AMD.3948
Description AMD.3948
This is a benign memory-resident parasitic virus. It hooks INT 21h and writes itself to the end of COM and EXE files that are executed. The virus also stores the names of files when they are opened or created, and then infects them when they are closed. Depending on its internal counters, the virus manifests itself by using Novell NetWare protocols (if Novell NetWare is installed on the network): it sends messages to all users of the network. The virus sends the message "Windows 95 Must Die !!!" to the network and displays a text banner drawn with "X" characters.
Exploit.Linux.SSHD22
Description Exploit.Linux.SSHD22
Under the SSHD22 name KAV detects a couple of tools widely used on the Internet by hackers to compromise systems vulnerable to the security flaw known as the "SSH CRC-32 compensation attack". Initially reported in October 2001 (for details, see CERT advisory 2001-35 at http://www.cert.org/advisories/CA-2001-35.html), this form of attack is still one of the most prevalent forms of exploits used on the Internet. Given the high level of compromise from this exploit, it is recommended to update every vulnerable version (for a version list, check the CERT advisory) to the latest release.

Technical details: Multiple versions of this tool are known, but most of them share the same base code that performs the attack. An interesting detail: the specific offsets and addresses needed to exploit the various SSH versions are stored in an external file to which additional data can be added. A special tool which can be used to extract the specific exploit offsets is also included in the distribution of the attack kit, making it relatively easy to increase the target base of the exploit.

Some versions of the tool are encrypted with passwords, possibly to prevent misuse. When run, they require the user to first enter a password (for instance, the so-called "x2" variant). After a correct password is provided, the tool presents the user with a list of options, of which the most important one is the vulnerable version to try: the exploitation tool is unable to determine for itself the version of the vulnerable SSH daemon running on the remote machine. After the address of the remote machine and the version to exploit are provided, the tool connects to the SSH daemon and initiates a session login attempt.

During the attack it's common for the SSH daemon to crash or stall, leaving messages of the following form in "/var/log/messages":

sshd[14211]: Disconnecting: Corrupted check bytes on input.
sshd[14230]: Disconnecting: crc32 compensation attack: network attack detected

As a successful attack with this tool is usually followed by the installation of a rootkit or backdoor, it's important to perform a full scan of the system after a compromise has been detected and, if available, to check the integrity of the system binaries, which might have been replaced with trojanized versions.
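The log check described above, as an added example (not code from the original page or from KAV): a Python scan of syslog lines for the two sshd messages quoted in the description. The syslog prefix, host names, sample lines and the min_pids triage threshold are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# The two sshd messages quoted in the description, mapped to short tags.
SIGNATURES = {
    "Disconnecting: Corrupted check bytes on input.": "corrupted-check-bytes",
    "Disconnecting: crc32 compensation attack: network attack detected":
        "crc32-compensation",
}

# Matches "sshd[PID]: message", with the syslog host field when present.
SSHD_RE = re.compile(r"(?:(?P<host>\S+)\s)?sshd\[(?P<pid>\d+)\]:\s(?P<msg>.*)$")

def scan(lines):
    """Return {host: {tag: set of sshd PIDs that logged that message}}."""
    hits = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = SSHD_RE.search(line.rstrip())
        if not m:
            continue
        tag = SIGNATURES.get(m.group("msg").strip())
        if tag:
            hits[m.group("host") or "localhost"][tag].add(int(m.group("pid")))
    return {h: dict(t) for h, t in hits.items()}

def triage(hits, min_pids=3):
    """Assumed heuristic: an explicit crc32 detection, or several distinct
    sshd children logging corrupted check bytes, warrants investigation."""
    flagged = {}
    for host, tags in hits.items():
        pids = set().union(*tags.values())
        if "crc32-compensation" in tags or len(pids) >= min_pids:
            flagged[host] = sorted(pids)
    return flagged

# Constructed sample; only the two sshd messages come from the description.
SAMPLE = """\
Oct 12 03:14:05 web01 sshd[14211]: Disconnecting: Corrupted check bytes on input.
Oct 12 03:14:09 web01 sshd[14230]: Disconnecting: crc32 compensation attack: network attack detected
Oct 12 03:20:41 web01 sshd[14302]: Accepted password for alice from 192.0.2.10 port 40112
Oct 12 04:02:17 db02 sshd[902]: Disconnecting: Corrupted check bytes on input.
""".splitlines()

if __name__ == "__main__":
    for host, pids in triage(scan(SAMPLE)).items():
        print(f"{host}: investigate, sshd PIDs {pids}")
```

A flagged host is a candidate for the full scan and binary integrity check recommended above; a single "Corrupted check bytes" line on its own can also come from an ordinary broken connection.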
Exploit.WinNT.DebPloit
Description Exploit.WinNT.DebPloit
The DebPloit exploit uses a vulnerability in the security system to assign permissions under WinNT systems (this includes Win2000); it does not affect WinXP. It uses any process to exploit the permissions of any other process. By controlling permissions allocation, DebPloit can, for example, promote all users to system/admin status, provided the targeted process is running under the LocalSystem or Administrator account. As a result, any process run with User rights can let DebPloit into the Administration process and, for example, restart itself with Administrator rights. DebPloit works on Microsoft Windows NT 4.0 and Windows 2000 with Service Packs installed prior to Mar-12-2002 (it doesn't work if Service Packs were installed after Mar-12-2002).