Lumension® Endpoint Intelligence Center


Overview

Threat Risk MEDIUM
Destructivity LOW
Payload Installs a keylogger
Detection files published 18 Aug 2003 03:00:00
Description created 17 Sep 2003 07:42:00
Description updated 17 Sep 2003 07:42:00
Malware type WORM
Alias
Spreading mechanism EMAIL
Summary None

W32/Dumaru.A@mm

Spreading

When the worm is first run, it copies itself to the following locations:

[WINDIR]\dllreg.exe
[SYSTEMDIR]\load32.exe
[SYSTEMDIR]\vxdmgr32.exe

The following registry value is created:

"HKLM\Software\Microsoft\Windows\CurrentVersion\Run" "load32"="[SYSTEMDIR]\load32.exe"

The following entry is created in the [boot] section of SYSTEM.INI:

"shell"="explorer.exe [SYSTEMDIR]\vxdmgr32.exe"

The following entry is created in the [windows] section of WIN.INI:

"run"="[WINDIR]\dllreg.exe"

In addition, it installs a backdoor at [WINDIR]\windrv.exe.

The worm scans files with the extensions .htm, .wab, .html, .dbx, .tbb and .abd for email addresses to send itself to.

The worm also attempts to connect to IRC servers and join a channel there.
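The three persistence points above (the Run value, the [boot] shell line in SYSTEM.INI and the [windows] run line in WIN.INI) are what an analyst would check first when triaging a suspected infection. The script below is an added example, not Lumension's tooling and not code from the original description: it parses copies of SYSTEM.INI and WIN.INI and a dictionary standing in for the Run key's values, and reports any entry that matches the file names listed above or that adds a second program to the shell line. The INI contents and Run-key values in the block are constructed sample input; the parser is hand-written (rather than configparser) so that the duplicate or unusual keys common in legacy INI files cannot raise, and it assumes 8.3-style paths without embedded spaces, as on systems of the era.

```python
"""Triage check for the W32/Dumaru.A@mm persistence points.

Added example; this is not Lumension's tooling. The file names are the
ones the description lists. The SYSTEM.INI, WIN.INI and Run-key samples
below are constructed for the demonstration, not captured from a host.
"""
import re
from typing import Dict, List

# Files the description says the worm drops (lower-case base names).
DUMARU_FILES = {"dllreg.exe", "load32.exe", "vxdmgr32.exe", "windrv.exe"}


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI parser returning {section: {key: value}}, names lower-cased.

    Hand-rolled instead of configparser so that the duplicate keys and
    odd lines common in legacy system.ini / win.ini files cannot raise.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        match = re.match(r"^\[(.+?)\]$", line)
        if match:
            current = match.group(1).lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def _basename(path: str) -> str:
    """Lower-case file name of a command token such as C:\\WINDOWS\\dllreg.exe."""
    return re.split(r"[\\/]", path.strip().strip('"'))[-1].lower()


def _tokens(value: str) -> List[str]:
    # INI run lists separate programs with spaces or commas.  8.3-style
    # paths without embedded spaces are assumed, as on systems of the era.
    return [t for t in re.split(r"[,\s]+", value) if t]


def check_persistence(system_ini: str, win_ini: str,
                      run_values: Dict[str, str]) -> List[str]:
    """Return one human-readable finding per Dumaru-style persistence entry.

    run_values models the value-name -> command pairs read from
    HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run.
    """
    findings: List[str] = []

    # 1. SYSTEM.INI [boot] shell= should name explorer.exe and nothing else.
    shell = _tokens(parse_ini(system_ini).get("boot", {}).get("shell", ""))
    if shell and _basename(shell[0]) != "explorer.exe":
        findings.append(f"system.ini [boot] shell replaced by {shell[0]}")
    for extra in shell[1:]:
        findings.append(f"system.ini [boot] shell also launches {extra}"
                        + (" (Dumaru file)" if _basename(extra) in DUMARU_FILES else ""))

    # 2. WIN.INI [windows] run= is normally empty; any program here autostarts.
    for prog in _tokens(parse_ini(win_ini).get("windows", {}).get("run", "")):
        findings.append(f"win.ini [windows] run launches {prog}"
                        + (" (Dumaru file)" if _basename(prog) in DUMARU_FILES else ""))

    # 3. Run key: match on the value name the worm uses or on a dropped file name.
    for name, command in run_values.items():
        if name.lower() == "load32" or _basename(command) in DUMARU_FILES:
            findings.append(f"Run value {name!r} -> {command} (Dumaru file)")

    return findings


# Constructed sample input modelling an infected configuration.
SAMPLE_SYSTEM_INI = """\
[boot]
shell=explorer.exe C:\\WINDOWS\\SYSTEM\\vxdmgr32.exe
[386Enh]
device=*vshare
"""

SAMPLE_WIN_INI = """\
[windows]
load=
run=C:\\WINDOWS\\dllreg.exe
[Desktop]
Wallpaper=(None)
"""

SAMPLE_RUN_KEY = {
    "SystemTray": "SysTray.Exe",                  # benign entry of the era
    "load32": "C:\\WINDOWS\\SYSTEM\\load32.exe",  # the worm's entry
}

if __name__ == "__main__":
    for finding in check_persistence(SAMPLE_SYSTEM_INI, SAMPLE_WIN_INI, SAMPLE_RUN_KEY):
        print(finding)
```

On a live host the same three checks would read the real SYSTEM.INI and WIN.INI under [WINDIR] and enumerate the Run key with winreg; the file names alone are a weak indicator, so the shell-line and run-line checks deliberately report any extra program, not only the ones named here.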

Payload Details

The worm installs a keylogging utility. This is detected by NVC as W32/Narod.A.

Analysis

n/a

Removal

This worm is detected as W32/Malware by the Lumension Sandbox prior to the publishing of definition files.


Last Updated: 12 Nov 2015 11:06:15