This worm is a part of the Dumaru family, which spreads via the Internet as files attached to infected messages.
The worm includes a backdoor function and a Trojan program which enables it to steal information.
When installing, the worm copies itself to the Windows system directory under the names l32.exe and vxd32.exe, and to the startup directory under the name dllxw.exe.
It registers itself in the system register:
"load32" = "%windir%\%system%\l32x.exe"
The worm searches all directories on accessible local disks for files with the extensions htm, wab, html, dbx, tbb, abd, highlights lines which are email addresses and then sends infected messages to these address.
Infected messages have the following characteristics:
Important information for you. Read it immediately !
Here is my photo, that you asked for yesterday.
In order to send messages, the worm uses its own SMTP engine, giving the return address as firstname.lastname@example.org. All notifications sent by mail scanners about the fact that the worm has been detected in messages will therefore be sent to this address.
The worm opens port 10000 to receive hacker's commands.
The worm also has a keyboard logging function, and is able to save all information entered via the keyboard to a separate file.
Remove this worm by antivirus (also check How To Remove section)Startup Optimizer.