Fair Family
Description Fair Family
These are not dangerous memory resident encrypted parasitic viruses. They hook INT 21h and write themselves to the end of COM and EXE files that are accessed.

Fair.2083
While executing some file (the virus checks the beginning of the file), the virus displays the message:

    This is an [ illegal copy ] of KeyPress virus remover System Halted

This virus also contains the text:

    Eternal Fair

Fair.2340
This virus does not infect the files SCAN.EXE and COMMAND.COM. When the virus intercepts the access to an already infected file, it increases its internal counter. When that counter reaches 800h, the virus displays:

    Time Machine, Running.
I-Worm.Yarner
Description I-Worm.Yarner
This is a virus-worm that spreads via the Internet attached to infected e-mails. The worm itself is a Windows PE EXE file about 434Kb in length, and it is written in Delphi. The worm was discovered on 18-19 February 2002, and it has a very dangerous payload.

The infected messages have the original sender's e-mail address or fake sender address in the "From" field.

    "True" e-mail: Trojaner-Info [%TrueEmail%]
    Fake e-mail: Trojaner-Info [webmaster@trojaner-info.de]

Other data in messages appears as follows:

    Subject: Trojaner-Info Newsletter %CurrentDate%
    Attachment: yawsetup.exe

where %CurrentDate% is the current date, for example, "18.02.02", "19.02.02".

Body:

    Hallo !

    Willkomen zur neuesten Newsletter-Ausgabe der Webseite Trojaner-Info.de. Hier die Themen im Ueberblick:

    1. YAW 2.0 - Unser Dialerwarner in neuer Version

    ************************************

    1. YAW 2.0 - Unser Dialerwarner in neuer Version

    Viele haben ihn und viele moegen ihn - unseren Dialerwarner YAW. YAW ist nun in einer brandneuen und stark erweiterten Version verfuegbar. Alle unsere Newsletterleser bekommen ihn kostenlos zusammen mit diesem Newsletter. Also einfach die angehaengte Datei starten und YAW 2.0 installieren. Bei Fragen steht Ihnen der Programmierer des bislang einzigartigen Programmes Andreas Haak unter andreas@ants-online.de zur Verfügung. Viel Spaß mit YAW!

    ************************************

    Das war die heutige Ausgabe mit den aktuellsten Trojaner-Info News. Wir bedanken uns fuer eure Aufmerksamkeit und wuenschen allen Lesern noch eine angenehme Woche.

    Mit freundlichem Gruss

    Thomas Tietz & Andreas Ebert

    ************************************
    Anzahl der Subscriber: 5.966
    Durchschnittliche Besuchzahl/Tag: 4.488
    Diese Mail ist kein Spam ! Diesen Newsletter hast du erhalten, da du in unserer Verteilerliste aufgenommen wurdest. Solltest du unseren Newsletter nicht selber abonniert haben, sondern eine andere Person ohne dein Wissen, kannst du diesen auf unseren Seiten wieder abbestellen. Oder sende uns einfach eine entsprechende E-Mail.
    ************************************
The worm activates from an infected e-mail only when a user clicks on the attached file. The worm then installs itself to the system and runs its spreading routine and payload.

Installing
While installing, the worm copies itself to the Windows directory under a random .EXE name of up to 100 symbols and registers this file in the system registry auto-run key:

    HKCU\Software\Microsoft\Windows\CurrentVersion\Runonce
    %RandomText% = %WormName%

where %WormName% is the worm copy name, and %RandomText% is another random string of up to 100 symbols, for example:

    ddfUdEDshaSEYadkWBUdFrnKlFWReyHQpTWCqMkkTRhHoIqHMZugxnPTXF.exe

The worm then renames the NOTEPAD.EXE file in the Windows directory to NOTEDPAD.EXE and replaces the original NOTEPAD.EXE with its copy. This gives the worm an additional copy that starts again whenever a text file is opened with Notepad.

The worm also creates two additional files in the Windows directory with the following names:

    kerneI32.daa - the worm writes victim e-mails to there
    kerneI32.das - the worm writes known SMTP servers to this file

Spreading
To send infected messages, the worm uses a direct connection to the default SMTP server. The worm obtains victim e-mail addresses in two different ways. First, it gains access to the MS Outlook address book and obtains all e-mail addresses from there. Next, the worm scans all .PHP, .HTM, .SHTM, .CGI, .PL files in all subdirectories in the Windows directory and obtains all e-mails from there.

Payload
After successfully sending an infected e-mail, the worm, in one case in ten, deletes all files on a drive where Windows is installed.
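The installation traces described above can be checked on a host inventory. The following is an added example, not code from the original description: the function name, the letters-only heuristic for the random names and the sample inventories are assumptions made for illustration.

```python
import ntpath
import re

# File names from the description above, compared case-insensitively.
YARNER_FILES = {
    "notedpad.exe": "original Notepad renamed by the worm",
    "kernei32.daa": "store of harvested e-mail addresses",
    "kernei32.das": "store of known SMTP servers",
}
# Assumption: random names are letters only, like the one example on the page;
# the minimum length of 9 is an arbitrary cut-off to skip 8.3-style names.
RANDOM_NAME = re.compile(r"[A-Za-z]{9,100}")


def yarner_host_indicators(windir, windir_files, runonce_values):
    """Return (indicator, meaning) pairs found on one host.

    windir_files   -- file names located directly in the Windows directory
    runonce_values -- {value name: data} read from the HKCU Runonce key
    """
    present = {f.lower() for f in windir_files}
    findings = [(name, meaning) for name, meaning in YARNER_FILES.items()
                if name in present]
    for value_name, data in runonce_values.items():
        folder, base = ntpath.split(data.strip().strip('"'))
        stem, ext = ntpath.splitext(base)
        if (ntpath.normcase(folder) == ntpath.normcase(windir)
                and ext.lower() == ".exe"
                and RANDOM_NAME.fullmatch(stem)
                and RANDOM_NAME.fullmatch(value_name)):
            findings.append((value_name, "Runonce autorun of " + base))
    return findings


# Constructed sample inventories, not taken from a real host.
INFECTED_FILES = ["NOTEPAD.EXE", "NOTEDPAD.EXE", "kerneI32.daa", "kerneI32.das",
                  "hQzLmWpRtYbNcVxKsJd.exe"]
INFECTED_RUNONCE = {"TgBnHyUjMkIoLpQaWs": r"C:\WINDOWS\hQzLmWpRtYbNcVxKsJd.exe"}
CLEAN_FILES = ["NOTEPAD.EXE", "explorer.exe", "regedit.exe"]
CLEAN_RUNONCE = {"wextract_cleanup0": r"rundll32.exe C:\WINDOWS\system32\advpack.dll"}

if __name__ == "__main__":
    for hit in yarner_host_indicators(r"C:\WINDOWS", INFECTED_FILES, INFECTED_RUNONCE):
        print(hit)
```

A hit on NOTEDPAD.EXE also means NOTEPAD.EXE in the same directory is the worm's copy and should be treated as infected.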
I-Worm.Zafi
Description I-Worm.Zafi
This worm spreads via the Internet as an attachment to infected messages. It is 11776 bytes in size.

Characteristics of infected messages

Sender:

    kepeslapok@meglep.hu

Message body:

    Tisztelt felhasznalo!

    Onnek kepeslapja erkezett! A kepeslap feladoja: Leva A lapot az alabbi cimen tudja megtekinteni: http//matav.hu/viewcard/index=p4uo5683535GSb0123fhhf578840f0623cv2 vagy a mellekelt internetlink kattintasaval.

    Udvozlettel: Matav e-card! http//www.netezz.matav.hu/

Attachment name:

    link.matav.hu.viewcard.index42ADR4502HHJeTYWYJDF334GSDEv255

Propagation
The worm searches disks C, D, E, F, G, H for files with the following extensions, and harvests email addresses from these files:

    adb asp avi bmp cab com dbx dll eml exe gif htm ico iso jpg lnk mbx mp3 mpg php pk3 pmr rar sht swp tbb txt vxd wab wav wmv zip

If any of the words listed below are found in an address, the address will be ignored.

    anti avp f-prot gov hotmail microsoft norton panda trendmicro vir

Installation
The worm creates the following keys in the system registry:

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]

The key value is a link to a copy of the worm in the system directory. The file name is randomly generated by the worm.

    [HKLM\Software\Microsoft\Hazafi]

The key values of R1 - RA are the user name, user email, links to a copy of the worm in the system directory and links to the files which contain the email addresses harvested by the worm. All file names are randomly generated by the worm.

Other
Immediately following launch, the worm checks the current system date. If the local system date is 01.05.2004, the following dialogue box will be displayed. The worm will not work after 02.05.2004.

The worm terminates the following processes:

    dfw.exe fsav32.exe fsbwsys.exe fsgk32.exe fsm32.exe fssm32.exe fvprotect.exe mcagent.exe navapw32.exe navdx.exe navstub.exe navw32.exe nc2000.exe ndd32.exe netarmor.exe netinfo.exe netmon.exe nmain.exe nprotect.exe ntvdm.exe ostronet.exe outpost.exe pccguide.exe pcciomon.exe regedit.exe regedit32.exe taskmgr.exe tnbutil.exe vbcons.exe vbsntw.exe vbust.exe vsmain.exe vsmon.exe vsstat.exe winlogon.exe zonalarm.exe
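The message characteristics given for I-Worm.Yarner and I-Worm.Zafi translate into a simple mail-gateway check. This is an added example, not part of the original descriptions: the function names and the sample messages are constructed, and the strings matched are the ones quoted on this page.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

# Subject format from the Yarner description: fixed text plus a dd.mm.yy date.
YARNER_SUBJECT = re.compile(r"Trojaner-Info Newsletter \d{2}\.\d{2}\.\d{2}")
ZAFI_SENDER = "kepeslapok@meglep.hu"
ZAFI_ATTACHMENT_PREFIX = "link.matav.hu.viewcard.index"


def attachment_names(msg):
    """Lower-cased file names of every MIME part that declares one."""
    names = (part.get_filename() for part in msg.walk())
    return [n.lower() for n in names if n]


def classify(raw_message):
    """Return 'I-Worm.Yarner', 'I-Worm.Zafi' or None for one raw message."""
    msg = message_from_string(raw_message)
    names = attachment_names(msg)
    # Yarner's From field may be a real or a faked address, so it is not
    # used; the subject and the attachment name are the stable parts.
    if YARNER_SUBJECT.search(msg.get("Subject", "")) and "yawsetup.exe" in names:
        return "I-Worm.Yarner"
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender == ZAFI_SENDER and any(
            n.startswith(ZAFI_ATTACHMENT_PREFIX) for n in names):
        return "I-Worm.Zafi"
    return None


def build_sample(sender, subject, filename):
    """Construct a test message with a harmless two-byte attachment."""
    msg = EmailMessage()
    msg["From"], msg["Subject"] = sender, subject
    msg.set_content("constructed sample body")
    msg.add_attachment(b"MZ", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_string()


if __name__ == "__main__":
    print(classify(build_sample("Trojaner-Info <webmaster@trojaner-info.de>",
                                "Trojaner-Info Newsletter 18.02.02",
                                "yawsetup.exe")))
```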