Virus Database


I-Worm.3DStars

Description I-Worm.3DStars

This is an Internet worm that spreads via e-mail as an attached EXE file. The worm itself is a Win32 executable file about 70Kb in length, written in Visual Basic. The worm has many bugs and in many cases (possibly in all cases, in any environment) does not work properly: the worm file is not attached to outgoing messages, and the message text differs from what the worm intends.
To spread from an affected computer, the worm uses MS Outlook: it obtains addresses from the MS Outlook Address Book as well as from the Windows Address Book and sends messages to them. The worm also sends an infected message to vb.master@angelfire.com each time the spreading routine is run.
The message Subject and Body are intended to appear as follows (in practice they do not, because of a bug in the worm code). [%CurrentDate%] stands for the current date.
Subject: Hey, now we can talk with this.. :-)
Message text:
Hello
I wrote a new messenger, so that we can talk with it.
Install the self extractable zip attached

Subject: My movie clips..
Message text:
Hiii
I got a webcam, and I captured few movie clips of me.
Extract the attached self extractable, to see them.

Subject: A lil naughty stuff..
Message text:
Hey..
I got few great, erotic movie clips included in the self extractable

Subject: I downloaded these MP3s yesterday..
Message text:
Howdy..
Hey, they r really great.. Extract the selfextractable zip to see them..

Subject: Just a little naughty stuff from me..
Message text:
Hehehe..
See the cake I prepared for you.. bye 4 now buddy..

Subject: Virus Warning..
Message text:
Hey, take care..
Forward this mail to everyone you know. Today, [%CurrentDate%] FBI
announced that a serious virus is spreading. It is a file with a .VBS
extension, much like Love Bug. See the zip for it

Subject: A Business Issue..
Message text:
Sir,
My company is interested in the opportunities of creating a new
partnership with you. The presentation is attached, kindly see it and reply soon.

Subject: Legal Notice..
Message text:
Sir/Madam
We are forced by our client to forward a legal notice to you dated
[%CurrentDate%]. Kindly see the attached details, and reply as soon as possible

Subject: Greeting Card 4 You..
Message text:
Greeeeetings..
Hope you are doing fine. See the ECard attached 4 you..

When the worm's EXE file is run from the attachment, it copies itself to the Windows directory as SysTray.exe and to the Windows system directory as SysCheck.exe, and registers these files in the Windows registry auto-run section:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
SystemTray = %WindowsDir%\SysTray.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
SystemCheck = %SystemDir%\SysCheck.exe
Note: the original SYSTRAY.EXE is located in the Windows system directory, not in the Windows directory where the worm places its copy.
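The two auto-run entries above can be checked for in an exported registry file. The following is an added example, not code from the original description: it parses a constructed .reg export and flags Run values that match the description. The function names, the sample export and the default directory paths are assumptions.

```python
import ntpath
import re

RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

# Constructed sample export (not taken from a real machine).
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="C:\\WINDOWS\\SysTray.exe"
"SystemCheck"="C:\\WINDOWS\\SYSTEM\\SysCheck.exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SystemTray"="C:\\WINDOWS\\SysTray.exe"
'''


def parse_run_values(reg_text):
    """Yield (name, data) for string values under the HKLM Run key."""
    in_run = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_run = line.strip("[]").lower() == RUN_KEY
        elif in_run:
            m = VALUE_RE.match(line)
            if m:
                # .reg exports double every backslash in string data.
                yield m.group("name"), m.group("data").replace("\\\\", "\\")


# The default directories are assumptions; pass the real ones for the host.
def find_3dstars_run_entries(reg_text, windows_dir=r"C:\WINDOWS",
                             system_dir=r"C:\WINDOWS\SYSTEM"):
    """Return (value name, reason) for Run entries matching the description."""
    hits = []
    for name, data in parse_run_values(reg_text):
        folder, exe = ntpath.split(data.lower())
        if exe == "systray.exe" and folder == windows_dir.lower():
            hits.append((name, "SysTray.exe in the Windows directory"))
        elif exe == "syscheck.exe" and folder == system_dir.lower():
            hits.append((name, "SysCheck.exe in the system directory"))
    return hits


if __name__ == "__main__":
    for hit in find_3dstars_run_entries(SAMPLE_REG):
        print(hit)
```

The check keys on the file's location rather than the value name, so a SystemTray value that does not point into the Windows directory is not flagged.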
To hide its activity, the worm displays the following message:
Microsoft Windows
The application %ApplicationName% caused a general protection fault in
module Kernel.exe, and it will be terminated. Press OK to continue
[ OK ]
where %ApplicationName% is the worm's file name.
On the 4th of any month, if the worm is executed before 5 a.m., it overwrites the C:\AUTOEXEC.BAT file with a Trojan that erases all files in the "C:\My Documents" directory and all *.DLL files in the C:\Windows directory. The Trojan code also displays the following messages:
Please wait while setup update files. This may take a few minutes..
Now loading Windows..
The worm also has a backdoor component that "opens" the affected computer to a remote hacker. The backdoor routine allows the hacker to:
report the drives in the system, and the directories and files on those drives
read, write, copy, delete a file
change, create, remove a directory
read, write registry keys
send e-mail to a specified address
execute a file
force Windows to exit
The worm code contains the text "3DStars server", which gives the worm its name.


I-Worm.NewLove

Description I-Worm.NewLove

This is an extremely dangerous variant of the "LoveLetter" Internet worm. Just as with its forerunner "LoveLetter", the "NewLove" worm is written in the Visual Basic Script language and spreads as a VBS file with a random name. The worm installs itself into the system, gains access to the MS Outlook address book, and sends itself to all addresses listed there.
The infected message subject begins with "FW:" followed by random text up to 30 characters in length and a random extension from the following list:
Doc, Xls, Mdb, Bmp, Mp3, Txt, Jpg, Gif, Mov, Url, Htm, Txt

This also serves as the name of the attached file, for example:
FW: VPAVQXCUUNGUFLTJSLNAUTQZXJUG.Bmp
FW: QKUPLSXOOIBPAGNENGIVPN.Mp3
FW: TNXSOVARRLESDJQHQJLYSQNWV.Mdb
FW: HBLHCJOFFZS.Mdb
FW: MGQMHOTKKEXLWCJAJ.Doc
FW: SMXSNUZRRKDRCJQGPIKXRQNWU.Mdb
FW: CWGCXE.Mp3
The message body is empty, and there is a VBS file attached with the same file name that is in the subject line, but with an added ".VBS" extension. Depending on the system settings, the real extension of the attached file (".vbs") may not be shown. In this case, the name of the attached file is displayed as shown above (without the "FW:").
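The message traits described above (subject, empty body, attachment name) can be turned into a mail-filter check. This is an added example, not code from the original description; the function names are hypothetical, the messages are built from the page's sample subjects with a harmless placeholder payload, and treating the random text as ASCII letters only is an assumption based on those samples.

```python
import re
from email.message import EmailMessage

# Extensions from the description's list (it names Txt twice).
EXTS = "doc|xls|mdb|bmp|mp3|txt|jpg|gif|mov|url|htm"
# Assumption: the random text is 1-30 ASCII letters, as in the page's samples.
NAME_RE = re.compile(r"[A-Za-z]{1,30}\.(?:%s)" % EXTS, re.IGNORECASE)


def newlove_traits(msg):
    """Return the set of described traits that a parsed message shows."""
    traits = set()
    subject = (msg["Subject"] or "").strip()
    name = subject[3:].strip() if subject[:3].upper() == "FW:" else ""
    if NAME_RE.fullmatch(name):
        traits.add("subject")
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is None or not body.get_content().strip():
        traits.add("empty_body")
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        # The attachment repeats the subject's name with ".VBS" appended.
        if "subject" in traits and fname == name.lower() + ".vbs":
            traits.add("attachment")
    return traits


def is_newlove_like(msg):
    """Quarantine decision: all three described traits must be present."""
    return newlove_traits(msg) == {"subject", "empty_body", "attachment"}


def build_message(subject, filename, body=""):
    """Construct a sample message (test data with a placeholder payload)."""
    msg = EmailMessage()
    msg["Subject"] = subject
    if body:
        msg.set_content(body)
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg


if __name__ == "__main__":
    sample = build_message("FW: QKUPLSXOOIBPAGNENGIVPN.Mp3",
                           "QKUPLSXOOIBPAGNENGIVPN.Mp3.vbs")
    print(sorted(newlove_traits(sample)), is_newlove_like(sample))
```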
When the attached file is activated (by double clicking, for example), the worm sends its copies to all addresses from the MS Outlook address book.
The worm then destroys the computer. It scans all local and mapped disk drives, replaces all files with its copy, and adds the ".VBS" extension to the file names (for example, COMMAND.COM becomes COMMAND.COM.VBS). As a result, all files on all accessible drives are totally destroyed.
Because of this, the worm is able to spread just once: it sends its copy to all available addresses and then destroys the computer.
The worm is able to spread only if MS Outlook is installed in the system. The payload routine, however, is activated regardless of which e-mail system is installed on the computer: if another e-mail system is installed, the worm does not send infected e-mails but still destroys all files on the computer.
The worm is polymorphic: each time it spreads, it inserts random comments into its code. As a result, its size grows with each generation (about 60% of the current size), for example:
1st generation: 110Kb
2nd generation: 248Kb
3rd generation: 403Kb
4th generation: 585Kb
5th generation: 805Kb
6th generation: 1040Kb
etc.
The "pure" worm code is just about 5Kb in size.
Protection against this type of worm has already been released by Kaspersky Lab. The "AVP Script Checker" protects the system against the new worm and prevents infection. We strongly recommend that you download "AVP Script Checker" from our Kaspersky Lab Web sites.

I-Worm.Newpic.a

Description I-Worm.Newpic.a

This is a virus-worm that spreads via the Internet using MSN Messenger (instant messaging program). The worm itself is a Windows EXE file about 50Kb in length written in Visual Basic.
When an infected file is run, the worm displays the following fake message:
Error
Cannot open file. May be corupted. Replace the file with a new
one and try again.
Then it registers itself in the auto-run registry key:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MSN Messenger = %filename%
where %filename% is the worm's full file name.
The worm then waits for incoming messages and replies with the following text:
hey, want me to send my new pic?
i took it yesterday
The worm then waits for an answer. If the user answers with one of the following words:
sure
yes
yea
guess
ok
send
maybe
go
the worm sends its EXE file to the victim and then sends one of the following randomly selected texts:
alright, here ya go
i hope you like it
there
pweese? :)
ok cool
The worm also creates the "C:\Messenger1324\Brain1Read Me.txt" file and writes the following text there:
I come in piece. My name is Jerry.
The purpose of me is to spread. I'm not annoying, nor dangerous.
How to remove me:
1) Click Start, select Run. The Run dialog box pops up.
2) Type: msconfig The System Configuration Utility pops up.
3) Click the Startup tab at the top. In the list, find MsgSprd, Messenger, or pic1324, uncheck, press Apply, then press Ok.
4) Restart your computer Or press Ctrl - Alt - Del, select MsgSprd from the list, then press End Task.
You may freely delete the files or the 'C:\Messenger1324' directory.

    Copyright © 2005 Virus-Database.com