Virus Database


Exploit.IIS.Beavuh

Description Exploit.IIS.Beavuh

Beavuh is an exploit for the so-called MS IIS ".printer" vulnerability, which Microsoft describes in "Security Bulletin MS01-23", released May 1, 2001.
The MS01-23 Security Bulletin can be viewed at the following location:
www.microsoft.com/technet/security/bulletin/ms01-023.asp
This exploit program gives the attacker remote access to a simple Windows NT command shell on the target machine. Beavuh was recently reported (on March 2nd, 2002) to have been used in a large number of hacking attempts.
The exploit program has the following parameters:
a destination IP address
a destination port number
an IP address/port to which the exploiting code will connect back with the command shell.
The remote exploit code is executed on the target machine if the IIS vulnerability has not been patched. The code is encrypted, so it first decrypts itself and then scans system memory for the Windows NT library "kernel32.dll". From there it acquires the offset of the 'GetProcAddress' function and uses it to obtain several other API addresses, from both "kernel32.dll" and "wsock32.dll".
Next, Beavuh connects to the address specified by the attacker, launches the executable "cmd.exe", and links the input and output of the command shell to the socket opened to the attacker's control machine.
Recommendations
Due to the prevalence of this exploit, we recommend system administrators patch any vulnerable IIS servers as soon as possible. Also, installing the KL ISAPI AV filter provides a generic means of blocking IIS buffer overflow exploits, including this one. For more details, please check:
www.kasperskey.com/support.html?chapter=47


Arcs.1194

Description Arcs.1194

This is a harmless non-memory resident parasitic virus. It searches for .COM files (except COMMAND.COM), then writes itself to the end of the file. The virus contains the text strings:
*.com
DOS ARCS
V V2 ****

Arcv.335

Description Arcv.335

These are not dangerous viruses. They search for COM and EXE files and infect them in a standard manner. Some of the "Arcv" viruses use polymorphic algorithms. These viruses contain the following text strings:
"Arcv.335": [ARCV-6] Apache *.com
"Arcv.839": [ARCV-5] Apache Warrior, ARCV. Pres.
"Arcv.541": [ARCV-7] Apache ARCV. *.exe
"Arcv.562": [X-1] ICE-9
"Arcv.639": [ARCV93] ICE-9
"Arcv.651": [ARCV-3] Apache Warrior.
"Arcv.664": [ARCV-4] Apache Warrior, ARCV Pres. *.exe *.com
"Arcv.670": Made in ENGLAND. [ARCVXMAS] by ICE-9 Released June 1992.
"Arcv.679": Naughty, Naughtyall ARCV Productions Ltd. [ARCV-8] *.exe
"Arcv.693": [ARCV-2] Apache Warrior, ARCV. Pres.
"Arcv.718": [SOLOMoN] ICE-9
"Arcv.745": [ARCV-9] Apache Warrior. *.com
"Arcv.773": [Slime] By Apache Warrior, ARCV Pres.
Sliming around your PC,
I go make a sticky MESS over your Hard Drive!
"Arcv.795": [SCROLL] ICE-9 ARcV COMMAND.COM
"Arcv.795.b": [X-2] ICE-9, -< ARCV >- Made in England.
Hi I'am called X-2, get my name right!
Look out for the X-3 twins.
"Arcv.826": [ARCV-1] Apache Warrior, ARCV Pres.
"Arcv.827": [ARCV-10] Apache Warrior.
"Arcv.839": [FRIENDS] i486X
"Arcv.916": [JO] By Apache Warrior, ARCV Pres.
"Arcv.916.b": JO Exersiser Virus. Apache Warrior, ARCV Pres. [JOEXE]
"Arcv.965": [Joshua]
"Arcv.986": [JO] By Apache Warrior, ARCV Pres.
"Arcv.1060": [X-3b] ICE-9 (c) 1992 ICE-9
Written Oct 1992 Look out 4 future Releases
"Arcv.1072": [ReaperMan] Apache Warrior
"Arcv.1172": [Sandwich] By Apache Warrior, ARCV Pres.
"Arcv.1208": [SCYTHE] Apache Warrior, ARCV Pres.

"Arcv.795" scrolls up the screen.
On March 3rd, "Arcv.562" types the following messages:
ICE-9 Presents
In Association with
The ARcV
[X-1]
Michelangelo activates
-< TOMORROW >-

In January, "Arcv.639" types:
Happy New Year from the ARCV
Released 1 June 1992.
Made in England by ICE-9

In February, "Arcv.657" types the messages:
Yo.. I`ve Just Found a Virus.. Opps.. Sorry I`m the Virus.
Well let me introduce myself.. I am ARCV-3 Virus, by Apache Warrior.
Long Live The ARCV and Whats an Hard ECU?
Vote Yes to the Best Vote ARCV..

On May 9, "Arcv.664" types the messages:
So Who`s the Best Then?
Oh Well Sorry But The ARCV Are The Best!
Well Your in Favor with Us then.

In December, from the 20th until 25th, "Arcv.670" types:
Happy Xmas from The ARCV.

In April, "Arcv.693" types:
Help.. Help.. I`m Sinking........

"Arcv.718" types:
Hello Dr Sol.
&
Fido.
Lurve U lots
ICE-9
(c) 1992 ARCV.
P.S.
Apache sez Hi(Dos)

On June 15, "Arcv.826" types:
Long Live The ARCV. MUFC for the League!
(c) Apache Warrior, ARCV Pres. 92
Welcome to the REAL World. And the ARCV 1 Virus!

"Arcv.827" types:
Well its finally here The -= ARCV =-
Welcome To our New Members..........

