Virus Database


Flowers.1688

Description Flowers.1688

This is a very dangerous memory-resident parasitic virus. It hooks INT 21h and writes itself to the end of .COM and .EXE files as they are executed. Before infecting a file it also infects C:\COMMAND.COM. On the 1st of any month at 3:30 am the virus erases CMOS memory and disk sectors. The virus contains the text strings:
GOLDEN FLOWERS!
VEGERATABLES!
PLEASE REMEMBER239
C:\COMMAND.COM
SAE7


Ignorance

Description Ignorance

This is a harmless memory-resident multipartite encrypted virus. When loaded from an infected floppy boot sector or hard drive MBR it hooks INT 13h, waits for DOS to load, and then hooks INT 21h. When an infected file is executed the virus infects the MBR of the hard drive and then hooks INT 13h and INT 21h. Through the INT 13h hook it implements a stealth routine for reads of the infected MBR and infects floppy boot sectors; through the INT 21h hook it writes itself to the end of COM, EXE and SYS files as they are accessed. The virus contains the text strings:
Ignorance is Strength
Freedom is Slavery
War is Peace
COMEXEBINOVLSYSSCCLVSF-
[1984] bY [TäLöN< >NûK_] '93! THiS iZ iNFeCTi0N #00000032!
Greetz RS/NuKE!

where "#00000032" is the virus generation number, which may differ between infected files and sectors. "COMEXEBINOVLSYS" is the list of file name extensions the virus regards as infectable (three bytes per extension), and "SCCLVSF-" is the list of anti-virus program names it recognises (two bytes per name: SCAN.EXE, CLEAN.EXE, etc.). While one of these programs is being executed the virus disables some branches of its semi-stealth routine.
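The following is an added example, not code from the virus or from this page, showing how the two packed string tables quoted above are consulted. The field widths (three bytes per extension, two bytes per anti-virus name) are taken from the description; the lookup functions and the file names used to exercise them are this example's own. It also shows the side effect of a two-byte match: any program whose name starts with one of the prefixes, not only the anti-virus tools the author had in mind, takes the "hide" branch.

```python
import ntpath

# Tables exactly as they appear in the infected file (from the description above).
EXT_TABLE = "COMEXEBINOVLSYS"   # five 3-byte extension entries
AV_TABLE = "SCCLVSF-"           # four 2-byte anti-virus name prefixes


def unpack(table: str, width: int) -> list[str]:
    """Split a fixed-width packed string table into its entries."""
    if len(table) % width:
        raise ValueError(f"table length {len(table)} is not a multiple of {width}")
    return [table[i:i + width] for i in range(0, len(table), width)]


def is_infectable(filename: str) -> bool:
    """True if the file's extension is one of the 3-byte table entries."""
    _, dot, ext = filename.upper().rpartition(".")
    return bool(dot) and ext in unpack(EXT_TABLE, 3)


def is_av_tool(filename: str) -> bool:
    """True if the first two bytes of the base name match a 2-byte table entry.
    Only two bytes are compared, so SCANDISK.EXE matches the same way SCAN.EXE does."""
    base = ntpath.basename(filename.upper())
    base = base.rpartition(".")[0] if "." in base else base
    return base[:2] in unpack(AV_TABLE, 2)


def on_file_access(filename: str) -> dict:
    """Decision the hooked INT 21h would make for a file being accessed
    (hypothetical helper): whether to append to it, and whether to switch
    off the semi-stealth branches because an anti-virus program is running."""
    return {"infect": is_infectable(filename), "stealth_off": is_av_tool(filename)}


if __name__ == "__main__":
    for name in [r"C:\DOS\EDIT.COM", "HIMEM.SYS", "README.TXT",
                 r"C:\AV\SCAN.EXE", "F-PROT.EXE", "SCANDISK.EXE", "COMMAND.COM"]:
        print(f"{name:20} {on_file_access(name)}")
```

The extension table holds five entries although the description says the virus appends itself only to COM, EXE and SYS files; the example reproduces the table as quoted and leaves that discrepancy as the page states it.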

IIS-Worm.BlueCode

Description IIS-Worm.BlueCode

This is an Internet worm that targets web sites by infecting Internet Information Servers (IIS). It spreads from one web site to another by sending its EXE file to the next server and executing it there.
The names of the worm's files are constant: SVCHOST.EXE and HTTPEXT.DLL. The EXE file is a Win32 application (PE EXE) about 29 KB long, written in Microsoft C++. A compressed variant about 14 KB long has also been found. The DLL file is about 47 KB long and is also written in Microsoft C++.
Note that the worm uses standard Win32 file names: SVCHOST.EXE and HTTPEXT.DLL both exist in a standard Windows 2000 installation in the SYSTEM32 folder. The worm's copies sit in the root of drive C:, not in SYSTEM32.
The worm infects only machines that have the IIS package and web site content installed. When run on such a machine, it locates and infects remote web sites (remote machines running IIS): it reaches them through a Web Directory Traversal exploit, sends its copy there and spawns that copy. As a result the worm infects every vulnerable web server reachable from the currently infected machine, each newly infected server spreads the worm further, and so on.
The worm has a payload routine that, from 10:00 am until 11:00 am global time, performs a Denial of Service (DoS) attack on the http://www.nsfocus.com web server.
Installing
The worm creates its copies (EXE and DLL) in the root of drive C: as C:\SVCHOST.EXE and C:\HTTPEXT.DLL. The EXE file is then registered in the Registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Domain Manager = C:\svchost.exe
The worm then creates and spawns a C:\D.VBS script file, looks for the INETINFO.EXE process and terminates it if it is running. The VBS script also searches for the Indexing Service, Indexing Query and printer mappings and removes them.
The effect is that the worm closes the holes that other worms have used (or could use) to infect the machine, and that attackers use to get past the web server's protections, so that the machine is not re-infected by competitors.
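The installation artefacts listed above (the Run value, the three files dropped into the root of C:) are what an incident responder would check for on a suspect IIS host. The check below is an added example, not code from the page or from the worm. It reads a .reg-style export of the Run key and a directory listing of the drive root; both inputs are constructed in-line so that the check runs offline, and the "Synchronization Manager" value is a made-up benign entry used as a negative case. The point of the path test is that svchost.exe is a legitimate name: a copy launched from C:\ rather than from %SystemRoot%\System32 is the indicator, not the file name itself.

```python
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
DROPPED_FILES = {"svchost.exe", "httpext.dll", "d.vbs"}   # names given in the description

# Constructed .reg-style export of the Run key: one benign value plus the
# worm's "Domain Manager" value. A .reg file doubles backslashes in data.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"Domain Manager"="C:\\svchost.exe"
"""

# Constructed listing of the root of C: on an infected host.
SAMPLE_ROOT_LISTING = ["AUTOEXEC.BAT", "boot.ini", "Inetpub", "SVCHOST.EXE",
                       "HTTPEXT.DLL", "D.VBS", "WINNT"]


def parse_run_values(reg_text):
    """Return {value name: command line} for the Run key in a .reg export."""
    values, in_key = {}, False
    for line in reg_text.splitlines():
        if line.startswith("["):
            in_key = line.strip("[]").lower() == RUN_KEY.lower()
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if in_key and m:
            values[m.group(1)] = m.group(2).replace("\\\\", "\\")   # undo .reg escaping
    return values


def root_launched_values(values):
    """Autostart entries whose program sits directly in a drive root.
    The genuine svchost.exe lives under the system directory; the worm
    registers C:\\svchost.exe, so the directory is the discriminator."""
    hits = []
    for name, cmd in values.items():
        parts = cmd.split()
        if not parts:
            continue
        exe = parts[0].strip('"')
        if re.fullmatch(r"[A-Za-z]:\\[^\\]+\.exe", exe, re.IGNORECASE):
            hits.append((name, exe))
    return hits


def dropped_files_present(listing):
    """Which of the worm's dropped file names appear in the drive-root listing."""
    return sorted(f for f in listing if f.lower() in DROPPED_FILES)


def assess(reg_text, listing):
    """Combine both indicators into a verdict (hypothetical thresholds)."""
    run_hits = root_launched_values(parse_run_values(reg_text))
    files = dropped_files_present(listing)
    if run_hits and files:
        verdict = "infected"
    elif run_hits or files:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "run_hits": run_hits, "dropped_files": files}


if __name__ == "__main__":
    print(assess(SAMPLE_REG_EXPORT, SAMPLE_ROOT_LISTING))
```

On a live Windows 2000 host the same inputs come from `reg export` of the Run key and a listing of C:\; the parser expects the quoted `"name"="data"` form that `reg export` writes for string values.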
Spreading
To spread further, the worm runs 100 threads that scan randomly selected IP addresses and attack them.
In half of the cases the attacked machine is in the same network: the target address is aa.bb.??.??, where aa.bb are the first two octets of the infected machine's own IP address and ?? are random.
In the other half the attacked address is entirely random.
To attack a victim machine, the worm uses the Web Directory Traversal exploit three times:
it tries to determine the IIS directory on the remote machine,
then sends a request that makes the remote machine download the worm's DLL component (the HTTPEXT.DLL file) from the infected one,
and the last request copies that DLL file to the root of drive C:.
To upload the DLL to the victim, the worm uses a "tftp" command: it starts a temporary TFTP server on the infected (current) machine, which serves the "get" request issued from the victim (remote) machine.
Once the DLL is on the victim machine it is activated by a trick. The worm copy then starts on the remote server, drops and executes the EXE component, and that copy spreads the worm further.
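The scanning pattern (many distinct web-server targets, about half of them inside the scanner's own aa.bb.0.0/16) and the TFTP transfer (victims pulling HTTPEXT.DLL back from the infected host's temporary server) are both visible from the network. The example below is added here and is not code from the page or from the worm; it models the target choice as the description gives it and flags hosts in a set of flow records that show both signals. Two assumptions are made that the page does not state: the IIS attack goes to tcp/80 and the TFTP transfer to udp/69. The flow records are constructed in-line and carry no timestamps, so "subsequently" is not checked.

```python
import ipaddress
import random
from collections import defaultdict


def pick_target(src_ip, rng):
    """Target choice as the description gives it: half the time aa.bb.x.y
    inside the source's own /16, otherwise a fully random address."""
    a, b, _, _ = map(int, src_ip.split("."))
    if rng.random() < 0.5:
        return f"{a}.{b}.{rng.randrange(256)}.{rng.randrange(256)}"
    return ".".join(str(rng.randrange(1, 255)) for _ in range(4))


def scanner_candidates(flows, min_targets=50, min_local_share=0.3):
    """flows: iterable of (src, dst, proto, dport).
    Returns {src: (distinct_targets, local_share)} for sources that reached
    at least min_targets distinct tcp/80 destinations with at least
    min_local_share of them inside the source's own /16 (assumed port and
    thresholds)."""
    targets = defaultdict(set)
    for src, dst, proto, dport in flows:
        if proto == "tcp" and dport == 80:
            targets[src].add(dst)
    hits = {}
    for src, dsts in targets.items():
        if len(dsts) < min_targets:
            continue
        net16 = ipaddress.ip_network(f"{src}/16", strict=False)
        share = sum(ipaddress.ip_address(d) in net16 for d in dsts) / len(dsts)
        if share >= min_local_share:
            hits[src] = (len(dsts), share)
    return hits


def tftp_pulls_from(flows, host):
    """Addresses that `host` scanned on tcp/80 and that opened udp/69 to it:
    the victim-side "get" of HTTPEXT.DLL from the worm's temporary TFTP server."""
    scanned = {d for s, d, p, dp in flows if s == host and p == "tcp" and dp == 80}
    return sorted({s for s, d, p, dp in flows
                   if d == host and p == "udp" and dp == 69 and s in scanned})


def constructed_flows(seed=7):
    """Constructed sample: one spreading host, two victims, one workstation."""
    rng = random.Random(seed)
    worm, victims = "10.20.30.40", ["10.20.77.5", "198.51.100.23"]
    flows = [(worm, pick_target(worm, rng), "tcp", 80) for _ in range(300)]
    flows += [(worm, v, "tcp", 80) for v in victims]
    flows += [(v, worm, "udp", 69) for v in victims]         # victims fetch the DLL
    flows += [("10.20.0.9", "10.20.1.5", "tcp", 80),         # ordinary browsing
              ("10.20.0.9", "93.184.216.34", "tcp", 80),
              ("10.20.0.9", worm, "udp", 69)]                 # TFTP from an unscanned host: ignored
    return flows


def report(flows):
    """Per flagged scanner: target count, local share and confirmed TFTP pulls."""
    return {src: {"targets": n, "local_share": round(share, 2),
                  "tftp_pulls": tftp_pulls_from(flows, src)}
            for src, (n, share) in scanner_candidates(flows).items()}


if __name__ == "__main__":
    print(report(constructed_flows()))
```

A host that scores on the scanning heuristic alone may be a vulnerability scanner or a crawler; the udp/69 pulls from addresses it has just probed are the part that ties the traffic to this worm's upload step.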

Copyright © 2005 Virus-Database.com