Virus Database


I-Worm.Potok

Description I-Worm.Potok

This is a family of Internet worms that spreads via e-mail by sending infected messages from infected computers. While spreading, the worms use MS Outlook, and send themselves to addresses that are stored in the MS Outlook Address Book.
The worms are written in the scripting language "Visual Basic Script" (VBS), and they work only on computers on which the Windows Scripting Host (WSH) has been installed. In Windows 98 and Windows 2000, WSH is installed by default. To spread themselves, the worms access MS Outlook and use its functions and address lists. This is available in Outlook 98/2000 only, so the worms are able to spread only when one of these MS Outlook versions is installed.
The worm arrives on a computer as an e-mail message with an attached VBS file that is the worm itself. The message in the original worm version contains:
The Subject: New Generation of drivers.
Message body:
Microsoft has published new driver
for all types Video Cards, compatible with Windows 95/98/NT/2000/XP.
You can read about it in attachment document.
Best wishes,Microsoft.
Attached file name: "driver.doc .vbs"
The file extension (".vbs") is separated from the rest of the name by a long run of spaces and may therefore not be displayed.
Depending on the system settings, the real attached-file extension (".vbs") may not be shown. In this case, the attached-file name is displayed as "DRIVER.DOC".
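The padded "driver.doc .vbs" name above relies on the mail client or shell cutting the visible name short. The following Python function, added here as an example and not part of this page or of any product, classifies attachment names by the extension that Windows will actually act on (the text after the last dot, whatever whitespace precedes it). It goes beyond the Potok case and also flags the decoy double-extension form ("something.mp3.exe"). The extension lists and the sample names are constructed for the example.

```python
import re
from typing import List, Tuple

# Extensions Windows executes directly or hands to the Windows Scripting Host on double-click.
# Constructed list for this example; extend it to match local policy.
EXECUTABLE_EXTENSIONS = {
    "exe", "com", "scr", "pif", "bat", "cmd",
    "vbs", "vbe", "js", "jse", "wsf", "wsh",
}

# Extensions a recipient would expect to be harmless data (constructed list).
DECOY_EXTENSIONS = {"doc", "xls", "txt", "pdf", "jpg", "gif", "mp3", "zip"}

# A run of whitespace immediately before the final extension, e.g. "driver.doc        .vbs".
PADDED_EXT = re.compile(r"\s+\.[A-Za-z0-9]+$")


def classify_attachment(name: str) -> Tuple[bool, str]:
    """Return (is_suspicious, reason) for one attachment filename.

    The real extension is whatever follows the last dot, regardless of how much
    whitespace precedes it, because that is what the shell uses when the file is opened.
    """
    stripped = name.strip()
    parts = stripped.lower().split(".")
    if len(parts) < 2:
        return False, "no extension"
    real_ext = parts[-1].strip()
    if real_ext not in EXECUTABLE_EXTENSIONS:
        return False, f"non-executable extension .{real_ext}"
    if PADDED_EXT.search(stripped):
        return True, f"executable .{real_ext} hidden behind whitespace padding"
    inner_ext = parts[-2].strip()
    if len(parts) >= 3 and inner_ext in DECOY_EXTENSIONS:
        return True, f"executable .{real_ext} behind decoy .{inner_ext}"
    return True, f"executable attachment .{real_ext}"


def scan_attachments(names: List[str]) -> List[Tuple[str, str]]:
    """Return [(collapsed_name, reason)] for every attachment judged suspicious.

    The name is returned with whitespace runs collapsed so the log line stays readable.
    """
    flagged = []
    for name in names:
        suspicious, reason = classify_attachment(name)
        if suspicious:
            flagged.append((re.sub(r"\s+", " ", name.strip()), reason))
    return flagged


# Constructed sample: the Potok name with its padding, plus a few other shapes.
SAMPLE_ATTACHMENTS = [
    "driver.doc" + " " * 40 + ".vbs",
    "ramones.mp3.exe",
    "creative.exe",
    "report.pdf",
    "holiday photos.jpg",
]

if __name__ == "__main__":
    for name, reason in scan_attachments(SAMPLE_ATTACHMENTS):
        print(f"{name!r}: {reason}")
```

A mail gateway applying this check would quarantine or rename the first three sample names; the last two pass because their final extension is not one the shell executes.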
Upon being activated by a user (by double clicking on the attached file), the worm creates its exact copy in the WINDOWS directory with the "driver.doc .vbs" name.
The worm checks whether the file system is NTFS, and if it isn't, it exits. If the file system is NTFS, the worm creates an ODBC.INI file in the WINDOWS directory and associates four additional NTFS streams with it:
group - adds a user to the system
mail - sends a worm's copies using Outlook
main - main part of the worm
user - adds a user to the system
Then the worm creates a temporary file ("go.vbs"), which assembles all parts of the worm into one file ("notepad.vbs"), and launches it.
The part of the worm launched from NOTEPAD.VBS sends its copy to the first 50 e-mail addresses in the Outlook address book. After mailing, the worm checks whether the operating system is Windows 2000, and if it is, adds a new user with the name "Lord_Nikon" to the system.

I-Worm.PrettyPark

Description I-Worm.PrettyPark

This is a virus-worm that spreads via the Internet. It appears as a PrettyPark utility attached to an e-mail. Being executed, it installs itself into the system, then sends infected messages (with its attached copy) to addresses listed in Windows Address Book, informs a user on some IRC channel about system settings and passwords, and also may be used as a Backdoor.
The worm itself is Windows PE executable file about 37Kb in length. This file is compressed by a WWPack32 utility. Being unpacked, it appears to be a 58Kb EXE file written in Delphi, the "pure" code in the file occupies just about 45Kb. In spite of this short size for a Delphi application, the worm has many features that make it a very dangerous and fast spreading program.
When the worm is executed in the system for the first time, it looks for its copy that has already been installed in the system memory. The worm does this by looking for an application that has the "#32770" window caption. If there is no such window, the virus registers itself as a hidden application (not visible in the task list) and runs its installation routine.
While installing into the system, the worm copies its file to the Windows system directory under the FILES32.VXD filename and registers it in the system registry so that it is run each time any other application is started. The virus does this by creating a new key under HKEY_CLASSES_ROOT, named exefile\shell\open\command, and associating it with the worm copy, the FILES32.VXD file created in the Windows system folder. This file has a .VXD extension, but it is not a Win95/98 VxD driver; rather, it is a "true" Windows executable.
In case of error while installing, the worm activates the SSPIPES.SCR screen saver (to hide its activity?). If there is no such file found, the worm tries to activate the Canalisation3D.SCR screen saver.
The worm then initiates a socket (Internet) connection and runs its routines that are activated: the first one once per 30 seconds, and the other once per 30 minutes.
Each time it is activated, the first of these routines tries to connect to one of the IRC servers listed below and, on special requests, sends a message to a user on those channels. In this way the worm's author appears to catch affected machines in order to monitor them. The list of IRC servers the worm tries to connect to is as follows:
irc.twiny.net
irc.stealth.net
irc.grolier.net
irc.club-internet.fr
ircnet.irc.aol.com
irc.emn.fr
irc.anet.com
irc.insat.com
irc.ncal.verio.net
irc.cifnet.com
irc.skybel.net
irc.eurecom.fr
irc.easynet.co.uk

Being recognized by the host (virus author), the worm may be manipulated as a Backdoor Trojan horse. By a set of commands, it sends a system configuration, a disk list, directories info, as well as confidential information to the remote host: Internet access passwords and telephone numbers, Remote Access Service login names and passwords, ICQ numbers, etc. The backdoor also is able to create/remove directories, send/receive files, delete and execute them, etc.
The second routine, which is activated once per 30 minutes, opens the Windows Address Book file, reads Internet addresses from there, and sends a message to them. The message may be sent not only to private e-mail addresses but also to Internet conferences, depending only on the Address Book contents. The message Subject field contains the text:
C:\CoolProgs\Pretty Park.exe

The message itself contains nothing but an attached copy of the worm.

I-Worm.Prolin (a.k.a. Creative)

Description I-Worm.Prolin (a.k.a. Creative)

This is a virus-worm that spreads via the Internet by using MS Outlook. The worm itself is a Windows EXE file about 37Kb in length, and written in VisualBasic. The worm uses a standard MW97_Melissa-like way of spreading: it opens the MS Outlook address book, obtains addresses from there, and sends its copies to these addresses. The message reads as follows:
Subject: A great Shockwave flash movie
Message text:
Check out this new flash movie that I downloaded just now all It's Great
Bye
Attach name: creative.exe

The worm then sends a "notification" message to its author and informs him about the next infected computer:
To: z14xym432@yahoo.com
Subject: Job complete
Message text: Got yet another idiot

The worm also creates its copies on the C: disk with the following names:
C:\creative.exe
C:\WINDOWS\Start Menu\Programs\StartUp\creative.exe
The second copy is placed in the auto-run directory so it will be activated upon each Windows restart.
The worm has a dangerous payload. It scans all disk drives, finds ZIP, MP3 and JPG files, and moves them to the C: drive under the following name:
C:\%victimfile%change atleast now to LINUX
for example, BGAMEX.JPG and DATA.ZIP are moved to:
C:\BGAMEX.JPGchange atleast now to LINUX
C:\DATA.ZIPchange atleast now to LINUX
The worm also creates the text file "c:\messageforu.txt", writes the following text there, and appends a list of the moved files, for example:
Hi, guess you have got the message. I have kept a list of files that I
have infected under this. If you are smart enough just reverse back the
process. i could have done far better damage, i could have even
completely wiped your harddisk. Remember this is a warning & get it sound
and clear... - The Penguin
C:\WINDOWS\SYSTEM\OOBE\IMAGEX\BGAMEX.JPG
C:\BACKUP\DATA.ZIP
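Because the payload keeps the original full path in the note and only changes the location and suffix of each file, the damage is reversible. The script below is an added recovery example (not from this page or from any vendor tool): it parses the path lines out of a messageforu.txt, computes the renamed name on the C: root for each one, and moves the file back, never overwriting an existing file. The `root` argument stands in for the C: drive so the routine can be exercised in a scratch directory on any OS; the note contents and the sample files are constructed, and restoring files that originally lived on other drives under the same root is a simplifying assumption.

```python
import os
import re
import shutil
import tempfile
from typing import List

# Suffix the payload appends to each moved file's base name (taken from the description).
SUFFIX = "change atleast now to LINUX"

# A note line that is a full Windows path, e.g. "C:\BACKUP\DATA.ZIP".
PATH_LINE = re.compile(r"^([A-Za-z]):\\(.+?)\s*$")


def parse_note(note_text: str) -> List[str]:
    """Return the original paths listed in messageforu.txt, with the drive letter removed.

    Only lines shaped like a drive path are taken; the taunting text is skipped.
    """
    found = []
    for line in note_text.splitlines():
        match = PATH_LINE.match(line.strip())
        if match:
            found.append(match.group(2))
    return found


def restore_files(note_text: str, root: str) -> List[str]:
    """Move every listed file from <root>\\<basename><SUFFIX> back to its original path.

    `root` stands in for the C: drive root so the routine runs on any OS during testing.
    Assumption: files that originally lived on other drives are restored under `root`
    too, since the note records the path but the renamed copy sits on C:.
    Existing files at the destination are never overwritten. Returns the restored paths.
    """
    restored = []
    for rel in parse_note(note_text):
        components = rel.split("\\")
        if ".." in components:
            continue  # never let a crafted note walk outside the root
        original = os.path.join(root, *components)
        renamed = os.path.join(root, components[-1] + SUFFIX)
        if not os.path.isfile(renamed) or os.path.exists(original):
            continue
        os.makedirs(os.path.dirname(original), exist_ok=True)
        shutil.move(renamed, original)
        restored.append(rel)
    return restored


def demo() -> List[str]:
    """Recreate the post-payload state in a throwaway directory and run the recovery."""
    root = tempfile.mkdtemp()
    # Constructed note: the worm's text followed by the two example paths from the description.
    note = (
        "Hi, guess you have got the message. I have kept a list of files that I\n"
        "have infected under this.\n"
        "C:\\WINDOWS\\SYSTEM\\OOBE\\IMAGEX\\BGAMEX.JPG\n"
        "C:\\BACKUP\\DATA.ZIP\n"
    )
    for base in ("BGAMEX.JPG", "DATA.ZIP"):
        with open(os.path.join(root, base + SUFFIX), "wb") as fh:
            fh.write(b"constructed sample content")
    restored = restore_files(note, root)
    # Keep only the entries that really ended up at their original location.
    present = [rel for rel in restored if os.path.isfile(os.path.join(root, *rel.split("\\")))]
    shutil.rmtree(root)
    return present


if __name__ == "__main__":
    print(demo())
```

On a real machine the note would be read from c:\messageforu.txt and `root` set to "C:\\"; the worm's own copies (creative.exe in C:\ and in the StartUp folder) still need to be removed separately, since the note does not list them.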

I-Worm.Puron

Description I-Worm.Puron

This is a virus-worm that spreads via infected e-mails, and infects Windows EXE files on computers. The worm's routines have bugs, and in some cases, halt the computer and/or corrupt files while infecting them.
The worm code has the "copyright" text strings:
(c)Vecna
Vecna is a punk rocker nowall
Infected File Run
The worm can enter a computer via infected e-mails from the local network or from any other infected file that is executed.
When the worm starts, it extracts from an infected file its "main" code (that is "pure" virus code - Win32 PE EXE file 9.5 Kb of size), saves it to the Windows TEMP directory with a randomly selected name (for example, LNBAMKON.EXE, MMCAAHAN.EXE) and executes that file.
When the virus's "main" code gains control, it moves its file to the Windows directory referenced in the Registry key:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Common Startup = %startup%
The %startup% directory name depends on the Windows version, for example:
Documents and Settings\All Users\Start Menu\Programs\Startup
%WindowsDir%\All Users\Start Menu\Programs\Startup
The worm moves itself to that %startup% directory with a random name that has eight randomly selected digits and an .EXE extension, for example:
00544102.EXE
17060133.EXE
37154273.EXE
The worm then executes that copy in the "Startup" directory and deletes the first copy in the Windows TEMP directory, for example:
C:\VIRUS.EXE - the infected file is run
C:\WINDOWS\TEMP\MMCAAHAN.EXE - the 1st copy is created and run
C:\WINDOWS\All Users\Start Menu\Programs\Startup\00544102.EXE - the 2nd copy is created here and executed; the 1st copy is then deleted
Because of a bug, in some cases, the worm crashes in the middle of this process, and the 1st copy is left in the TEMP directory.
When this "file moving" process is complete, the worm installs a "stealth" hook, and runs the infection and e-mail spreading routines.
Infection
When the infection routine gains control, it searches for .EXE and .SCR Windows executable files on all local and network drives and infects them. While infecting, it takes a block from the middle of the file, compresses it, and stores the compressed data together with the worm code in the file, so that the file length does not increase.
The worm also uses a polymorphic mutation engine to make the detection and disinfection process more complex.
E-mail spreading
To spread itself, the worm connects to an SMTP mail server and sends infected messages to e-mail addresses. The worm obtains both the SMTP server name and the e-mail addresses from WAB (Windows Address Book) data files.
The infected messages are of HTML format and have fields:
From: "Mondo bizarro" [mourning@obituary.org]
Subject: Joey is dead, man... :-(
Text: A tribute to Joey Ramone (1951-2001)
Attach: ramones.mp3.exe
The worm uses one of the security vulnerabilities (vulnerability identifier CAN-2001-0154) found in MS Windows in 2001. This flaw makes it possible to launch an attached EXE file without any user action: when an infected e-mail is opened for reading or preview, the worm's EXE file is run automatically.
Microsoft already has released a patch that eliminates this vulnerability. Additional information may be found here: http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
Stealth
The worm hooks FindFile and FindProcess Windows system calls (FindFirstFileA, FindNextFileA, Process32First, Process32Next). The worm processes these calls so that its copy in the "startup" directory (see above) is not reported. As a result, the worm file is not visible in files and processes lists.

I-Worm.Quamo

Description I-Worm.Quamo

This is a virus-worm that spreads via the Internet attached to infected e-mails. The worm itself is a Windows PE EXE file about 57Kb in length, and it is written in Visual Basic Script.
The infected messages contain differing subjects, bodies and attached-file names that are randomly selected from the following variants:
Subjects:
Something very special
I know you will like this
Yes, something I can share with you
Wait till you see this!
A brand new game! I hope you enjoy it

Bodies (one-line texts):
Hey you, take a look at the attached file. You won't believe your eyes when you open it!
You like games like Quake? You will enjoy this one.
Did you see the pictures of me and my battery operated boyfriend?

as well as (multiline texts):
My best friend,
This is something you have to see!
Till next time

Is Internet that safe?
Check it out

Attached file:

Infected file run
The worm activates from an infected e-mail only when a user clicks on the attached file, displaying the following:

At the same time, the worm installs itself to the system. In the event that the [Next] button is pressed, nothing happens (except installation of the worm's copies to the system), and the worm's application simply terminates. When the [Cancel] button is pressed, the worm starts its e-mail spreading routine.
Installing
While installing into the system, the worm creates the new directory C:\EIRAM and copies itself under the following names:
c:\eiram\quake4demo.exe
f:\quake4demo.exe (if this drive exists)

and then registers these files in the Registry auto-run keys:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"quake"="c:\eiram\quake4demo.exe"
"Q4"="f:\quake4demo.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"Q4"="c:\eiram\quake4demo.exe"
"quake"="f:\quake4demo.exe"
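Two of the persistence mechanisms on this page show up in a plain registry export: the Quamo Run-key entries above, and the PrettyPark hijack of HKEY_CLASSES_ROOT\exefile\shell\open\command described earlier. The Python below is an added example (not from this page or from any vendor tool) that parses the string-value subset of .reg syntax and reports two conditions: an exefile handler that is not the stock `"%1" %*`, and Run entries whose program lies outside a trusted-directory baseline. The .reg text is constructed; the exefile value is a plausible shape for the PrettyPark case rather than a value quoted on this page, and the trusted-prefix list is a heuristic assumption.

```python
import re
from typing import Dict, List

# Default handler for .exe files: run the clicked program with its own arguments.
EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
EXEFILE_EXPECTED = '"%1" %*'

RUN_KEYS = [
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
]

# Heuristic baseline (assumption): auto-start programs normally live below these prefixes.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")


def unescape_reg(value: str) -> str:
    """Undo .reg string escaping (backslash-quote and doubled backslashes)."""
    return value.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of .reg syntax used here: [key] sections with "name"="string" values."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()  # registry key names are case-insensitive
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            if value.startswith('"') and value.endswith('"'):
                value = unescape_reg(value[1:-1])
            keys[current][name] = value
    return keys


def executable_path(command: str) -> str:
    """Extract the program part of a command line, quoted or not, lower-cased."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end].lower() if end > 0 else command.lower()
    return command.split(" ", 1)[0].lower()


def audit(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Return one finding per hijacked exefile handler or out-of-baseline Run entry."""
    findings = []
    handler = keys.get(EXEFILE_KEY.lower(), {}).get("@")
    if handler is not None and handler.strip() != EXEFILE_EXPECTED:
        findings.append(f"exefile handler hijacked: {handler}")
    for key in RUN_KEYS:
        for name, command in keys.get(key.lower(), {}).items():
            if not executable_path(command).startswith(TRUSTED_PREFIXES):
                findings.append(f"auto-run '{name}' outside trusted dirs: {command}")
    return findings


# Constructed .reg export: a PrettyPark-shaped exefile value (assumed form, not quoted on
# this page), the Quamo Run entries, and one benign Windows entry for contrast.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\FILES32.VXD \"%1\" %*"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"quake"="c:\\eiram\\quake4demo.exe"
"Q4"="f:\\quake4demo.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Q4"="c:\\eiram\\quake4demo.exe"
"quake"="f:\\quake4demo.exe"
'''

if __name__ == "__main__":
    for finding in audit(parse_reg(SAMPLE_REG)):
        print(finding)
```

The exefile check is the one that matters for PrettyPark: its FILES32.VXD copy sits inside the Windows system directory, so a directory baseline alone would pass it, whereas any handler value other than the stock one is a finding regardless of where the program lives. The Quamo entries are caught by the baseline because C:\EIRAM and the F: drive are not places installed software normally starts from.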

Later, while sending e-mail messages, the worm also may create more of its copies in the Windows directory:
honey.exe
quake4demo.exe
setup.exe

Spreading
The e-mail spreading routine is activated only when a user presses the [Cancel] button in the message box (see above).
To send infected messages, the worm uses MS Outlook, and sends messages to all addresses found in the Outlook address book.
Payload
Upon each start, the worm activates its payload routine, which searches for the following files: *.exe, *.xls, *.doc, *.mdb, *.htm, *.html, *.txt, *.ocx and overwrites them with the following text:
You've didn't protected your files well enough
Let this be a lesson! Never trust someone else
eiram 1999-2001

    Copyright © 2005 Virus-Database.com