Discovered on: February 03, 2004
Last Updated on: February 03, 2004 04:02:28 PM
W32.Dumaru.AD@mm is a multi-threaded, mass-mailing worm that downloads and runs a file, runs a keylogger, steals personal information, and starts an FTP server on port 10000. This worm is similar to the W32.Dumaru.Z@mm worm.
The worm uses its own SMTP engine to spread to the email addresses it finds on an infected system.
The email has the following characteristics:
From: "Elene" <F**KENSUICIDE@HOTMAIL.COM> (censored)
Subject: Important information for you. Read it immediately !
Attachment: Myphoto.zip
The attachment is a zip file that contains the worm executable as myphoto.jpg <spaces> .exe". (There are numerous spaces between ".jpg" and ".exe".)
Message:
Hi !
Here is my photo, that you asked for yesterday.
--------------------------------------------------------------------------------
Note: The email message contains an IFRAME exploit, so that Microsoft Outlook will download the worm from a hard-coded URL and execute it.
--------------------------------------------------------------------------------
Also Known As: I-Worm.Dumaru.gen [Kaspersky], W32/Dumaru.gen@MM [McAfee]
Variants: W32.Dumaru.Z@mm
Type: Worm
http://securityresponse.symantec.com/avcenter/venc/data/w32.dumaru.ad@mm.html

Chowhound
Comic Vine
GameFAQs
GameSpot
Giant Bomb
TechRepublic