Virus Database

I-Worm.Dumaru.j

Description I-Worm.Dumaru.j
This worm is part of the Dumaru family, which spreads via the Internet as files attached to infected messages. The worm includes a backdoor function and a Trojan program which enables it to steal information. The worm is a Windows PE EXE file, compressed using FSG. The compressed file is approximately 17KB in size, and the decompressed file approximately 43 KB in size.
Installation
When installing, the worm copies itself to the Windows system directory under the names l32.exe and vxd32.exe, and to the startup directory under the name dllxw.exe.
It registers itself in the system register as a key to enable autorun:
HKLMSoftwareMicrosoftWindowsCurrentVersionRun
load32 = %windir%\%system%l32x.exe
On computers running under Windows 95,98 and ME, the worm changes a section in the system.ini file
[boot]
shell=explorer.exe %System%vxd32v.exe
Mailing of messages
The worm searches all directories on accessible local disks for files with the extensions: .htm, .wab, .html, .dbx, .tbb, .abd, highlights lines which are email addresses and then sends infected messages to these address. To do this, the worm creates a Zip archive (zip.tmp) in the Windows temporary directory, which will then be added to messages as an attachment.
The worm also creates a file called winload.log in the Windows directory, and writes all email addresses found, to which infected messages have been sent, to this file. Infected messages have the following characteristics:

Sender's address:
Elene F*****SUICIDE@HOTMAIL.COM
Message header:
Important information for you. Read it immediately !
Message body:
Hi !
Here is my photo, that you asked for yesterday.
Attachment:
myphoto.zip
In order to send messages, the worm uses its own SMTP engine, giving the return address as address@dyandex.ru. All notifications sent by mail scanners about the fact that the worm has been detected in messages will therefore be sent to this address.
Other
The worm opens port 10000 to receive commands for administration of the infected computer. The worm also has a keyboard logging function, and is able to save all information entered via the keyboard to a separate file.
Kaspersky Labs anti-virus databases have already been updated with protection against I-Worm.Dumaru.j.

Check other viruses! Be aware! Use Antiviral Software

Kasimir family

Description Kasimir family

These are dangerous nonmemory resident parasitic viruses. They search for .EXE files and write themselves to the end of the file. Since 1994 they erase the FAT on the C: drive and display the message:
KASIMIR STRIKE NOW!

The viruses also contain the text:
SV00 Lubj

Kasiunia.3773

Description Kasiunia.3773

It is a dangerous memory resident parasitic polymorphic and stealth virus. It writes itself to the end of EXE-files. When an infected file is executed, the virus hits the C:NCNC.EXE file, then it hooks INT 9, 10h, 17h, 1Ch, 21h. The virus infects the files when intercepts DOS calls Close, FindFirst/Next ASCII.
The virus manifests itself in different ways. It drops the C:KASIUNIA.LZH archive that I cannot unpack, while executing of TD.EXE file the virus displays (the grammar mistake is in the original text):
Dual memory acces - uncorrect internal Turbo Debuger error.
Please run TD286.EXE to work without this error.

The virus also patches the system memory at random selected addresses, deletes anti-virus data files, beeps by PC speaker, changes the symbols that are displayed. The virus also contains the text strings:
Win
C: CNc.exe
CPSTAGTD.MSACPA
c:KasIuNiA.lZh
Panie Marku, przepraszam, ale to moj 2 wirusall

Home