Lumension® Endpoint Intelligence Center


Overview

Threat Risk LOW
Destructivity MEDIUM
Payload Information gathering
Detection files published 23 Jan 2004 03:00:00
Description created 24 Jan 2004 08:24:00
Description updated 24 Jan 2004 08:24:00
Malware type WORM
Alias W32/Capegold-mm
Spreading mechanism EMAIL
Summary None

W32/Dumaru.Y@mm

Spreading

Upon execution, the worm copies itself to the Windows System directory under the names l32x.exe and vxd32v.exe, and to the Startup directory under the name dllxw.exe. It creates the value "load32"="[SYSTEM]l32x.exe" under the registry key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run". It also modifies the "shell" entry in the [boot] section of system.ini to "shell"="explorer.exe [SYSTEM]vxd32v.exe". All of these changes are made so that the worm is started at boot. The worm harvests email addresses from files of the following types: *.htm, *.wab, *.html, *.dbx, *.tbb, *.abd. It then sends itself to those addresses.
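As an added example (not part of the Lumension entry), the following Python checks the three persistence artifacts described above against constructed sample input: the [boot] shell= line of system.ini, the values under the HKLM Run key, and the contents of the Startup folder. The sample system.ini text, Run values and Startup file list are constructed here to mirror the infection; on a live host they would be read from the machine.

```python
import ntpath

# Constructed sample artifacts modelled on the changes this entry describes.
SAMPLE_SYSTEM_INI = """[boot]
shell=explorer.exe C:\\WINDOWS\\SYSTEM32\\vxd32v.exe
[drivers]
wave=mmdrv.dll
"""
SAMPLE_RUN_VALUES = {  # name -> command, as under HKLM\...\CurrentVersion\Run
    "load32": "C:\\WINDOWS\\SYSTEM32\\l32x.exe",
    "ctfmon.exe": "C:\\WINDOWS\\SYSTEM32\\ctfmon.exe",
}
SAMPLE_STARTUP_FILES = ["dllxw.exe", "desktop.ini"]

# File names the worm drops, taken from the description above.
DUMARU_Y_FILENAMES = {"l32x.exe", "vxd32v.exe", "dllxw.exe"}


def boot_shell_extras(system_ini_text):
    """Return any tokens appended after explorer.exe in the [boot] shell= line.
    A clean system.ini has shell=explorer.exe with nothing following it."""
    in_boot = False
    for raw in system_ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_boot = line.lower() == "[boot]"
            continue
        if in_boot and line.lower().startswith("shell="):
            tokens = line.split("=", 1)[1].split()
            return [t for t in tokens if t.lower() != "explorer.exe"]
    return []


def find_dumaru_y_indicators(system_ini_text, run_values, startup_files):
    """Return (location, value) pairs for each persistence artifact found."""
    findings = []
    for extra in boot_shell_extras(system_ini_text):
        findings.append(("system.ini [boot] shell", extra))
    for name, cmd in run_values.items():
        # Flag the worm's value name or any Run entry launching a dropped file.
        if name.lower() == "load32" or ntpath.basename(cmd).lower() in DUMARU_Y_FILENAMES:
            findings.append(("HKLM Run value " + name, cmd))
    for fname in startup_files:
        if fname.lower() in DUMARU_Y_FILENAMES:
            findings.append(("Startup folder", fname))
    return findings


if __name__ == "__main__":
    for where, what in find_dumaru_y_indicators(SAMPLE_SYSTEM_INI, SAMPLE_RUN_VALUES, SAMPLE_STARTUP_FILES):
        print(f"{where}: {what}")
```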

Payload Details

The worm may email out information gathered from the user’s machine.

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:11