I-Worm.Alcaul.h
Description I-Worm.Alcaul.h
This is a virus-worm that spreads via the Internet as an attachment to infected e-mails. The worm itself is a Windows PE EXE file 5632 bytes in length, written in Visual Basic 6 and packed with the UPX utility. After unpacking, it is about 16 Kb in length.

Infected messages contain:

Subject: cute worm
Body: the attached file is a compressed picture of a wormall click it..
Attachment: worm.com

The worm activates from an infected e-mail only when a user clicks on the attached file. The worm does not install itself to the system and is not activated again (except when a user clicks on the attached file again). To send infected messages, the worm uses MS Outlook and sends messages to all addresses found in the Outlook address book.

Installing

While installing, the worm copies itself to disk C: with the name: C:\WORM.COM.
I-Worm.Bagle.as
Description I-Worm.Bagle.as
This worm spreads via the Internet as an attachment to infected messages. It sends itself to all email addresses harvested from the victim computer. It contains a backdoor function. The worm itself is a PE EXE file, 18758 bytes or greater in size.

Installation

Once launched, the worm copies itself to the Windows system directory under a variety of names. Example:

C:\WINDOWS\SYSTEM32\awindo.exe
C:\WINDOWS\SYSTEM32\awindo.exeopen
C:\WINDOWS\SYSTEM32\awindo.exeopenopen

It then registers the appropriate file in the system registry:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
bawindo = %system%\awindo.exe

This ensures that the worm will launch each time the system is rebooted.

Propagation via email

The worm searches for files with the following extensions:

adb asp cfg cgi dbx dhtm eml htm jsp mbx mdx mht mmf msg nch ods oft php pl sht shtm stm tbb txt uin wab wsh xls xml

and sends itself to all email addresses harvested from these files. It establishes a direct connection to the recipient's SMTP server in order to send messages.

Infected messages:

Sender's address: Random

Message header:
Re:
Re: Hello
Re: Hi
Re: Thank you!
Re: Thanks :)

Attachment name:
Joke
Price
price

with one of the following extensions: com cpl exe scr

Propagation via P2P

The worm creates copies of itself in all subdirectories which contain the word 'Share' in their names. The copies are saved under names chosen from the following list:

ACDSee 9.exe
Adobe Photoshop 9 full.exe
Ahead Nero 7.exe
Kaspersky Antivirus 5.0
KAV 5.0
Matrix 3 Revolution English Subtitles.exe
Microsoft Office 2003 Crack, Working!.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Opera 8 New!.exe
Porno pics arhive, xxx.exe
Porno Screensaver.scr
Porno, sex, oral, anal cool, awesome!!.exe
Serials.txt.exe
WinAmp 5 Pro Keygen Crack Update.exe
WinAmp 6 New!.exe
Windown Longhorn Beta Leak.exe
Windows Sourcecode update.doc.exe
XXX hardcore images.exe

Remote administration

The worm opens and tracks activity on TCP and UDP port 81 in order to receive commands.
I-Worm.Bagle.b
Description I-Worm.Bagle.b
This worm spreads via the Internet in the form of an attachment to infected emails. The worm itself is a PE EXE file of approximately 11KB, compressed using UPX. The size of the decompressed file is approximately 16KB.

Characteristics of infected messages:

Message header: ID xall thanks
with x being a string of random characters.

Message body: Yours ID x -- Thank
with x being a string of random characters.

Attachment: The attachment has a random name, with a file size of 11KB.

Installation

Once launched, the worm copies itself to the Windows system directory under the name 'au.exe' and registers this file in the system registry auto-run key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"au.exe" = "%system%\au.exe"

It also creates the following registry key:

[HKCU\SOFTWARE\Windows2000]

and saves its variables there.

The worm attempts to connect to a number of remote sites, all of which are in some way connected with the Trojan proxy server TrojanProxy.Win32.Mitglieder. On launching, the worm launches the Sound Recorder utility (sndrec32.exe).

Propagation

The worm searches for files with the following extensions: wab, txt, htm, html and sends itself to all email addresses found in these files. The worm uses its own SMTP server to send email.

Remote administration

The worm opens and monitors port 8866. A backdoor function means that commands can then be executed and files can be downloaded on the victim computer, with all of this being done from a remote location.

Other

The worm is programmed to stop propagating after 25th February 2004.