Foo.956
Description Foo.956
This is a non-dangerous, non-memory-resident, encrypted parasitic virus. It searches for COM files in the current and parent directories, then in the C:\WINDOWS directory, and infects no more than three of the files found. When infecting a file, the virus writes itself to the end of the file. The virus takes into account the internal self-checking ability of Windows32 and fixes the necessary date (the "ENUNS" field at the end of Windows COM files) while infecting them. The virus uses anti-debugging tricks. On the 29th of any month it displays the following message and halts the computer:

--FOO VIRUS-- WE'RE ALL STARS NOW, IN THE DOPESHOW MADE IN THE UK, WE EXIST..
I-Worm.Naver
Description I-Worm.Naver
This is an e-mail worm that spreads by using MS Outlook. The worm itself is a Win32 executable file about 50K in length, written in Visual Basic. When the worm is run, it displays a dialog box:

Windows Secirity Upgrade
This is an upgrade for Microsoft Windows 9x/Me/NT/2000 to solve some protocol TCP/IP problems and for SSL (Secure Sockets Layer) secure system exploration.
Do you want to install the upgrade now?
[ OK ] [ Cancel ]

On "OK" the worm displays the message:

Upgrade Upgrade completed, thank you

Then, as well as on a "Cancel" click, the worm installs itself to the system. It copies itself to the Windows directory with the WINSYS.EXE name and to the Windows system directory with the WINSYS.EXE name. The latter file is then registered in the Registry auto-run section:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
WLWin = %windir%\WINSYS.EXE

The worm also creates an additional registry key that indicates that the system is already infected:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
WLKey = 1

The worm also creates a NAVER.TXT file in the Windows system directory and writes to it a text that is then used in the body of infected messages (see below). The worm then connects to the MS Outlook address book, gets e-mail addresses from there and sends itself attached to e-mails:

Subject: Re: Windows Upgrade
Body: Use this patch!!, goodbye
>
> From: "Micosoft upgrades"
> To: "Windows users"
> Subject: Upgrade
> Date: Mon, 11 Jun 2001 11:02:34 +0200
>
> Microsoft programs bugs that are costantly found, are immediately often solved by little
> patches, that are regulary pubblished on the official site, but despite this only few
> users use this patches. Because of this a lot of users consider Microsoft systems
> unsecure, you can solve all the problems at base, upgrading costantly the system,
> because of this Microsoftî decided to exploit FAQ mail to reach the majority of users.
> By FAQ mail you have recived it, that contain the first upgrade, naver.exe file
> (Upgrade 11 Jun 2001), an upgrade that is used for increase security of Windows system
> protocol TCP/IP problems and for SSL (Secure Sockets Layer) secure system exploration.
> For a correct operation copy naver.exe in c: and run it
>
> Foward this mail at your friends with the relative attachment or if you don't want to
> receive any other upgrades send an empty mail to deletelist@microsoft.com with subject
> "Delete from database".
>
> We thank in advance all the users that will agree the project.
>
> Answerable Microsoftî Upgrades John Milton
> http://www.microsoft.com/security/
>
Attachment: NAVER.EXE

In some cases (depending on the current date?) the worm removes its registry keys, deletes its files and displays the message:

VIRUS !!!!!!!!!!! Virus Eclisse has infected Don't try to close the counter before zero otherwise it will be restarted, the system will be released only when the countdown counts zero.
Now you are able to use your computer, this Virus automatically delete itself, byez. ( Translation by M_O_R_B_O )
I-Worm.Navidad
Description I-Worm.Navidad
This is an Internet worm that spreads by e-mail using MAPI Outlook. The worm itself is a Windows EXE file about 32K in length. It is attached to e-mails with the NAVIDAD.EXE name. When the worm is activated, it copies itself to the Windows system directory with the WINSVRC.VXD name and registers itself in the system. While registering, the worm uses a false name, WINSVRC.EXE, instead of WINSVRC.VXD ("EXE" instead of "VXD"), so the worm's "VXD" copy is not functional at this time.

While registering in the system, the worm modifies two registry keys:

SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Win32BaseServiceMOD = %SystemDir%\winsvrc.exe

and

HKEY_CLASSES_ROOT\exefile\shell\open\command
{Default} = %SystemDir%\winsvrc.exe %1 %*

where %SystemDir% is the Windows system directory name (for example, C:\WINDOWS\SYSTEM). The worm also creates an empty key:

HKEY_CURRENT_USER\Software\Navidad

Because of the "EXE-VXD" bug, the affected system becomes non-functional; no EXE file can be run because of the invalid "exefile\shell\open\command" key, and Windows displays a standard error message:

Windows cannot find WINSVRC.VXD This application is needed for opening files of the "Application" type.

The REGEDIT.EXE utility (needed to recover the registry) cannot be executed either. On affected machines, REGEDIT.EXE should be renamed to REGEDIT.COM (with the help of Explorer, for example) and then run. The HKEY_CLASSES_ROOT\exefile\shell\open\command key should then be set to:

"%1" %*

When run, the worm also displays a message box. The worm also creates a "blue-eye" icon in the system tray. When the icon is clicked, the worm displays a message and then one more message.

MORE WORM VARIANTS

There are more "Navidad" versions known. They are just patched copies of the original version: the code (program) is the same, but the text strings are replaced with new ones.

"Emanuel" version:
the attached file name is EMANUEL.EXE
it copies itself to the Windows system directory with the WINTASK.EXE name
it registers itself in the registry by the keys:

SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Win32BaseServiceMOD = %SystemDir%\wintask.exe

HKEY_CLASSES_ROOT\exefile\shell\open\command
{Default} = %SystemDir%\wintask.exe %1 %*

it creates an empty key HKEY_CURRENT_USER\Software\Emanuel
when run, it displays a message box

"XMas" version:
the attached file name is XXXXMas.exe
it copies itself to the Windows system directory with the WINFILE.VXD name
it registers itself in the registry by the keys:

SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Win32BaseServiceMOD = %SystemDir%\winfile.exe

HKEY_CLASSES_ROOT\exefile\shell\open\command
{Default} = %SystemDir%\winfile.exe %1 %*

it creates an empty key HKEY_CURRENT_USER\Software\Xxxxmas
when run, it displays a message box
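The registry indicators listed in the I-Worm.Naver and I-Worm.Navidad entries above can be checked offline against a REGEDIT4 export of a suspect machine. The following is an added example, not part of the original descriptions; the function names, finding labels and the sample export are constructed for illustration.

```python
import re
# Indicators copied from the entries on this page, lower-cased for comparison.
RUN_VALUES = {"wlwin": {"winsys.exe"},  # I-Worm.Naver
              "win32baseservicemod": {"winsvrc.exe", "wintask.exe", "winfile.exe"}}  # Navidad family
MARKER_KEYS = {"hkey_current_user\\software\\" + n for n in ("navidad", "emanuel", "xxxxmas")}
EXEFILE_KEY = "hkey_classes_root\\exefile\\shell\\open\\command"
CLEAN_EXEFILE = '"%1" %*'  # the value the page says to restore
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def _unquote(s):
    """Strip surrounding quotes and undo .reg backslash escaping."""
    quoted = len(s) >= 2 and s[0] == s[-1] == '"'
    return re.sub(r"\\(.)", r"\1", s[1:-1]) if quoted else s

def parse_reg(text):
    """Parse REGEDIT4 export text into {key: {value_name: data}}, keys and names lower-cased."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            current[_unquote(m.group(1)).lower()] = _unquote(m.group(2))
    return keys

def scan(text):
    """Return (finding, key, data) tuples for the indicators described on this page."""
    hits = []
    for key, values in parse_reg(text).items():
        if key.endswith("\\currentversion\\run"):
            for name, data in values.items():
                if data.rsplit("\\", 1)[-1].lower() in RUN_VALUES.get(name, ()):
                    hits.append(("run-entry", key, data))
        if key.endswith("\\currentversion") and "wlkey" in values:
            hits.append(("naver-marker", key, values["wlkey"]))
        if key == EXEFILE_KEY and values.get("@", CLEAN_EXEFILE) != CLEAN_EXEFILE:
            hits.append(("exefile-hijack", key, values["@"]))
        if key in MARKER_KEYS:
            hits.append(("navidad-marker", key, ""))
    return hits

# Constructed sample export of a machine showing the Navidad indicators.
SAMPLE = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Win32BaseServiceMOD"="C:\\WINDOWS\\SYSTEM\\winsvrc.exe"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\winsvrc.exe %1 %*"
[HKEY_CURRENT_USER\Software\Navidad]
'''
```

Calling scan(SAMPLE) reports the auto-run entry, the hijacked exefile handler and the Navidad marker key; an export in which the exefile command is already "%1" %* produces no exefile finding.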