W32.Dumaru.Z@mm


Risk Level 2: Low

January 25, 2004
February 13, 2007 12:16:38 PM
Also Known As:
W32/Dumaru.z@MM [McAfee], Win32.Dumaru.Z [Computer Assoc], I-Worm.Dumaru.l [Kaspersky], WORM_DUMARU.Z [Trend]
Systems Affected:

W32.Dumaru.Z@mm is a multi-threaded, mass-mailing worm that downloads and runs a file, runs a keylogger, and attempts to steal personal information. This worm is similar to the W32.Dumaru.Y@mm worm.

The email has the following characteristics:

From: "Elene" <F**KENSUICIDE@HOTMAIL.COM> (censored)
Subject: Important information for you. Read it immediately !
Attachment: Myphoto.zip

The attachment is a zip file that contains the worm executable as "myphoto.jpg <spaces> .exe". (There are numerous spaces between ".jpg" and ".exe".)
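A mail gateway or triage script can flag this naming trick by inspecting zip member names before delivery. The following is an added example, not part of the original writeup; the extension lists, the function names and the 40-space padding in the sample archive are assumptions made for illustration, and it also catches the unpadded double-extension form.

```python
import io
import re
import zipfile

# Extensions Windows runs directly (assumed list, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd"}
# Extensions a user reads as a harmless image or document (assumed list).
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "txt", "doc", "pdf"}
# ".decoy", then a run of whitespace, then ".real" at the end of the name.
PADDED = re.compile(
    r"\.(?P<decoy>[A-Za-z0-9]{1,5})(?P<pad>\s+)\.(?P<real>[A-Za-z0-9]{1,5})\s*$"
)

def classify_name(name):
    """Return a reason string if the name hides an executable extension, else None."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    m = PADDED.search(base)
    if m and m["real"].lower() in EXECUTABLE_EXTS:
        return (f"padded double extension: .{m['decoy']} + "
                f"{len(m['pad'])} whitespace chars + .{m['real']}")
    parts = base.lower().split(".")
    if (len(parts) >= 3 and parts[-1].strip() in EXECUTABLE_EXTS
            and parts[-2].strip() in DECOY_EXTS):
        return "double extension"
    return None

def scan_zip(data):
    """Return [(member_name, reason)] for suspicious members of a zip given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reason = classify_name(info.filename)
            if reason:
                findings.append((info.filename, reason))
    return findings

def build_sample():
    """Constructed sample archive; member contents are placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("myphoto.jpg" + " " * 40 + ".exe", b"placeholder")
        zf.writestr("holiday.jpg", b"placeholder")
        zf.writestr("notes.txt", b"placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    for name, reason in scan_zip(build_sample()):
        print(repr(name), "->", reason)
```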

A large number of email messages were sent purporting to be from Microsoft, with a link to a Web page. This email exploits a bug in Microsoft Internet Explorer so that, although the link appears to be to www.microsoft.com, it is actually a link to a Web page that contains a Visual Basic script, which drops W32.Dumaru.Z@mm onto your computer under the name C:\2.exe.

The email that was sent is an HTML message with the following characteristics.

Note: This is not the email that the worm itself sends, but rather an email sent to deceive people into downloading the worm:

From: "Security-center" [security-center@microsoft.com]
Subject: Security warning
Message: MicroSoft News
Warning: a new virus, W32.Swen.A@mm, can infect your computer.

MicroSoft user,
this is the latest version of security update, the "January 2004, Cumulative Patch" udate which eliminates all known security vulnerabilities afecting MS Internet Explorer, MS Outlook and MS Outlook Express. Install now to maintain the security of your computer from these vulnerabilities. This update includes the functionality of all previously released patches.

[text omitted]

[end of email text].

The message includes two links named "Go to Download page."

Antivirus Protection Dates

  • Initial Rapid Release version January 26, 2004
  • Latest Rapid Release version October 25, 2017 revision 035
  • Initial Daily Certified version January 26, 2004
  • Latest Daily Certified version October 26, 2017 revision 003
  • Initial Weekly Certified release date January 26, 2004
Writeup By: Fergal Ladley
