Virus Database


Andreas.1107

Description Andreas.1107

This is a harmless memory resident parasitic virus. It hooks INT 21h and writes itself to the end of COM and EXE files that are executed. The virus also searches for COM and EXE files in the current directory and infects them.
On the 19th of any month the virus also hooks INT 9 (keyboard) and on each keystroke decrypts and displays the text "Andreas".


I-Worm.Cult.b

Description I-Worm.Cult.b
Cult is a worm virus spreading via the Internet as an attachment to infected emails as well as through the Kazaa file sharing network.
The worm itself is a Windows PE EXE file. Two worm variants have been found. Both are about 16KB in length when not compressed and about 9K when compressed by UPX.
Installing
While installing, the worm copies itself to the Windows system directory under the name wuauqmr.exe and registers this file in the system registry auto-run keys:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
NvCpTDaemon = wuauqmr.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NvCpTDaemon = wuauqmr.exe

The worm also creates the file awqewqed.dll in the Windows system directory where it writes its MIME (encoded) image.
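A check for the auto-run entries described above, run over the decoded text of a registry export (`reg export` output). This is an added example, not part of the original description; the function names and the sample export are constructed for illustration.

```python
import re

# Indicators from the description above: autorun keys, value name, file name.
AUTORUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\runonce",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
}
VALUE_NAME = "nvcptdaemon"
FILE_NAME = "wuauqmr.exe"
# Matches "name"="string data"; backslash and quote are backslash-escaped.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg_export(text):
    """Yield (key, value_name, data) for string values in decoded .reg text."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if key and m:
            yield key, unescape(m.group(1)), unescape(m.group(2))

def find_cult_b_autoruns(text):
    hits = []
    for key, name, data in parse_reg_export(text):
        if key.lower() not in AUTORUN_KEYS:
            continue
        # Compare the base file name so a full path to the copy also matches.
        exe = data.strip('" ').rsplit("\\", 1)[-1].lower()
        if name.lower() == VALUE_NAME or exe == FILE_NAME:
            hits.append((key, name, data))
    return hits

# Constructed sample export (not captured from a real system).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleTray"="C:\\Program Files\\Example\\tray.exe"
"NvCpTDaemon"="wuauqmr.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"NvCpTDaemon"="wuauqmr.exe"
[HKEY_CURRENT_USER\Software\Example]
"NvCpTDaemon"="wuauqmr.exe"
'''
```

Registry exports are normally UTF-16 encoded, so decode the file before passing its text to `find_cult_b_autoruns`.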
Spreading: Email
Infected messages contain the following field contents:
Subject: Hi, I sent you an eCard from BlueMountain.com

Body:

To view your eCard, open the attachment

If you have any comments or questions, please visit
http://www.bluemountain.com/customer/index.pd

Thanks for using BlueMountain.com.

Attachment: BlueMountaineCard.pif

The worm activates from infected emails only when a user clicks on the attached file. It then installs itself to the system and runs its spreading routines.
Cult.b sends out infected messages only to randomly generated addresses at the following domains:

Spreading: Kazaa
The worm creates a subdirectory under the name "jdfghtrg" in the Windows system directory and copies itself to this location using different names (see below). The jdfghtrg directory is then registered as a Kazaa file sharing resource.
Names used for the worm's copies are:

Payload
The Cult.b worm conducts a DoS (Denial of Service) attack aimed at two servers:
chat.planet.nl
www.chat-planet.nl

I-Worm.Davinia

Description I-Worm.Davinia

This Internet worm spreads via e-mail messages using MS Outlook and MS Word 2000.
The worm arrives on a computer as an e-mail message in HTML format. The message subject and body are empty, but there is a message script in Spanish, which is executed automatically when the message is displayed. It opens a new browser window and downloads a page from the worm's Internet site.
The loaded page contains another script that opens a Microsoft Word document with macros placed on the same site. To avoid a macro-virus protection warning, the worm exploits the "Office 2000 UA Control" vulnerability, which allows the script to disable the Microsoft Word 2000 macro-virus protection without the user's confirmation. (For more information about the "Office 2000 UA Control" vulnerability see: http://www.microsoft.com/technet/security/bulletin/ms00-034.asp)
The macro in the Microsoft Word document executes automatically when the document is opened. It gains access to Microsoft Outlook, extracts addresses from the Outlook address book, and sends e-mail messages to them. Sent messages are the same as the one described above; thus the worm itself (the macro in the document) always resides in the same place, on the Internet site. Sent messages contain only links to this site, so if the worm's site becomes inaccessible, the worm can no longer spread.
The worm has a dangerous payload routine: after sending messages, the macro creates a file named "littledavinia.vbs" in the Windows system directory and modifies the system registry to execute this file upon each Windows startup. The script in this file destroys all data on all disks: it overwrites all files with an HTML page. Upon activation, the page displays the following message:

Microsoft has released an update eliminating the "Office 2000 UA Control" vulnerability. We strongly recommend you visit http://officeupdate.microsoft.com/2000/downloadDetails/Uactlsec.htm and install this update.


    Copyright © 2005 Virus-Database.com