Aliases
Win32/Dumaru.U, I-Worm.Dumaru.n, W32.Dumaru.AH@mm, WORM_DUMARU.AC, Win32.Dumaru.AA@mm
Type
Win32 worm
W32/Dumaru-AH is a worm that spreads via email. The worm also has backdoor functionality and will steal password and system information from the victim's computer.
W32/Dumaru-AH arrives as an email with a file attachment named document.zip. The document.zip archive contains a file named myphoto.jpg<56 spaces>.exe. When this file is executed, a file named nload.exe is dropped to the root folder and is executed.
When the worm is first executed, a small JPG image of a blonde lady is displayed.
W32/Dumaru-AH copies itself to files named 1111a.exe and 1111c.exe in the Windows system folder and 1111b.exe in the startup folder. The following registry entries are created to ensure that the worm is run when Windows starts up:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\load32 = 1111a.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = explorer.exe C:\<Windows>\<System>\1111c.exe
Additionally, a line is added to the 'shell=' line of the system.ini file, pointing to a copy of the worm.
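The attachment name described above (a decoy image extension, a run of spaces, then .exe) can be caught at a mail gateway or during triage by inspecting ZIP member names. The following is an added example, not part of the original analysis or any vendor's code; the extension lists and function names are assumptions chosen for illustration, and the sample archive is constructed with harmless placeholder content.

```python
import io
import re
import zipfile

# Extensions Windows runs directly (assumed list for this example).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
# Extensions commonly used as the visible decoy (assumed list).
DECOY_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".doc", ".pdf", ".txt"}

# Decoy extension, optional whitespace padding, then the real extension.
_PATTERN = re.compile(r"(\.[A-Za-z0-9]{1,5})(\s*)(\.[A-Za-z0-9]{1,5})$")

def classify_name(name):
    """Return (reason, padding_len) if the name hides an executable extension, else None."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    m = _PATTERN.search(base)
    if not m:
        return None
    decoy, pad, real = m.group(1).lower(), m.group(2), m.group(3).lower()
    if real in EXECUTABLE_EXTS and decoy in DECOY_EXTS:
        reason = "padded-double-extension" if pad else "double-extension"
        return reason, len(pad)
    return None

def scan_zip(data):
    """List (member_name, reason, padding_len) for suspicious members of a ZIP given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            hit = classify_name(info.filename)
            if hit:
                findings.append((info.filename, *hit))
    return findings

def build_sample_zip():
    """Constructed sample: placeholder payloads under the name from the description."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("myphoto.jpg" + " " * 56 + ".exe", b"placeholder, not a program")
        zf.writestr("holiday.jpg", b"placeholder")
        zf.writestr("setup.exe", b"placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    for name, reason, pad in scan_zip(build_sample_zip()):
        print(f"{reason}: {name!r} ({pad} padding characters)")
```

A plain setup.exe is deliberately not flagged here, since the check targets the disguise rather than executables in general.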
Read more: http://www.sophos.com/virusinfo/analyses/w32dumaruah.html
