Threat Description



Category: Malware
Type: Worm
Platform: W32
Aliases: Dumaru, W32.Dumaru@mm


This mass-mailer worm was discovered on 19th of August, 2003. Dumaru is a file infector and a mass-mailer worm which tries to disguise itself as a security patch coming from Microsoft. The worm drops an IRC-controlled backdoor component to the infected system.


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on scanning or removal options is available in the documentation for your F-Secure security product on the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

For further assistance, F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details

Dumaru is packed with an unmodified version of UPX. The unpacked size of the worm is 20480 bytes.

When first run, the worm installs itself by placing several copies of itself on the system.

One copy goes to the System Directory as 'load32.exe' which is added to the registry as:

  • 'HKLM\Software\Microsoft\Windows\CurrentVersion\Run\load32'

Another copy of the worm is placed in the Windows Directory under the file name 'dllreg.exe' and added to 'win.ini' as follows:

  [windows]
  Run=dllreg.exe

A third copy is placed in the System Directory as 'vxdmgr32.exe', which is registered in 'system.ini':

  [Boot]
  Shell=explorer vxdmgr32.exe

The backdoor is dropped to the Windows directory as 'windrv.exe' and started. This file is detected by F-Secure Anti-Virus as Backdoor.Small.d.
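The 'win.ini' and 'system.ini' entries described above can be checked with a short script. The following is an added example, not F-Secure code: it parses the text of both files and reports startup entries that name the worm's files. Going beyond the description, it also reports any extra program on the Shell= line; the function names and the sample file contents are constructed for illustration.

```python
# Added illustration: file names and INI entries are those listed in the write-up.
DUMARU_FILES = {"load32.exe", "dllreg.exe", "vxdmgr32.exe", "windrv.exe"}
SHELL_OK = {"explorer", "explorer.exe"}

def parse_ini(text):
    """Parse legacy INI text into {section: {key: value}}, names lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return sections

def programs(value):
    """Split a Run=/Shell= value into lower-cased base file names.
    Simplification: paths containing spaces are not handled."""
    tokens = value.replace(",", " ").split()
    return [t.replace("/", "\\").rsplit("\\", 1)[-1].lower() for t in tokens]

def check_startup(win_ini, system_ini):
    """Return (location, file name, reason) for each suspicious startup entry."""
    run = parse_ini(win_ini).get("windows", {}).get("run", "")
    shell = parse_ini(system_ini).get("boot", {}).get("shell", "")
    findings = []
    for location, value, is_shell in (("win.ini [windows] Run", run, False),
                                      ("system.ini [Boot] Shell", shell, True)):
        for name in programs(value):
            if name in DUMARU_FILES:
                findings.append((location, name, "dumaru"))
            elif is_shell and name not in SHELL_OK:
                findings.append((location, name, "unexpected"))
    return findings

# Constructed sample file contents (not captured from a real system).
INFECTED_WIN_INI = "[windows]\nload=\nRun=dllreg.exe\n"
INFECTED_SYSTEM_INI = "[Boot]\nShell=explorer vxdmgr32.exe\n"
CLEAN_WIN_INI = "[windows]\nload=\nrun=\n"
CLEAN_SYSTEM_INI = "; default\n[boot]\nshell=Explorer.exe\n"

if __name__ == "__main__":
    for finding in check_startup(INFECTED_WIN_INI, INFECTED_SYSTEM_INI):
        print(finding)
```

The 'load32' value under the registry Run key and the presence of the dropped files themselves are not covered by this script and have to be checked separately.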

Email propagation

Dumaru uses its own SMTP engine to send emails with infected attachments. The worm searches for email addresses on all drives recursively in files with the following extensions:

.htm  .wab  .html  .dbx  .tbb  .abd   

Using its SMTP engine Dumaru sends infected emails to the addresses it collected. The infected emails have the following appearance:

  From: "Microsoft" []
  Subject: Use this patch immediately !

  Dear friend , use this Internet Explorer patch now!
  There are dangerous virus in the Internet now!
  More than 500.000 already infected!

  Attachment: patch.exe

The email addresses the worm collects are written to a file called 'winload.log' in the Windows Directory.

File infection

If the infected system is installed on an NTFS file system, Dumaru tries to infect EXE files with a companion method that uses the streams feature of NTFS. The original file content is copied to the 'filename.exe:STR' stream and the file 'filename.exe' is overwritten with a copy of the virus. When 'filename.exe' is invoked, the worm runs and then executes the original program from 'filename.exe:STR'.


F-Secure Anti-Virus detects these worm variants with:

Detection Type: PC
Database: 2003-08-30_02

Technical Details: Ero Carrera and Gergely Erdelyi, 19th of August, 2003

