Virus Database


Fasolo.149

Description Fasolo.149

These are dangerous non-memory-resident overwriting viruses. They search for .COM files and overwrite them. On December 4th they erase hard drive sectors. The viruses contain the internal text strings:
*.com
_ Fasolo VIRUS _


I-Worm.Choke

Description I-Worm.Choke

This is a worm that spreads via the Internet by using MSN Messenger (an instant messaging program). The worm itself is a Windows EXE file about 40Kb in length, written in Visual Basic.
When an infected file is run, the worm copies itself to C:\CHOKE.EXE, then registers this file in the registry auto-run key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Choke = C:\choke.exe -blahhh
then displays two fake messages:
Choke
This program needs Flash 6.5 to run!

Run time error
Cannot run program!, Quiting
The worm also creates the C:\ABOUT.TXT file and writes the following text to it:
Choke , Copyright © 1886 all A MAD CHRISTIAN
---------------------------------------
Go talk swearwords about God
You all will die, stupid humans.
You fools didn't see what you have done
Bye slut, go talk shit about me.
(Call me a 'psychophatt', but I respect the Creator of life...)
' Consider your earth '
The worm then runs its spreading routine. That routine waits for an incoming message and replies with the text:
"President bush shooter is game that allows you to shoot Bush balzz" hahaha
and sends the victim a request to receive the worm EXE file. The EXE file name is randomly selected from three variants:
choke.exe
ShootPresidentBUSH.exe
%username%.exe
where %username% is the victim's name as visible on the MSN network.
If the incoming message starts with "hey!", the worm replies with statistics on the victims to which it has already sent infected messages:
PPL: %n
I got %n son of a bitches.
%username%, status = %n
Send to %n ppl
%username% (request sent)
%username% (accepted)
where %username% is the victim's name as visible on the MSN network, and %n are various numbers.
The worm also creates the "dalist.txt" file and writes to it the list of already infected users (the addresses to which the worm has already been sent). The worm checks that list and does not send its copies twice to the same address.
The worm also seems to send messages to %random%@pager.icq.com addresses with the text:
From: George.W.Bush@whitehouse.gov
Text: Micro$oft invites you to use MSN Messenger!

I-Worm.Cholera

Description I-Worm.Cholera

This is a virus-worm that spreads via the Internet and the local network. It appears as a "SETUP.EXE" file attached to an e-mail message with the subject "Okall"; the message body contains just a "smile":
:-)

The attached file itself is a Microsoft C++ executable about 40Kb in length. Most of the file is occupied by C++ run-time libraries and data; only about 7Kb of it is "pure" worm code.
The worm got its name from a text string in its code:
CH0LERA - Bacterium BioCoded by GriYo / 29A

This string, like the rest of the worm's data, is encrypted in the worm's body.
Installing into the system
When the worm is executed for the first time (run from an infected attachment), it obtains its own module name and installs itself into the Windows directory under the name RPCSRV.EXE. To force Windows to run this file upon the next reboot, the worm writes an additional "Run=" instruction to the WIN.INI file in the Windows directory (under Win9x), or modifies the corresponding key in the system registry (under WinNT).
To locate the Windows directory, the worm does not call the corresponding Windows functions; instead it scans all available local drives, looks for subdirectories named WINDOWS, WIN95, WIN98, WIN or WINNT, and then looks for a WIN.INI file in each such directory. If such a file is found, the worm installs itself into that directory.
As a result, the worm may create several copies of itself on the same computer and infect every Windows installation on it. If a multiboot loader is installed and several different Windows versions are present, this trick allows the worm to activate when any of the Windows copies starts up.
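The two persistence artifacts described on this page (Cholera's "Run=" line in WIN.INI and Choke's value under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run) can be checked for with a short triage script. The following is an added example, not code from Virus-Database.com or from either worm: it builds a constructed directory tree in a temporary folder, walks it the same way the text says Cholera locates Windows installations (a WINDOWS/WIN95/WIN98/WIN/WINNT directory that contains a WIN.INI), parses each WIN.INI for run=/load= entries naming RPCSRV.EXE, and checks a constructed snapshot of the Run key for a command naming CHOKE.EXE. The sample tree, the sample Run-key dictionary and the helper names are all assumptions made for the example.

```python
"""
Persistence-artifact triage for the two worms described on this page.
Added example (not from Virus-Database.com or the worms). Everything it
inspects is constructed inside a temp directory; no real system is touched.
"""
import os
import tempfile
from pathlib import Path

WINDOWS_DIR_NAMES = {"WINDOWS", "WIN95", "WIN98", "WIN", "WINNT"}
CHOLERA_IMAGE = "RPCSRV.EXE"   # file name Cholera installs under
CHOKE_IMAGE = "CHOKE.EXE"      # file name Choke registers in the Run key


def find_windows_dirs(root):
    """Mirror the worm's discovery logic: a Windows-like directory name plus a WIN.INI."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        name = os.path.basename(dirpath).upper()
        if name in WINDOWS_DIR_NAMES and "WIN.INI" in {f.upper() for f in filenames}:
            hits.append(dirpath)
    return sorted(hits)


def parse_win_ini_startup(text):
    """Return (key, value) pairs for run=/load= lines in the [windows] section only."""
    section = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "windows" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() in ("run", "load"):
                entries.append((key.strip().lower(), value.strip()))
    return entries


def cholera_findings(root):
    """Map each Windows directory to startup values that reference RPCSRV.EXE."""
    findings = {}
    for windir in find_windows_dirs(root):
        ini_text = Path(windir, "WIN.INI").read_text(errors="replace")
        bad = [v for _, v in parse_win_ini_startup(ini_text) if CHOLERA_IMAGE in v.upper()]
        if bad:
            findings[windir] = bad
    return findings


def choke_findings(run_key_values):
    """Return the names of Run-key values whose command line names CHOKE.EXE."""
    return [name for name, cmd in run_key_values.items() if CHOKE_IMAGE in cmd.upper()]


def build_sample_tree():
    """Constructed sample: two Windows installs, one carrying the Cholera Run= line."""
    root = tempfile.mkdtemp(prefix="winini-demo-")
    clean = Path(root, "C", "WINDOWS")
    clean.mkdir(parents=True)
    clean.joinpath("WIN.INI").write_text("[windows]\nload=\nrun=\n[Desktop]\nWallpaper=(None)\n")
    infected = Path(root, "D", "WIN98")
    infected.mkdir(parents=True)
    infected.joinpath("WIN.INI").write_text("[windows]\nload=\nrun=D:\\WIN98\\RPCSRV.EXE\n[fonts]\n")
    # Right name but no WIN.INI: the worm (and this check) ignores it.
    Path(root, "E", "WINNT").mkdir(parents=True)
    return root


# Constructed snapshot of HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SAMPLE_RUN_KEY = {
    "ctfmon.exe": "C:\\WINDOWS\\system32\\ctfmon.exe",
    "Choke": "C:\\choke.exe -blahhh",
}

if __name__ == "__main__":
    sample_root = build_sample_tree()
    for windir, cmds in cholera_findings(sample_root).items():
        print(f"Cholera persistence in {windir}: {cmds}")
    print("Choke Run-key values:", choke_findings(SAMPLE_RUN_KEY))
```

On a real Win9x host the same `parse_win_ini_startup` would be fed the contents of each discovered WIN.INI; the point of reusing the worm's own directory-discovery rule is that a check limited to %SystemRoot% would miss the extra Windows installations the text says Cholera also infects.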
To hide its activity, the worm displays the fake message:

Further spreading
Upon the next Windows start-up, the worm copy is activated by the Run command in the WIN.INI file. It takes control and registers itself in Windows memory as a hidden application (an invisible service), which also allows the worm to stay active when the user logs off. The worm then runs two more routines in addition to the installation one: the first spreads the worm through the local network, and the second sends infected e-mail messages. The installation routine remains active, so the worm can infect a new Windows copy if one appears on the computer. All the routines run as threads of the main process, so they do their work in parallel.
The first of the new routines spreads the worm copy through the network. It enumerates all network drives, scans them for Windows directories, copies the worm's RPCSRV.EXE file there and registers it in the WIN.INI file in the same remote directory. As a result, upon the next reboot the worm on the remote computer is activated and spreads itself further.
The second routine sends infected messages to Internet addresses. To send its copy, the worm uses the SMTP protocol over a direct connection, so its spreading does not depend on which e-mail application is used on the system.
Once every six seconds, this routine enumerates all active program windows and looks for Internet applications: Outlook, Cuteftp, Internet Explo, Telnet, Mirc. If any of these applications is active, the worm assumes the computer is connected to the Internet (this check is needed because of the direct SMTP connection the worm uses).
The worm then gets the SMTP server address and the user's e-mail address from system registry keys, builds a new message, attaches its copy under the SETUP.EXE name and sends it.
The Internet addresses to which the worm sends its copies are collected from files in the Windows directory and its subdirectories. The worm scans all files there, looks for files with the extensions .HTM, .TXT, .EML, .DBX, .MBX, .NCH and .IDX, and extracts e-mail-address-like strings from them. On each sending run it sends itself to no more than ten addresses.
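Because Cholera opens its own SMTP connections instead of going through the user's mail client, a workstation that normally never speaks SMTP starts contacting several mail servers on TCP port 25 within a short time. The following added example (not code from Virus-Database.com) shows a detection over connection logs: it parses a constructed, syslog-style log whose line format is an assumption, ignores the site's known mail relay, and reports any other host that reached at least three distinct port-25 destinations inside a ten-minute window. The log lines, the relay address and the thresholds are all constructed for the example.

```python
"""
Direct-SMTP egress detector over a constructed connection log.
Added example, not from Virus-Database.com; the log format is an assumption.
Line format: <ISO timestamp> conn src=<ip>:<port> dst=<ip>:<port> proto=<tcp|udp>
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"conn src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+) "
    r"proto=(?P<proto>\w+)$"
)

# The site's legitimate outbound mail relay (constructed); it is expected to use port 25.
ALLOWED_MAIL_SENDERS = {"10.0.0.25"}


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"ts": datetime.fromisoformat(d["ts"]), "src": d["src"],
            "dst": d["dst"], "dport": int(d["dport"]), "proto": d["proto"]}


def find_smtp_spreaders(lines, window=timedelta(minutes=10), min_destinations=3):
    """Return {src: set(dst)} for non-relay hosts that opened TCP/25 connections to
    at least min_destinations distinct hosts inside any sliding window."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["dport"] != 25:
            continue
        if rec["src"] in ALLOWED_MAIL_SENDERS:
            continue
        by_src[rec["src"]].append((rec["ts"], rec["dst"]))

    hits = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            dsts = {dst for _, dst in events[start:end + 1]}
            if len(dsts) >= min_destinations:
                hits[src] = hits.get(src, set()) | dsts
    return hits


# Constructed sample log: a relay doing its job, one workstation behaving like the
# worm's mailer, one workstation with a single port-25 connection, and unrelated HTTPS.
SAMPLE_LOG = [
    "2005-03-01T09:00:01 conn src=10.0.0.25:40001 dst=198.51.100.10:25 proto=tcp",
    "2005-03-01T09:00:02 conn src=10.0.0.25:40002 dst=198.51.100.11:25 proto=tcp",
    "2005-03-01T09:00:03 conn src=10.0.0.25:40003 dst=198.51.100.12:25 proto=tcp",
    "2005-03-01T09:01:10 conn src=10.0.1.7:1031 dst=203.0.113.5:25 proto=tcp",
    "2005-03-01T09:01:12 conn src=10.0.1.7:1032 dst=203.0.113.9:25 proto=tcp",
    "2005-03-01T09:01:15 conn src=10.0.1.7:1033 dst=198.51.100.77:25 proto=tcp",
    "2005-03-01T09:02:40 conn src=10.0.1.7:1034 dst=192.0.2.33:25 proto=tcp",
    "2005-03-01T09:03:00 conn src=10.0.1.9:1050 dst=203.0.113.5:25 proto=tcp",
    "2005-03-01T09:03:05 conn src=10.0.1.10:1060 dst=192.0.2.40:443 proto=tcp",
    "this line is noise and must be skipped",
]

if __name__ == "__main__":
    for src, dsts in find_smtp_spreaders(SAMPLE_LOG).items():
        print(f"{src} opened SMTP to {len(dsts)} distinct hosts: {sorted(dsts)}")
```

The window and threshold are tuning knobs: the text says each sending run of the worm targets up to ten addresses, so even a low distinct-destination threshold separates it from a user whose client submits mail to one configured server.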

Copyright © 2005 Virus-Database.com