On December 10, "Arcv.916" types:
Looking Good Slimline Joanna.
Made in England by Apache Warrior, ARCV Pres.
Jo Ver. 1.11 (c) Apache Warrior 92.
I Love You Joanna, Apache..

"Arcv.965" types:
---------------------------------------------------
ƒ Guess what ??? ƒ
ƒ You have been victimized by a virus!!! Do not ƒ
ƒ try to reboot your computer or even turn it ƒ
ƒ off. You might as well read this and weep! ƒ
---------------------------------------------------

"Arcv.986" displays:
This is Dedicated To the Girl I Love, Joanna Dicks.
Made in England by Apache Warrior, ARCV Pres.
Jo Ver. 1.01 (c) Apache Warrior 92.
I Love You Joanna, Apache..

"Arcv.1060" displays:
THE TWINS
[X-3a] & [X-3b]
ARE ON YOUR PC.
ICE-9

"Arcv.1072" displays:
Reaper Man.
(c) 92, Apache Warrior, ARCV Pres.

"Arcv.1172" displays:
Which ARCV Member Likes a
Sandwich?
Cheese, Beef Spread, Cucumber and Crisp
Corned Beef and Salad Cream
Jaffa Cake and Hamster on Rye
Is it A. Apache Warrior
B. ICE-9
C. Slartibartfast
Select a Letter:
Well you know you`re ARCV Members.
Bad Luck.. Better Luck Next Time.

On December 12, "Arcv.1208" displays:
This is the Scythe for Reaper Man.
Beware I`m Sharp!
Made in England by Apache Warrior, ARCV Pres.
Scythe Ver. 1.01 (c) Apache Warrior 92.
Reaper Man Swung The SCYTHE and the PC Died!

Arcv.Anna.742 and 745
It displays the message:
[ANNA] Slartibartfast, ARCV NuKE the French
Have a Cool Yule from the ARcV
xCept Anna Jones
I hope you get run over by a Reindeer
Santas bringin' you a Bomb
All my Lurve - SLarTiBarTfAsT
(c) ARcV 1992 - England Raining Again

Arcv.Alpha.743
This is a dangerous non-memory resident encrypted parasitic virus. It searches for .COM files and writes itself to their end. On March 5, it types:
Youre PC has ALPHA virus.
Brought to you by the ARCV.
Made in ENGLAND.

and hangs the computer. It also contains the internal texts:
*.com *.*
[ALPHA] by ICE-9
Released July 1992.

Arcv.Benoit.1183
This is a dangerous memory resident encrypted parasitic virus. It hooks INT 21h and infects .EXE files upon opening or execution. Sometimes it types:
[BENOIT] ICE-9.
Made in Engalnd.

and hangs the computer. It also contains the internal text:
Release 5th November 1992 (c) 1992 ICE-9. Dedicated to Benoît B. Mandelbrot

Arcv.Ice
These are harmless non-memory resident parasitic viruses. They search for .COM files in the current directory and write themselves to the end of each file. "Arcv.Ice.250 and 330" encrypt themselves. These infectors contain the text string "*.COM" and:
"Arcv.Ice.159": [159] ICE-9
"Arcv.Ice.199": [199] ICE-9
"Arcv.Ice.224": [224] ICE-9
"Arcv.Ice.250": [250] ICE-9

In July, "Arcv.Ice.330" types: "[330] by ICE-9".
Arcv.Ice.642 and 678
These are benign memory resident parasitic viruses. They hook INT 21h, and write themselves at the end of .COM-files that are opened or executed. At the beginning of January, they decrypt and display the message:
Happy New Year from the ARCV
Released 1 June 1992.
Made in England by ICE-9

They also contain the internal text: "[ARCV93] ICE-9 r51xP".
Arcv.Joanna
This is a benign memory resident parasitic encrypted virus. It hooks INT 21h, and writes itself to the end of .COM-files executed or opened. Sometimes it types one of the following messages:
Looking Good Slimline Joanna.
Made in England by Apache Warrior, ARCV Pres.
Jo Ver. 1.11 (c) Apache Warrior 92.
I Love You Joanna, Apache..

It also contains the internal text string:
[JO] B_ Apache Warrior, ARCV Pres.

Arcv.More.649
This is a benign memory resident encrypted parasitic virus. It hooks INT 21h, and writes itself to the end of COM- and EXE-files executed. It types:
OH NO NOT MORE ARCV.

It also contains the internal text:
[MoRE] ICE-9

Arcv.Zaphod.399
This is a dangerous non-memory resident parasitic virus. It searches for .COM files in the current directory and writes itself to the end of the file. On February 28, it decrypts and types the message "Greetings from ZAPHOD." and then hangs the computer.
Arcv.Dennis
This is a benign memory resident encrypted parasitic virus. It hooks INT 21h, and infects COM- and EXE-files upon their execution. Sometimes it types:
To Dennis Yelle You Need A Pay Rise!
McAfee Eat Lead..........

and crackles through the internal computer speaker. It also contains the internal text: "[Dennis-1] Apache Warrior, -= ARCV =- President.".
Arcv.Mcwhale
This is a benign non-memory resident encrypted parasitic virus. It searches for COM- and EXE-files and writes itself at their end. It types:
......................................BEWARE!!!
................................Anti-Virus.....Man
.....John.....McAfee.....wrote.....the.....WHALE.....virus!!!
..............................HONEST!!!
....................................

It also contains the internal text string:
by ABRAXAS - (c) 1992 Abraxas Warez

    Copyright © 2005 Virus-Database.com