Thank you for being a valued part of the CNET community. As of December 1, 2020, the forums are in read-only format. In early 2021, CNET Forums will no longer be available. We are grateful for the participation and advice you have provided to one another over the years.

Thanks,

CNET Support


W32/Dumaru-AH

Feb 16, 2004 12:50AM PST

Aliases
Win32/Dumaru.U, I-Worm.Dumaru.n, W32.Dumaru.AH@mm, WORM_DUMARU.AC, Win32.Dumaru.AA@mm

Type
Win32 worm

W32/Dumaru-AH is a worm that spreads via email. The worm also has backdoor functionality and will steal password and system information from the victim's computer.
W32/Dumaru-AH arrives as an email with a file attachment named document.zip. Document.zip contains a file named myphoto.jpg<56 spaces>.exe. When this file is executed, a file named nload.exe is dropped to the root folder and is executed.

When the worm is first executed, a small JPG image of a blonde lady is displayed.

W32/Dumaru-AH copies itself to files named 1111a.exe and 1111c.exe in the Windows system folder and 1111b.exe in the startup folder. The following registry entries are created to ensure that the worm is run when Windows starts up:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\load32 = 1111a.exe

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
= explorer.exe C:\<Windows>\<System>\1111c.exe

Additionally, a line is added to the 'shell=' line of the system.ini file pointing to a copy of the worm.

Read more: http://www.sophos.com/virusinfo/analyses/w32dumaruah.html
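The persistence points listed in the write-up (the load32 Run value, the Winlogon Shell value, the 1111a/1111b/1111c.exe copies, nload.exe and the system.ini shell= line) can be checked with a short read-only script. The following PowerShell is an added example, not code from the Sophos analysis or from this post; the function name, the parameter defaults (System32 as the system folder, the system drive root as the "root folder") and the message wording are its own assumptions. It only reads registry values and files and reports what it finds; it does not delete or change anything.

```powershell
# Added example (not from the Sophos write-up or the CNET post): a read-only
# PowerShell check for the W32/Dumaru-AH persistence artifacts described above.
# Artifact names (load32, 1111a.exe, 1111b.exe, 1111c.exe, nload.exe, shell=)
# come from the write-up; the function name, parameter defaults and messages
# are this example's own assumptions.

function Test-DumaruAHArtifacts {
    [CmdletBinding()]
    param(
        # Assumed locations; adjust for the Windows version being examined.
        [string]$SystemDir  = (Join-Path $env:SystemRoot 'System32'),
        [string]$StartupDir = [Environment]::GetFolderPath('Startup'),
        [string]$SystemIni  = (Join-Path $env:SystemRoot 'system.ini'),
        [string]$RootDir    = "$env:SystemDrive\"
    )
    $findings = @()

    # 1. Run key value 'load32' (the write-up says it points at 1111a.exe).
    $runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $load32 = (Get-ItemProperty -Path $runKey -Name 'load32' -ErrorAction SilentlyContinue).load32
    if ($load32) {
        $findings += "Run value load32 present: $load32"
    }

    # 2. Winlogon Shell: on a clean system this is exactly 'explorer.exe'.
    #    Anything appended after it (as in the write-up) is worth a look.
    $winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = (Get-ItemProperty -Path $winlogon -Name 'Shell' -ErrorAction SilentlyContinue).Shell
    if ($shell -and $shell.Trim() -ne 'explorer.exe') {
        $findings += "Winlogon Shell modified: $shell"
    }

    # 3. Dropped copies of the worm in the system, startup and root folders.
    $paths = @(
        (Join-Path $SystemDir  '1111a.exe'),
        (Join-Path $SystemDir  '1111c.exe'),
        (Join-Path $StartupDir '1111b.exe'),
        (Join-Path $RootDir    'nload.exe')
    )
    foreach ($path in $paths) {
        if (Test-Path -LiteralPath $path) {
            $findings += "Worm file present: $path"
        }
    }

    # 4. system.ini 'shell=' line pointing at anything other than explorer.exe.
    if (Test-Path -LiteralPath $SystemIni) {
        $match = Select-String -Path $SystemIni -Pattern '^\s*shell\s*=' | Select-Object -First 1
        if ($match -and $match.Line -notmatch '^\s*shell\s*=\s*explorer\.exe\s*$') {
            $findings += "system.ini shell line: $($match.Line.Trim())"
        }
    }

    return $findings
}

# Usage: run from an elevated prompt so the HKLM values are readable.
$results = Test-DumaruAHArtifacts
if ($results.Count -eq 0) {
    Write-Output 'No W32/Dumaru-AH artifacts found.'
} else {
    $results | ForEach-Object { Write-Warning $_ }
}
```

The Winlogon Shell and system.ini checks are the generally useful part: both compare against the one legitimate value (explorer.exe) rather than searching for this worm's file names, so they also surface other malware that hijacks the same two persistence points.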
