Virus Database


FatherVirus.456

Description FatherVirus.456

It is a non-dangerous memory-resident parasitic virus. It copies itself into the DOS data area at address 0000:0538, hooks INT 21h and writes itself to the end of COM files as they are executed. On December 24th it displays the message:
+---------------------------------+
|  Merry Xmas & a Happy New Year |
| from Father Virus!              |
+---------------------------------+
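The two behaviours the entry describes (a fixed greeting text carried in the virus body, and a parasitic appender that grows every host it touches) are what a file scanner for this family would key on. The following is an added example, not code from the database entry. It assumes that the quoted greeting is stored as plain ASCII in the appended code, and it reads the 456 in the name FatherVirus.456 as the appended length, which is a naming convention rather than a fact the entry states; the sample COM images and the size baseline are constructed.

```python
"""Heuristic checks for FatherVirus.456-style infection of .COM files.

Added example, not code from the original database entry. Two signals:
1. The greeting text quoted in the description, assumed here to be stored
   as plain ASCII inside the appended virus code.
2. Size growth: a parasitic appender adds its own length to each host it
   infects. The 456 in the database name is read as that length (assumption).
"""
import os
from typing import Dict, List, Optional

MARKER = b"from Father Virus!"   # fragment of the 24 December message
APPEND_LENGTH = 456              # assumed virus body length (from the name)

# Constructed sample images, not real files.
CLEAN_COM = b"\xb8\x00\x4c\xcd\x21" + b"\x90" * 27            # tiny clean stub
INFECTED_COM = CLEAN_COM + b"\xe9" + b"\x00" * 100 + MARKER + b"\xcd\x21" * 20


def com_findings(image: bytes, baseline_size: Optional[int] = None) -> Dict[str, object]:
    """Return the indicators found in one COM image."""
    offset = image.find(MARKER)
    grew_by_virus_length = (
        baseline_size is not None and len(image) - baseline_size == APPEND_LENGTH
    )
    return {
        "marker_found": offset != -1,
        "marker_offset": offset,
        "size": len(image),
        "grew_by_virus_length": grew_by_virus_length,
    }


def is_suspicious(findings: Dict[str, object]) -> bool:
    """Either indicator is enough to put the file on the review list."""
    return bool(findings["marker_found"] or findings["grew_by_virus_length"])


def scan_images(images: Dict[str, bytes], baseline: Dict[str, int]) -> List[str]:
    """Flag COM images showing either indicator; baseline maps name -> known-good size."""
    flagged = []
    for name, image in images.items():
        if is_suspicious(com_findings(image, baseline.get(name))):
            flagged.append(name)
    return sorted(flagged)


def scan_directory(path: str, baseline: Dict[str, int]) -> List[str]:
    """Same check over real .COM files on disk (walks the tree)."""
    images: Dict[str, bytes] = {}
    for root, _, files in os.walk(path):
        for fn in files:
            if fn.lower().endswith(".com"):
                full = os.path.join(root, fn)
                with open(full, "rb") as fh:
                    images[full] = fh.read()
    return scan_images(images, baseline)


if __name__ == "__main__":
    demo = {
        "CLEAN.COM": CLEAN_COM,
        "INFECTED.COM": INFECTED_COM,
        "GROWN.COM": CLEAN_COM + b"\x00" * APPEND_LENGTH,
    }
    sizes = {"CLEAN.COM": len(CLEAN_COM), "GROWN.COM": len(CLEAN_COM)}
    print(scan_images(demo, sizes))   # ['GROWN.COM', 'INFECTED.COM']
```

The size baseline is the more robust of the two signals: a string match breaks as soon as a variant encodes its message, while a parasitic appender cannot avoid changing the host's length, so recording sizes (or hashes) of COM files before an incident is what makes the check useful afterwards.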


Backdoor.Antilam.gen

Description Backdoor.Antilam.gen

Antilam is a family of remote administration trojan programs. The backdoor code allows remote users to control victim computers over a local network or the Internet. Most of the features are configured by the hacker(s) exploiting Antilam by using a special server editor program. There is also a special client program that provides a user-friendly graphical interface for connecting to the trojan program and for sending remote administration commands. The main trojan application is written in Delphi and compressed with the UPX compression utility. Antilam's size varies depending on the specific version.
Usually, the trojan copies itself to the root directory or to one of the Windows directory subdirectories, where it proceeds to establish the ability to be executed automatically when Windows is started.
The remote administration commands allow Antilam to perform the following actions on victim computers:
- shut down or remove the trojan program
- gather system and owner information
- load and eject CD-ROM contents
- "mess" with the Windows Desktop contents
- turn off or speed up the mouse movement
- show user-defined messages
- manage open windows
- restart or shut down the computer
- change the system date
- turn off the keyboard
- manage files on victim computer disks
- gain full access to the system registry
- change screen resolution
- save any information that is typed by the victim
- print user-defined texts
- change Windows color schemes
- manage dial-up connections
- manage the remote clipboard
- chat with other hackers that are connected to the victim computer

Backdoor.BO.a

Description Backdoor.BO.a

This Trojan (also known as Back Orifice Trojan) is a network-administration utility that allows for the controlling of computers on the network. "'Back Orifice' is a remote administration system, which allows a user to control a computer across a tcpip connection using a simple console or gui application. On a local line or across the internet, BO gives its user more control of the remote Windows machine than the person at the keyboard of the remote machine has," reads the advertising banner on a distribution Web-site.
The only feature classifying this utility as malicious Trojan software is the silent installation and execution. When this program is run, it installs itself into the system and then monitors it without any requests or messages. If you already have it installed on your computer, you cannot find this application in the task list. The Trojan also does not indicate its activity in any way.
The Trojan is distributed in a package of several programs and documentation. All programs in the package were written in C++ and compiled with the Microsoft Visual C++ compiler. The date stamps on the EXE files we have show that all files in the package were compiled between the end of July and the first week of August 1998. All programs in the package are in Portable Executable format and run under Win32 only.
The main executable in a package is the BOSERVE.EXE file that might be found with different names on an infected computer. This is the Trojan itself. It is the "server" part of the Trojan that might be summoned by clients from a remote computer.
The second file is the BOCONFIG.EXE utility that can configure the server as well as attach it to other executable files in the same style as viruses do. While attaching (infecting), the host file is moved down and the Trojan code is placed at the top of file. When "infected" files are run, the Trojan extracts the original file image and spawns it without any side effects.
There are two "client" parts of the Trojan (console and window), and they operate with the "server" from a remote computer. Two other executable files in a package are used by the Trojan while compressing/decompressing files on the "server".
When the Trojan is executed on the computer, it first determines its status: whether it is the original Trojan code or is attached to a host file, i.e. modified by the BOCONFIG.EXE utility. In the latter case, the Trojan locates the customized options in the host file and reads them.
The Trojan then initializes Windows sockets, creates the WINDLL.DLL file in the Windows system directory (this file is stored as a resource in the Trojan), obtains several KERNEL32.DLL API addresses for later use, searches for an already running Trojan process and terminates it (upgrading the Trojan process), copies itself to the Windows system directory and registers this copy in the system registry as an auto-run service:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
It then creates a TCP/IP datagram socket, assigns port number 31337 (by default) to this socket and opens this port for listening. The Trojan then runs a standard Windows DispatchMessage loop, i.e. it stays in Windows memory as a hidden process (it has no active window and is not visible in the task manager).
The main Trojan routine then listens for commands from the remote client. The commands travel in encrypted form and start with the "*!*QWTY?" (without " characters) ID-string.
Depending on the command, the Trojan is able to perform a set of actions:
- obtain and send the computer name, user name and system info: processor type, memory size, Windows OS version, installed drives and free space on them;
- share selected drives;
- list disk contents or search for a specific file;
- send/receive files (read and write them), as well as delete, copy, rename and run them (including updating itself);
- create/delete directories;
- compress/decompress files;
- log off the current user;
- halt the computer;
- enumerate and send active processes;
- enumerate and connect to network resources;
- terminate a selected process;
- obtain and send cached passwords (passwords that were used during the current session), then look for the ScreenSaver password (decrypt and send them);
- display message boxes;
- access the system registry;
- open and redirect other TCP/IP sockets;
- support HTTP protocols and emulate a Web server, so one may access the Trojan with a Web browser;
- play sound files;
- hook, store and send keyboard input while the user is logging in (see below).
While installing into the system, the Trojan creates the WINDLL.DLL file (it keeps this file image in its resources). When needed, the Trojan loads this DLL into memory and initializes it; the DLL then hooks keyboard and console (device console) input and stores the hooked data in the BOFILEMAPPINGKEY and BOFILEMAPPINGCON files, which are then available to the main Trojan routine.
The Trojan can also expand its abilities by using plug-ins. They can be sent to the "server" and installed as the Trojan's plug-in. The features and main functions (including possible malicious ones) are at its author's discretion.
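Two details in the entry are directly usable by a defender: every client command opens with the plain-text ID string "*!*QWTY?" (only the body is encrypted) on a datagram socket whose default port is 31337, and the server persists by registering a copy of itself under the RunServices key. The code below is an added example, not part of the database entry or the Back Orifice package. It classifies captured UDP datagrams by those two signals and parses a .reg-format export of the RunServices key to list every value not on an allowlist for triage; the datagrams, the export and the entry names in it are constructed for the example, and the port-only check is deliberately reported as weak because the entry says the port is only the default.

```python
"""Defender-side checks for the Back Orifice indicators described above.

Added example, not part of the original entry. Two checks:
- Network: commands start with the ID string "*!*QWTY?" (sent in clear;
  only the body is encrypted); the default listening port is 31337, but the
  port is configurable, so a port hit alone is a weak signal.
- Persistence: the server copies itself to the Windows system directory and
  registers the copy under RunServices. A .reg export of that key is parsed
  and every value not on an allowlist is returned for review.
The sample datagrams and the sample export are constructed for this example.
"""
import re
from typing import Dict, List, Set, Tuple

BO_MAGIC = b"*!*QWTY?"
BO_DEFAULT_PORT = 31337
RUNSERVICES_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices"


def classify_udp_payload(src_port: int, dst_port: int, payload: bytes) -> str:
    """'bo-magic' (ID string present), 'bo-port-only' (default port, no ID string) or 'clean'."""
    if payload.startswith(BO_MAGIC):
        return "bo-magic"
    if BO_DEFAULT_PORT in (src_port, dst_port):
        return "bo-port-only"
    return "clean"


# Constructed .reg export; the value names and paths are made up for the example.
SAMPLE_REG_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"PowerProfile"="RUNDLL32.EXE POWRPROF.DLL,LoadCurrentPwrScheme"
"Scheduler"="tasksched.exe"
"SysUpdate"="C:\\WINDOWS\\SYSTEM\\sysupd.exe"
"""

_VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for the [key] / "name"="value" layout of a .reg export."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            value = m.group(2).strip()
            if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
                # .reg string values escape backslashes and quotes with a backslash
                value = value[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            keys[current][m.group(1)] = value
    return keys


def unknown_runservices(keys: Dict[str, Dict[str, str]], allowlist: Set[str]) -> List[Tuple[str, str]]:
    """RunServices values whose name is not allowlisted: the triage list."""
    entries = keys.get(RUNSERVICES_KEY, {})
    return sorted((n, v) for n, v in entries.items() if n not in allowlist)


if __name__ == "__main__":
    # Constructed datagrams: (src_port, dst_port, payload)
    for pkt in [(1025, BO_DEFAULT_PORT, BO_MAGIC + b"\x00" * 8),
                (BO_DEFAULT_PORT, 2049, b"\x00\x01"),
                (53, 1026, b"abc")]:
        print(pkt[:2], classify_udp_payload(*pkt))
    reg = parse_reg_export(SAMPLE_REG_EXPORT)
    print(unknown_runservices(reg, {"PowerProfile", "Scheduler"}))
```

The allowlist approach matches how autoruns are triaged in practice: because the entry says the server "might be found with different names", there is no filename to match on, so anything under RunServices that the administrator did not put there is what gets inspected, with the ID string on the wire as the confirming signal.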

Copyright © 2005 Virus-Database.com