Virus Database


I-Worm.Amus.a

Description I-Worm.Amus.a

Amus is an Internet worm that spreads in email attachments. It is a Windows PE EXE file, written in Visual Basic and packed with Yoda. The compressed file size is about 50 KB.
Amus is activated only if the user double-clicks the attachment.
Installation
After being launched, Amus:
Creates a unique identifier named 'Masum'
Attempts to activate ISpeechVoice.Speak and play the following soundtrack:
How are you. I am back. My name is mister hamsi. I am seeing you. Haaaaaaaa. You must come to turkiye. I am cleaning your computer. 5. 4. 3. 2. 1. 0. Gule. Gule.
Amus then copies itself into the root directory of the C drive under the name masum.exe and into the Windows folder under the following names:
Adapazari.exe
Ankara.exe
Anti_Virus.exe
Cekirge.exe
KdzEregli.exe
Messenger.exe
Meydanbasi.exe
My_Pictures.exe
Pide.exe
Pire.exe
The worm registers the file KdzEregli.exe in the following Windows auto run system registry key:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Microzoft_Ofiz"="%WINDIR%\KdzEregli.exe"
Moreover, Amus creates the following system registry key:
[HKCU\SOFTWARE\Microsoft\Masum\Who]
"Who"="OnEmLi_DeGiL"
Propagation by email
Amus uses MS Outlook to send copies of itself to all recipients listed in the address book.
Infected emails
Subject
Listen and Smile
Attachment name
Masum.exe
Body text
Hey. I beg your pardon. You must listen.
Amus does not spoof sender addresses and uses the real address of the infected machine.
Other
Amus is programmed to replace the home page URL in Internet Explorer on the 1st, 6th, 20th and 25th of each month with the following text:
Konneting du pepil and dizkoneting you. Anlami: Baglansan ne olacak, baglanmasan ne olacak. Zaten hatlar burada rezalet.
On the 2nd, 15th and 17th of each month, Amus will attempt to delete all .ini files in the Windows folder.
On the 10th and 23rd of each month, the worm will attempt to delete all .dll files in the Windows folder.


I-Worm.Bagle.ao

Description I-Worm.Bagle.ao

This worm spreads via the Internet as an attachment to infected emails, and also via file-sharing networks.
It is almost identical to I-Worm.Bagle.an.
It is compressed using PEX; the compressed file is 174924 bytes in size, and the uncompressed file is 23556 bytes in size.
Propagation via email
Infected messages:
Message header:
photo
Message body:
photo
The message body appears as an HTML page.
Attachment name:
foto.zip
fotos.zip
The attached archive is 4558 bytes in size.
Attachment contents:
foto.html 1calc.exe
The first file contains Exploit.CodeBaseExec.
The second file contains TrojanDropper.Win32.Small.kv, which installs TrojanDownloader.Win32.Agent.cj on the victim machine. This program then downloads the main module of the worm.
Other
File names, registry key values, remote administration functions and the routine for propagating via file-sharing networks are identical to those of I-Worm.Bagle.an.
The worm is programmed to cease functioning and to delete itself after 2nd September 2004.

I-Worm.Bagle.as

Description I-Worm.Bagle.as

This worm spreads via the Internet as an attachment to infected messages. It sends itself to all email addresses harvested from the victim computer. It contains a backdoor function.
The worm itself is a PE EXE file, 18758 bytes or greater in size.
Installation
Once launched, the worm copies itself to the Windows system directory under a variety of names:
Example:
C:\WINDOWS\SYSTEM32\bawindo.exe
C:\WINDOWS\SYSTEM32\bawindo.exeopen
C:\WINDOWS\SYSTEM32\bawindo.exeopenopen
It then registers the appropriate file in the system registry:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
bawindo = %system%\bawindo.exe
This ensures that the worm will launch each time the system is rebooted.
Propagation via email
The worm searches for files with the following extensions:
adb
asp
cfg
cgi
dbx
dhtm
eml
htm
jsp
mbx
mdx
mht
mmf
msg
nch
ods
oft
php
pl
sht
shtm
stm
tbb
txt
uin
wab
wsh
xls
xml


and sends itself to all email addresses harvested from these files. It establishes a direct connection to the recipient's SMTP server in order to send messages.
Infected messages:
Sender's address:
Random
Message header:
Re:
Re: Hello
Re: Hi
Re: Thank you!
Re: Thanks :)
Attachment name:
Joke
Price
price
with one of the following extensions:
com
cpl
exe
scr
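The message indicators listed for the three worms on this page (Amus.a, Bagle.ao and Bagle.as) can be combined into a mail-gateway check. The following is an added example, not part of the original descriptions: it parses raw messages and reports an entry only when both the subject and an attachment name match. It assumes "Message header" means the Subject line; `classify`, `build_sample` and the example.com addresses are hypothetical names constructed for the illustration.

```python
import email
from email import policy
from email.message import EmailMessage

def _bagle_as_attachment(name):
    # Joke / Price / price with one of the four listed extensions.
    stem, dot, ext = name.rpartition(".")
    return (bool(dot) and stem in {"Joke", "Price", "price"}
            and ext in {"com", "cpl", "exe", "scr"})

# Entry name -> (subjects, attachment-name predicate), transcribed from this page.
RULES = {
    "I-Worm.Amus.a": ({"Listen and Smile"}, lambda n: n == "Masum.exe"),
    "I-Worm.Bagle.ao": ({"photo"}, lambda n: n in {"foto.zip", "fotos.zip"}),
    "I-Worm.Bagle.as": ({"Re:", "Re: Hello", "Re: Hi", "Re: Thank you!",
                         "Re: Thanks :)"}, _bagle_as_attachment),
}

def classify(raw: bytes):
    """Return the entries whose subject AND attachment name both match."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip()
    # walk() visits every MIME part; only parts with a filename are attachments.
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    return [worm for worm, (subjects, attach_ok) in RULES.items()
            if subject in subjects and any(attach_ok(n) for n in names)]

def build_sample(subject, filename):
    """Build a constructed test message; the payload is inert placeholder bytes."""
    m = EmailMessage()
    m["From"] = "sender@example.com"   # constructed address
    m["To"] = "user@example.com"       # constructed address
    m["Subject"] = subject
    m.set_content("hello")
    m.add_attachment(b"constructed sample", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for subj, fname in [("Re: Hi", "Price.scr"), ("photo", "fotos.zip"),
                        ("Listen and Smile", "Masum.exe"), ("Re: Hi", "report.pdf")]:
        print(subj, fname, classify(build_sample(subj, fname)))
```

Subjects such as "Re: Hi" are common in legitimate mail, which is why the check requires the attachment name to match as well.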
Propagation via P2P
The worm creates copies of itself in all subdirectories which contain the word 'Share' in their names. The copies are saved under names chosen from the following list:
ACDSee 9.exe
Adobe Photoshop 9 full.exe
Ahead Nero 7.exe
Kaspersky Antivirus 5.0
KAV 5.0
Matrix 3 Revolution English Subtitles.exe
Microsoft Office 2003 Crack, Working!.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Opera 8 New!.exe
Porno pics arhive, xxx.exe
Porno Screensaver.scr
Porno, sex, oral, anal cool, awesome!!.exe
Serials.txt.exe
WinAmp 5 Pro Keygen Crack Update.exe
WinAmp 6 New!.exe
Windown Longhorn Beta Leak.exe
Windows Sourcecode update.doc.exe
XXX hardcore images.exe
Remote administration
The worm opens and tracks activity on TCP and UDP port 81 in order to receive commands.

    Copyright © 2005 Virus-Database.com