EVC.161
Description EVC.161
It is a dangerous memory-resident overwriting virus. It hooks INT 21h and overwrites every file that is executed. It displays:
MaKe ViRii oUT T aSS
It also contains the internal text string:
EVC 1.0
I-Worm.Tanatos.a
Description I-Worm.Tanatos.a
Tanatos.a, also known as BugBear.a, is a worm spreading via the Internet as an attachment to infected emails. The worm also copies itself over local networks to shares open for full access, and runs backdoor and PSW (password-stealing) trojan routines.

The Tanatos worm itself is a Windows PE EXE file about 50KB in length (compressed with the UPX utility), written in Microsoft Visual C++.

The infected messages have different Subjects, Bodies and attached file names. The worm sends messages of two types, selected at random. In the first case, in order to run from the infected message, the worm exploits the IFrame security breach; as a result the worm activates as soon as the message is opened or previewed on a vulnerable (victim) system. In the second case the worm does not use "breach tricks", and the attached worm copy activates only if the user clicks on the attached file.

The Tanatos worm got its name from the text string appearing in its code:
Project Tanatos

Installing
While installing, the worm copies itself to the Windows system directory under a random name and registers itself in the system registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
The worm's EXE filename depends on the C: volume name, for example:
FYOM.EXE
YOK.EXE
The worm also places a DLL file in the Windows system directory under a random name and uses this file to 'spy' on and record all keyboard input.

Spreading: Emails
To send infected messages Tanatos uses a direct connection to the default SMTP server. Victim email addresses are harvested from files of the following types:
*.ODS, *.MMF, *.NCH, *.MBX, *.EML, *.TBB, *.DBX, *INBOX*
The Tanatos worm searches for these files on the system and extracts email-like strings from them.

The Subject field is selected from the following variants:
Greets!
Get 8 FREE issues - no risk!
Hi!
Your News Alert
$150 FREE Bonus!
Re: Your Gift
New bonus in your cash account
Tools For Your Online Business
Daily Email Reminder
News
free shipping!
its easy
Warning!
SCAM alert!!!
Sponsors needed
new reading
CALL FOR INFORMATION!
25 merchants and rising
Cows
My eBay ads
empty account
Market Update Report
click on this!
fantastic
wow!
bad news
Lost & Found
New Contests
Today Only
Get a FREE gift!
Membership Confirmation
Report
Please Helpall
Stats
I need help about script!!!
Interesting...
Introduction
various
Announcement
history screen
Correction of errors
Just a reminder
Payment notices
hmm..
update
Hello!
Additionally, the message Subject can be taken by Tanatos from a randomly selected disk file. The message Body is likewise taken from a randomly selected disk file. The attached file name is also randomly selected and may have a double extension, for example:
filename.XLS.SCR
Spreading: Network
Tanatos enumerates network resources shared for writing, looks for the start-up folder and copies its file there (if found). This routine has a bug, and the worm also sends copies of itself to shared network printers.

Backdoor
The backdoor routine opens port 36794 and listens there for "master" commands (from the person or people controlling it). The backdoor grants control over infected machines, giving those who control Tanatos the ability to send, receive, copy and execute files, terminate processes, send out user info, etc. Tanatos also opens an HTTP server on infected machines, which offers a web interface for manipulating them.

PSW Trojan
The worm also has a trojan routine that sends user info and cached passwords to several email addresses that are stored encrypted in the worm body.

Other
Tanatos looks for the following applications and tries to terminate them:
I-Worm.Tanatos.b
Description I-Worm.Tanatos.b
Tanatos.b (aka Bugbear.b) is a worm spreading via the Internet as an email attachment. The worm also infects Windows EXE files, spreads over local networks and has a built-in backdoor routine.

The worm itself is a Windows PE EXE file about 72KB in length: it is compressed with UPX and then encrypted on top of the UPX compression. The decompressed size is about 170KB. The worm's code is written in Microsoft Visual C++.

Tanatos.b has the following text strings in its body:
w32shamur
W32.Shamur
tanatos
Installing
While installing, the worm copies itself to the Windows start-up directory under a random name. No registry keys are affected. The worm also creates the following files in the Windows system directory:
gpflmvo.dll - keylogger DLL (about 6K in size)
zpknpzk.dll - its internal data file
shtchs.dll - its internal data file
Tanatos also creates the following file in the Windows directory:
%rnd name%.dat - its internal data file
and the following file in the Temp directory:
vba%rnd%.tmp - the worm's installed copy
Spreading
To send infected messages the worm uses a built-in SMTP engine. The worm searches for victim email addresses in the following files on the available disks:
*.ODS, INBOX.*, *.MMF, *.NCH, *.MBX, *.EML, *.TBB, *.DBX
The infected messages have different Subject, Body and file attachment names that are selected from many variants:
Subject:
The file attachment name is randomly selected by one of several methods:
1. The worm looks for *.INI files in ??? and, if a "%filename%.INI" file is found, sends itself under the name "%filename%%ext%", where %ext% is randomly selected from the list: ".scr", ".pif", ".exe".
2. The worm randomly selects the attached file name from the following variants: readme, Setup, Card, Docs, news, image, images, pics, resume, photo, video, music, song, data
The file name extension is again randomly selected from the same variants: ".scr", ".pif", ".exe".
3. The worm looks for *.BMP, *.DOC, *.GIF, *.JPG, *.RTF and other files and uses their full names as the %filename% of the infected attachment, which therefore has a double extension, for example:
doc1.doc.exe
euro.gif.scr
table.xls.pif
4. "setup.exe"
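The naming rules above (and the double-extension attachment names of Tanatos.a, such as filename.XLS.SCR) are exactly the kind of thing a mail gateway can check before a user ever sees the attachment. The following Python is an added example written for this page, not code from the original description or from any product: it classifies an attachment name against the four methods listed. The set of "document" extensions for method 3 is an assumption, since the text says "and other files"; the sample names are constructed.

```python
from typing import List, Optional, Tuple

# Executable extensions the worm appends to attachment names (from the text).
EXEC_EXTS = {".scr", ".pif", ".exe"}

# Bare attachment names the worm picks from (method 2 above), lower-cased.
BARE_NAMES = {"readme", "setup", "card", "docs", "news", "image", "images",
              "pics", "resume", "photo", "video", "music", "song", "data"}

# Document extensions seen in the double-extension examples (method 3).
# The text says "*.BMP, *.DOC, *.GIF, *.JPG, *.RTF and other files", so this
# set is an assumption and should be extended for a real gateway.
DOC_EXTS = {".bmp", ".doc", ".gif", ".jpg", ".rtf", ".xls"}


def classify_attachment(name: str) -> Optional[str]:
    """Return a short reason if the attachment name matches one of the worm's
    naming patterns, or None if it does not end in .scr/.pif/.exe."""
    lower = name.strip().lower()
    parts = lower.split(".")
    if len(parts) < 2:
        return None                      # no extension at all
    ext = "." + parts[-1]
    if ext not in EXEC_EXTS:
        return None                      # not one of the worm's extensions
    if lower == "setup.exe":
        return "fixed name setup.exe (method 4)"
    inner = "." + parts[-2] if len(parts) >= 3 else ""
    if inner in DOC_EXTS:
        return f"double extension {inner}{ext} (method 3)"
    stem = ".".join(parts[:-1])
    if stem in BARE_NAMES:
        return f"bare name '{stem}' with {ext} (method 2)"
    return f"executable extension {ext} (method 1 or other)"


def scan_attachments(names: List[str]) -> List[Tuple[str, str]]:
    """Return (name, reason) for every attachment name that matches."""
    hits = []
    for name in names:
        reason = classify_attachment(name)
        if reason is not None:
            hits.append((name, reason))
    return hits


# Constructed sample of attachment names (not taken from a real message).
SAMPLE_NAMES = [
    "doc1.doc.exe", "euro.gif.scr", "table.xls.pif", "filename.XLS.SCR",
    "readme.pif", "setup.exe", "Quarterly.exe", "report.pdf", "photo.jpg",
]

if __name__ == "__main__":
    for name, reason in scan_attachments(SAMPLE_NAMES):
        print(f"{name:20s} {reason}")
```

Matching is done on the lower-cased name, so the .XLS.SCR form used by Tanatos.a is caught the same way as doc1.doc.exe. Because method 1 produces an arbitrary %filename% with only the extension as a tell, the last rule flags every remaining .scr/.pif/.exe attachment rather than trying to guess the stem.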
Some of the infected emails exploit the IFrame security breach, which runs the attachment as soon as the infected email is opened; in the rest of the messages the worm activates only when a user clicks on the attached file.

Infecting EXE files
While infecting a file the worm writes itself to the end of the file. The worm infects the following "standard" .EXE files on the victim machine; the names are given relative to the "Program Files" directory:
winzip\winzip32.exe
kazaa\kazaa.exe
ICQ\Icq.exe
DAP\DAP.exe
Winamp\winamp.exe
AIM95\aim.exe
Lavasoft\Ad-aware 6\Ad-aware.exe
Trillian\Trillian.exe
Zone Labs\ZoneAlarm\ZoneAlarm.exe
StreamCast\Morpheus\Morpheus.exe
QuickTime\QuickTimePlayer.exe
WS_FTP\WS_FTP95.exe
MSN Messenger\msnmsgr.exe
ACDSee32\ACDSee32.exe
Adobe\Acrobat 4.0\Reader\AcroRd32.exe
CuteFTP\cutftp32.exe
Far\Far.exe
Outlook Express\msimn.exe
Real\RealPlayer\realplay.exe
Windows Media Player\mplayer2.exe
WinRAR\WinRAR.exe
adobe\acrobat 5.0\reader\acrord32.exe
Internet Explorer\iexplore.exe

and in the Windows directory:
winhelp.exe
notepad.exe
hh.exe
mplayer.exe
regedit.exe
scandskw.exe
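Because Tanatos.b "writes itself to the end of the file", an infected host file carries bytes beyond the last section declared in its PE section table (an overlay). The following Python is an added example written for this page, not the worm's code or any vendor's scanner: it parses the PE headers of a file, computes where the last section ends on disk, and reports how many bytes follow it. The minimal PE image it builds is a constructed sample (a non-runnable header plus one section) so that the check runs offline; the 300 appended bytes model only the appending described, nothing about how the worm gains control.

```python
import struct
from typing import Tuple

FILE_ALIGN = 0x200


def build_minimal_pe(section_data: bytes) -> bytes:
    """Build a minimal, non-runnable PE32 image with a single .text section.
    Constructed sample for the check below, not a real binary: DOS header
    (64 bytes), "PE\\0\\0", COFF header (20), PE32 optional header (224, only
    Magic filled in), one section header (40), then the section's raw data
    padded to FILE_ALIGN."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", e_lfanew)          # 64 bytes
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 224, 0x0102)   # i386, 1 section
    opt = struct.pack("<H", 0x10B) + b"\x00" * 222                    # PE32 magic
    header_len = e_lfanew + 4 + len(coff) + len(opt) + 40
    raw_ptr = -(-header_len // FILE_ALIGN) * FILE_ALIGN               # round up
    raw_size = -(-len(section_data) // FILE_ALIGN) * FILE_ALIGN
    section = struct.pack("<8sIIIIIIHHI", b".text", len(section_data), 0x1000,
                          raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\x00\x00" + coff + opt + section
    headers += b"\x00" * (raw_ptr - len(headers))
    return headers + section_data.ljust(raw_size, b"\x00")


def overlay_info(data: bytes) -> Tuple[int, int]:
    """Return (end_of_last_section, overlay_length) for a PE image.
    end_of_last_section is the largest PointerToRawData + SizeOfRawData
    over all sections; every byte after it is data the section table does
    not account for, which is where an appending infector writes its body."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]     # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]     # SizeOfOptionalHeader
    sec_table = coff + 20 + opt_size
    end = 0
    for i in range(nsections):
        # SizeOfRawData and PointerToRawData sit at +16 and +20 in each
        # 40-byte section header.
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_table + i * 40 + 16)
        if raw_size:
            end = max(end, raw_ptr + raw_size)
    return end, max(0, len(data) - end)


def has_overlay(data: bytes) -> bool:
    return overlay_info(data)[1] > 0


if __name__ == "__main__":
    clean = build_minimal_pe(b"\xC3" * 100)      # constructed: 100 RET bytes
    appended = clean + b"X" * 300                 # models "writes itself to the end"
    print("clean:   ", overlay_info(clean))       # (1024, 0)
    print("appended:", overlay_info(appended))    # (1024, 300)
```

An overlay by itself is a triage signal, not proof of infection: Authenticode signatures, installer payloads and self-extracting archives all legitimately live past the last section. Run the check against the files named in the lists above and compare the overlay length and contents with a known-good copy of the same program, or with the description's size figures, before drawing a conclusion.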
Infecting - networks
The Tanatos.b worm enumerates all network resources, then copies itself to the start-up folders of the available resources (drives) using random .EXE names or the name "setup.exe". The worm also looks for "standard" .EXE files (the same list as above) on shared drives and infects them.

Backdoor
Tanatos.b opens port 1080 and, at the master's request:
- reports disk and file info
- copies and deletes requested files
- reports active applications
- terminates requested applications
- runs a local file
- receives a file from the master and runs it
- logs keyboard input and sends it to the master
- opens an HTTP server
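The two backdoor ports named on this page (36794 for Tanatos.a, 1080 for Tanatos.b) are the quickest host-level indicator to check. The following Python is an added example written for this page, not code from the original description or from any tool: it parses lines in the shape of `netstat -ano` output, flags TCP sockets listening on either port, and correlates them with processes that also hold an outbound SMTP (port 25) session, since both variants mail themselves directly. The netstat text is a constructed sample, not a real capture.

```python
from typing import Any, Dict, List, Set, Tuple

# Listening ports named in the two descriptions above.
BACKDOOR_PORTS: Dict[int, str] = {
    36794: "I-Worm.Tanatos.a backdoor",
    1080: "I-Worm.Tanatos.b backdoor",
}

# Constructed sample in the shape of `netstat -ano` output (not a real capture).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:36794          0.0.0.0:0              LISTENING       1304
  TCP    192.168.1.10:1080      0.0.0.0:0              LISTENING       1550
  TCP    192.168.1.10:1080      10.0.0.5:44120         ESTABLISHED     1550
  TCP    192.168.1.10:49212     203.0.113.9:25         ESTABLISHED     1304
  UDP    0.0.0.0:137            *:*                                    4
"""


def parse_netstat(text: str) -> List[Dict[str, Any]]:
    """Parse `netstat -ano` style lines. TCP rows carry a State column and
    UDP rows do not, so the PID is the fifth or the fourth field."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue                                  # header, blank, or junk
        proto, local, foreign = fields[0], fields[1], fields[2]
        if proto == "TCP":
            state, pid = fields[3], int(fields[4])
        else:
            state, pid = "", int(fields[3])
        _, _, lport = local.rpartition(":")
        _, _, fport = foreign.rpartition(":")
        rows.append({
            "proto": proto, "local": local, "lport": int(lport),
            "foreign": foreign, "fport": int(fport) if fport.isdigit() else None,
            "state": state, "pid": pid,
        })
    return rows


def find_backdoor_listeners(text: str) -> List[Tuple[int, int, str]]:
    """Return (port, pid, label) for TCP sockets LISTENING on a known
    Tanatos backdoor port."""
    hits = []
    for r in parse_netstat(text):
        if (r["proto"] == "TCP" and r["state"] == "LISTENING"
                and r["lport"] in BACKDOOR_PORTS):
            hits.append((r["lport"], r["pid"], BACKDOOR_PORTS[r["lport"]]))
    return hits


def smtp_sender_pids(text: str) -> Set[int]:
    """PIDs holding an ESTABLISHED connection to a remote port 25. The worm
    mails itself over a direct SMTP connection, so a backdoor listener that
    is also talking SMTP is a much stronger signal than either alone."""
    return {r["pid"] for r in parse_netstat(text)
            if r["proto"] == "TCP" and r["state"] == "ESTABLISHED"
            and r["fport"] == 25}


def correlate(text: str) -> List[Tuple[int, int, str]]:
    """Backdoor listeners whose process also has an outbound SMTP session."""
    smtp = smtp_sender_pids(text)
    return [hit for hit in find_backdoor_listeners(text) if hit[1] in smtp]


if __name__ == "__main__":
    for port, pid, label in find_backdoor_listeners(SAMPLE_NETSTAT):
        print(f"pid {pid} listens on {port}: {label}")
    print("listener + SMTP:", correlate(SAMPLE_NETSTAT))
```

Port 1080 is also the standard SOCKS proxy port, so a listener there matches on any machine running a legitimate proxy; map the PID to its image path (tasklist on Windows) and check whether the binary is a randomly named file in the start-up directory or a vba*.tmp file in the Temp directory, as described under Installing, before treating it as Tanatos.b.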
Other
Tanatos.b terminates active debuggers, anti-virus and firewall processes:
ZONEALARM.EXE WFINDV32.EXE WEBSCANX.EXE VSSTAT.EXE VSHWIN32.EXE VSECOMR.EXE VSCAN40.EXE VETTRAY.EXE VET95.EXE TDS2-NT.EXE TDS2-98.EXE TCA.EXE TBSCAN.EXE SWEEP95.EXE SPHINX.EXE SMC.EXE SERV95.EXE SCRSCAN.EXE SCANPM.EXE SCAN95.EXE SCAN32.EXE SAFEWEB.EXE RESCUE.EXE RAV7WIN.EXE RAV7.EXE PERSFW.EXE PCFWALLICON.EXE PCCWIN98.EXE PAVW.EXE PAVSCHED.EXE PAVCL.EXE PADMIN.EXE OUTPOST.EXE NVC95.EXE NUPGRADE.EXE NORMIST.EXE NMAIN.EXE NISUM.EXE NAVWNT.EXE NAVW32.EXE NAVNT.EXE NAVLU32.EXE NAVAPW32.EXE N32SCANW.EXE MPFTRAY.EXE MOOLIVE.EXE LUALL.EXE LOOKOUT.EXE JEDI.EXE IOMON98.EXE IFACE.EXE ICSUPPNT.EXE ICSUPP95.EXE ICMON.EXE ICLOADNT.EXE ICLOAD95.EXE IBMAVSP.EXE IBMASN.EXE IAMSERV.EXE IAMAPP.EXE FRW.EXE FPROT.EXE FP-WIN.EXE FINDVIRU.EXE F-STOPW.EXE F-PROT95.EXE F-PROT.EXE F-AGNT95.EXE ESPWATCH.EXE ESAFE.EXE ECENGINE.EXE DVP95_0.EXE DVP95.EXE CLEANER3.EXE CLEANER.EXE CLAW95CF.EXE CLAW95.EXE CFINET32.EXE CFINET.EXE CFIAUDIT.EXE CFIADMIN.EXE BLACKICE.EXE BLACKD.EXE AVWUPD32.EXE AVWIN95.EXE AVSCHED32.EXE AVPUPD.EXE AVPTC32.EXE AVPM.EXE AVPDOS32.EXE AVPCC.EXE AVP32.EXE AVP.EXE AVNT.EXE AVKSERV.EXE AVGCTRL.EXE AVE32.EXE AVCONSOL.EXE AUTODOWN.EXE APVXDWIN.EXE ANTI-TROJAN.EXE ACKWIN32.EXE _AVPM.EXE _AVPCC.EXE _AVP32.EXE LOCKDOWN2000.EXE
The Tanatos.b worm also gets cached passwords and sends them to its "master".