Virus Database

HackTool.Win32.CrackSearch.a

Description HackTool.Win32.CrackSearch.a
This program is written in Visual Basic, and is packed using ASPack. The file is approximately 26KB in size. It is designed to find hacker patches, programs which generate serial codes, and other utilities. It is a skin which can be used to search for key words via the search function on http:all

Check other viruses! Be aware! Use Antiviral Software

I-Worm.Music

Description I-Worm.Music

This is an Internet virus-worm written in VisualBasic. It is a three-component Windows EXE file that spreads via e-mail. The worm has an entertaining payload to hide its main activity: it displays a Christmas scene and plays a tune. The infected message's Subject and Text are:
Subject: Testing to send file
Text: Hi, just testing email using Merry Christmas music file, not bad music.
or:
Text: Hi, just testing email using Merry Christmas music file, you'll like it.
The worm has three components: Dropper, Sender and WinSock library.
1. The worm dropper is sent attached to e-mails. When it is being run, it copies itself to the Windows system directory with SYSMCM.EXE and registers in the auto-run registry key, as well as plays a tune and displays pictures to hide itself.
This worm component doesn't send any messages. To spread further, the worm connects to Internet sites and obtains the rest of its components from there, and copies to the Windows directory with the names: SYSDRV.EXE and SYSTMP.DLL.
2. Second worm component (Sender), is obtained from an Internet site and copied to the Windows system directory. It then obtains e-mail addresses from the Windows Address Book and sends infected messages (with a Dropper attached) there.
3. WinSock library is a standard MS Visual Studio DLL library that is used to access Windows sockets.
The worm is able to upgrade its components from an Internet site: it downloads three files from there (that are supposed to be its plugins), detects their versions, and if these versions are above those currently used, the worm replaces its components with new ones. So the worm is able to change its functionality depending on its author needs.
The worm creates a new registry key to run itself upon each Windows startup:
HKLMSoftwareMicrosoftWindowsCurrentVersionRun
SysDrv = %SystemDir%sysmcm.exe
It also creates one more key where it stores its internal data:
HKLMSoftwareMicrosoftMCM
FirstRun
LastRun
RunMCM
Status
SMTP
Version = 001111

I-Worm.Myba

Description I-Worm.Myba

This is an Internet-worm spreading via e-mail, sending infected messages from infected computers. While spreading, the worm uses MS Outlook and sends itself to all addresses that are stored in the MS Outlook Address Book.
The worm itself is a Win32 application written in VisualBasic. The worm code seems to be based on the "I-Worm.LoveLetter" VBS worm (the worm's routines and their names look very similar to "Loveletter" ones), and its seems that this worm was created by adapting "Loveletter" VBS source to VisualBasic language.
When run (if a user clicks on an attached infected file), the worm sends its copies by e-mail, installs itself into the system and performs destructive actions.
The worm sends itself as e-mail messages with an attached EXE file, that is the worm itself.

The message appears a follows:
The Subject: My baby pic !!!
Message body: Its my animated baby picture !!
Attached file name: mybabypic.exe
Upon being activated by a user (by double clicking on an attached file), the worm opens MS Outlook, gains access to the Address Book, obtains all addresses from there and sends messages with its attached copy to all of them. The message subject, body and attached file name are the same as above.
The worm also installs itself into the system. It creates its copies in the Windows system directory with the following names:
WINKERNEL32.EXE, MYBABYPIC.EXE, WIN32DLL.EXE, CMD.EXE, COMMAND.EXE
and registers in the Windows auto-run section in the system registry:
HKLMSoftwareMicrosoftWindowsCurrentVersionRunmybabypic = %WinSystem%mybabypic.exe
HKLMSoftwareMicrosoftWindowsCurrentVersionRunWINKernel32 = %WinSystem%WINKernel32.exe
HKLMSoftwareMicrosoftWindowsCurrentVersionRunServices = %WinSystem%Win32DLL.exe
where %WinSystem% is the Windows system directory. As a result, the worm is re-activated each time Windows is booted up.
The worm also creates the following registry key:
HKCUSoftwareBugger
Default = HACK[2K]
mailed = %number%
where %number% is a number from 0 to 3 and depends on the process the worm is currently performing or has finished: installing, spreading, activating its payload routine.
The payload routine is rather large. Depending on the system date and time, the worm:
switches on/off NumLock, CapLock and ScrollLock keys
sends to keyboard buffer the following message:

.IM_BESIDES_YOU_
connects the http://www.youvebeenhack.com site and sends one of the texts to there:

FROM BUGGER
HAPPY VALENTINES DAY FROM BUGGER
HAPPY HALLOWEEN FROM BUGGER
The worm also corrupts and/or affects other files. It scans subdirectory trees on all available drives, lists all files there and depending on filename extension, performs one of the following actions:
VBS, VBE: the worm destroys these files' contents.
JS, JSE, CSS, WSH, SCT, HTA, PBL, CPP, PAS, C, H: the worm creates a new file with an original filename plus the ".EXE" extension, and copies its body to there, and then deletes the original file; i.e., the worm overwrites these files with its code and renames them with ann EXE extension. For example, "TEST.CPP" becomes "TEST.EXE".
JPG, JPEG: the worm does the same as above, but adds an ".EXE" extension to the full file name (does not rename to ".EXE"). For example, "PIC1.JPG" becomes "PIC1.JPG.EXE".
MP2, MP3, M3U: the worm creates a new file with an ".EXE" extension (for "SONG.MP2", the worm creates the "SONG.MP2.EXE" file), writes its code to there and sets the file attribute "hidden" for the original file.

Home