Virus Database


I-Worm.Bagle.aa

Description I-Worm.Bagle.aa

This worm spreads via the Internet as an attachment to infected messages, and also via file-sharing networks.
It is packed using UPX and PEX. The unpacked file is approximately 66KB in size.
The file contains a ZIP archive which contains the complete source code of the worm.
Installation
Once launched, the worm copies itself to the Windows system directory as loader_name.exe, and registers this file in the system registry, to ensure the file is run every time the system is started:
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"reg_key" = "%system%\loader_name.exe"
The worm also creates 2 additional files in the Windows system registry:
loader_name.exeopen
loader_name.exeopenopen
Propagation
The worm searches disks for files with the following extensions:
adb
asp
cfg
cgi
dbx
dhtm
eml
htm
jsp
mbx
mdx
mht
mmf
msg
nch
ods
oft
php
pl
sht
shtm
stm
tbb
txt
uin
wab
wsh
xls
xml


and sends itself to all email addresses harvested from these files.
It uses its own SMTP server to send messages.
Infected messages:
Message header (chosen from the list below):
Re: Msg reply
Re: Hello
Re: Yahoo!
Re: Thank you!
Re: Thanks :)
RE: Text message
Re: Document
Incoming message
Re: Incoming Message
RE: Incoming Msg
RE: Message Notify
Notification
Changes..
Update
Fax Message
Protected message
RE: Protected message
Forum notify
Site changes
Re: Hi
Encrypted document
Message body (chosen from the list below)
Read the attach.
Your file is attached.
More info is in attach
See attach.
Please, have a look at the attached file.
Your document is attached.
Please, read the document.
Attach tells everything.
Attached file tells everything.
Check attached file for details.
Check attached file.
Pay attention at the attach.
See the attached file for details.
Message is in attach
Here is the file.
Attachment name (chosen from the list below):
Information
text_document
Updates
Readme
Document
Info
MoreInfo
Message
Attachment extension (chosen from the list below):
exe
scr
com
zip
vbs
hta
cpl
If the attached file has the extension .hta, the size of the attached file will be approximately 208KB. If the attached file has the extension .vbs then the size of the attached file will be approximately 211KB.
The worm is capable of sending itself in a password protected zip archive. In such cases, the password will be shown in the message body, either in text format or as an image.
It does not send infected messages to addresses that contain any of the strings listed below:
@hotmail
@msn
@microsoft
rating@
f-secur
news
update
anyone@
bugs@
contract@
feste
gold-certs@
help@
info@
nobody@
noone@
kasp
admin
icrosoft
support
ntivi
unix
bsd
linux
listserv
certific
sopho
@foo
@iana
free-av
@messagelab
winzip
google
winrar
samples
abuse
panda
cafee
spam
pgp
@avp.
noreply
local
root@
postmaster@
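The subject, body and attachment lists above are fixed, so an inbound message can be scored against them. The following is an added example (not code from the original page or from any vendor) that parses a message, looks for those exact subjects, body phrases and attachment stems/extensions, and notes the password-protected ZIP case where the password appears in the body. The weights and the two sample messages are assumptions made for this example.

```python
import re
from email import message_from_string
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Lure lexicon copied from the Bagle.aa description above.
BAGLE_SUBJECTS = {
    "Re: Msg reply", "Re: Hello", "Re: Yahoo!", "Re: Thank you!", "Re: Thanks :)",
    "RE: Text message", "Re: Document", "Incoming message", "Re: Incoming Message",
    "RE: Incoming Msg", "RE: Message Notify", "Notification", "Changes..", "Update",
    "Fax Message", "Protected message", "RE: Protected message", "Forum notify",
    "Site changes", "Re: Hi", "Encrypted document",
}
BAGLE_BODY_PHRASES = {
    "Read the attach.", "Your file is attached.", "More info is in attach", "See attach.",
    "Please, have a look at the attached file.", "Your document is attached.",
    "Please, read the document.", "Attach tells everything.", "Attached file tells everything.",
    "Check attached file for details.", "Check attached file.", "Pay attention at the attach.",
    "See the attached file for details.", "Message is in attach", "Here is the file.",
}
BAGLE_ATTACH_STEMS = {"Information", "text_document", "Updates", "Readme",
                      "Document", "Info", "MoreInfo", "Message"}
BAGLE_ATTACH_EXTS = {"exe", "scr", "com", "zip", "vbs", "hta", "cpl"}


def classify_message(raw: str) -> dict:
    """Score one RFC 822 message against the Bagle.aa lure lexicon.

    Weights are an assumption of this example: the attachment carries the
    worm, so it counts more than a subject or body match.
    """
    msg = message_from_string(raw)
    hits, score = [], 0

    subject = (msg.get("Subject") or "").strip()
    if subject in BAGLE_SUBJECTS:
        hits.append("subject")
        score += 1

    body, attachments = "", []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if filename:
            attachments.append(filename)
        elif part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            body += payload.decode("utf-8", errors="replace")

    if any(phrase in body for phrase in BAGLE_BODY_PHRASES):
        hits.append("body")
        score += 1

    for name in attachments:
        stem, _, ext = name.rpartition(".")
        if stem in BAGLE_ATTACH_STEMS and ext.lower() in BAGLE_ATTACH_EXTS:
            hits.append(f"attachment:{name}")
            score += 2
            # Password-protected ZIP variant: the password is given in the body text.
            if ext.lower() == "zip" and re.search(r"\bpass(word)?\b", body, re.I):
                hits.append("zip-password-in-body")
                score += 1

    return {"score": score, "hits": hits,
            "verdict": "bagle.aa-lure" if score >= 2 else "clean"}


def build_sample(subject: str, body: str, attach_name: str) -> str:
    """Construct a minimal multipart message for the demo (not a real capture)."""
    msg = MIMEMultipart()
    msg["Subject"] = subject
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg.attach(MIMEText(body))
    part = MIMEApplication(b"placeholder-bytes", Name=attach_name)
    part["Content-Disposition"] = f'attachment; filename="{attach_name}"'
    msg.attach(part)
    return msg.as_string()


# Constructed samples: one Bagle.aa-style lure, one ordinary message.
SAMPLE_LURE = build_sample("Re: Document",
                           "Please, have a look at the attached file.\nPassword: 12345",
                           "Document.zip")
SAMPLE_CLEAN = build_sample("Q3 numbers", "Hi, the figures are attached.", "report.pdf")

if __name__ == "__main__":
    for raw in (SAMPLE_LURE, SAMPLE_CLEAN):
        print(classify_message(raw))
```

Exact-match lists like these age quickly; the attachment stem/extension rule is the part worth keeping in a mail gateway, since it catches the executable regardless of which subject or body line was chosen.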
Propagation via P2P networks
The worm searches disks for folders where the name contains the word 'shar' and copies itself several times to all such folders found. Copies are made under the following names:
Microsoft Office 2003 Crack, Working!.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Porno Screensaver.scr
Porno, sex, oral, anal cool, awesome!!.exe
Porno pics arhive, xxx.exe
Serials.txt.exe
KAV 5.0
Kaspersky Antivirus 5.0
Windown Longhorn Beta Leak.exe
Windows Sourcecode update.doc.exe
XXX hardcore images.exe
Opera 8 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
WinAmp 6 New!.exe
Matrix 3 Revolution English Subtitles.exe
Adobe Photoshop 9 full.exe
Ahead Nero 7.exe
ACDSee 9.exe
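Because the worm only drops copies into folders whose name contains 'shar', and always under the fixed names listed above, a filesystem sweep can be narrow. The following is an added example (not code from the original page) that walks a directory tree, flags the exact worm file names inside such folders, and, going slightly beyond the list, also flags executables with a decoy double extension such as .doc.exe. The decoy-extension set and the sample directory layout are assumptions made for this example.

```python
import os
import tempfile
from pathlib import Path

# File names the worm uses for its P2P copies, as listed above.
BAGLE_P2P_NAMES = {
    "Microsoft Office 2003 Crack, Working!.exe",
    "Microsoft Office XP working Crack, Keygen.exe",
    "Microsoft Windows XP, WinXP Crack, working Keygen.exe",
    "Porno Screensaver.scr",
    "Porno, sex, oral, anal cool, awesome!!.exe",
    "Porno pics arhive, xxx.exe",
    "Serials.txt.exe",
    "KAV 5.0",
    "Kaspersky Antivirus 5.0",
    "Windown Longhorn Beta Leak.exe",
    "Windows Sourcecode update.doc.exe",
    "XXX hardcore images.exe",
    "Opera 8 New!.exe",
    "WinAmp 5 Pro Keygen Crack Update.exe",
    "WinAmp 6 New!.exe",
    "Matrix 3 Revolution English Subtitles.exe",
    "Adobe Photoshop 9 full.exe",
    "Ahead Nero 7.exe",
    "ACDSee 9.exe",
}
# Assumptions for the generic tier: executable suffixes and common decoy suffixes.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif"}
DECOY_EXTS = {".txt", ".doc", ".xls", ".jpg", ".gif", ".zip", ".pdf", ".mp3"}


def sweep_share_folders(root):
    """Return sorted (path, reason) pairs for suspicious files under 'shar*' folders."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "shar" not in os.path.basename(dirpath).lower():
            continue
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            suffixes = [s.lower() for s in Path(fn).suffixes]
            if fn in BAGLE_P2P_NAMES:
                findings.append((full, "bagle.aa-p2p-name"))
            elif (len(suffixes) >= 2 and suffixes[-1] in EXECUTABLE_EXTS
                  and suffixes[-2] in DECOY_EXTS):
                findings.append((full, "double-extension-executable"))
    return sorted(findings)


def build_sample_tree(base):
    """Constructed directory layout for the demo; not taken from a real machine."""
    layout = {
        "Shared Folder": ["Serials.txt.exe", "Opera 8 New!.exe", "holiday.jpg"],
        "shared": ["invoice.pdf.exe", "readme.txt"],
        "Documents": ["Serials.txt.exe"],  # worm name, but not a share folder
    }
    for folder, names in layout.items():
        d = os.path.join(base, folder)
        os.makedirs(d, exist_ok=True)
        for n in names:
            with open(os.path.join(d, n), "wb") as fh:
                fh.write(b"placeholder")
    return base


def demo():
    """Sweep a throwaway tree and return the flagged (basename, reason) pairs."""
    with tempfile.TemporaryDirectory() as tmp:
        base = build_sample_tree(os.path.join(tmp, "home"))
        return [(os.path.basename(p), why) for p, why in sweep_share_folders(base)]


if __name__ == "__main__":
    for name, why in demo():
        print(f"{why}: {name}")
```

The file in Documents is deliberately not reported: the description says the worm only writes into 'shar' folders, so a copy elsewhere would come from something else and deserves a different rule.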
Remote administration
The worm opens port 1234 and monitors it for incoming connections.
The backdoor function makes it possible for the source code of the worm to be remotely mass mailed at any time.
Other
The worm is programmed to cease activity and delete itself after 7th July 2004.


I-Worm.Fintas

Description I-Worm.Fintas

This is a virus-worm that spreads via the Internet attached to infected files. The worm itself is a Windows PE EXE file about 36KB in length, and is written in Visual Basic Script.
The worm activates from an infected e-mail only when a user clicks on the attached file. The worm then installs itself to the system, and runs a spreading routine and payload.
Installing
While installing, the worm copies itself:
to the Windows directory, the Windows system directory and the C: drive root, with the `.EXE name;
to the Windows TEMP directory, with a name that depends on the worm version:
FF8.EXE
FunnyFlash.EXE

The C:\`.EXE file is then registered in the system registry auto-run key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices 723 = c:\`.exe
and in the Windows SYSTEM.INI file, [boot] section, in the "shell" auto-run command.
Spreading
To send infected messages, the worm uses MS Outlook and sends messages to all addresses found in the Outlook address book.
Subject, Body and Attachment name are different in the known worm versions:
Subject/Body/Attach:
Microsoft Shockwave Flash Movie
Check "Family.exe" then you could see Microsoft family's Shockwave Flash Movie
FamilyMovie.exe

CoolGame From %UserName%
the cool game about Final Fantasy VIII :)
FF8.EXE

FunnyFlashMovie From %UserName%
the flash movie,check it !:)
FunnyFlash.EXE

where %UserName% is the Name of the affected machine.
Fintas.a
The first-known worm version, after e-mail spreading, deletes the following files in the Windows directory: REGEDIT.EXE, SYSTEM.INI, WIN.INI, COMMAND\EBD\io.sys, and then the files C:\IO.SYS and C:\NETWORK.LOG. It then copies the worm to the J: network drive (if it exists).
The worm then creates and spawns two VBS files, "c:\passwd.vbs" and "c:\leo.vbs", and then displays the following message:

The LEO.VBS file looks for the following files: .html .htm .asp .php .dll .com .txt .doc .xls .exe and overwrites them with the text:
Hi! I am LEO
The PASSWD.VBS file looks for .PWL files (passwords) and sends them to the "leotam888@china.com" e-mail with a "mypasswd" subject.
Payload - other versions
On the 23rd of any month, the worm runs its payload routine (which takes effect under Win9x systems only). It writes, to the C:\MSDOS.SYS file, an instruction that disables the Windows boot-up process pausing and tracing, and then overwrites the C:\AUTOEXEC.BAT file with instructions that will format all drives from C: to Z: upon the next machine reboot.
Then the worm displays the message:

I-Worm.FireBurn

Description I-Worm.FireBurn

This is an Internet worm that spreads as a VBS file attached to e-mail messages. To send infected messages, the worm uses MS Outlook. The worm is also able to send its copies to IRC channels by infecting an mIRC client.
When the worm file is activated (by double clicking on the attached file in infected messages, or being accepted as an IRC download), it installs itself into the system by copying its code to the Windows directory with the RUNDLL32.VBS name and registering it in the auto-run section in the Windows registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
MSrundll32 = rundll32.vbs
As a result, the worm then activates each time Windows starts up.
E-mail messages
While mailing its copies, the worm connects to MS Outlook, gains access to the address book and sends its copies to all addresses listed in there. Depending on system configuration, the message has a different Subject and Body. Under the German Windows version, the message appears as follows:
Subject: Moin, alles klar?
Body: Hi, wie geht's dir?
Guck dir mal das Photo im Anhang an, ist echt geil ;)
bye, bis dann..
Under non-German Windows:
Subject: Hi, how are you?
Body: Hi, look at that nice Pic attached !
Watching it is a must ;)
cu laterall
The attached file name is randomly selected from eight variants:
Ultra-Hardcore-Bondage.JPG.vbs
Christina__NUDE!!!.JPG.vbs
CuteJany__BigTits!.GIF.vbs
MyGirlfriend__NUDE!.JPG.vbs
Aguiliera__NUDE!!.JPG.vbs
!Jany__Gets-fucked!.GIF.vbs
cute__EmmaPeel!!!.JPG.vbs
Julie17__xxx.GIF.vbs
A copy of the worm with the same (randomly selected) name is also created in the Windows directory; it is this copy that is attached to infected messages.
IRC infection
To spread to IRC channels, the worm creates a SCRIPT.INI mIRC system file in the mIRC directory (if it is installed). The worm looks for a C:\MIRC directory as well as for an MIRC directory in "Program Files". If mIRC is installed, the worm drops a new SCRIPT.INI file there. This file contains a set of instructions that sends the worm file to everybody who enters an infected channel.
The mIRC script also:
temporarily moves the worm's RUNDLL32.VBS file from Windows to the Windows system directory with one of the random names listed above (upon disconnecting from the IRC channel, it moves the VBS file back to the Windows directory with the same RUNDLL32.VBS name)
sends the message "Burn, Burn, Burn :)" to a "virus" conference;
hides virus-like messages in the current conference (ignores messages that contain any of the words: "script", "virus", "worm")
upon text "die lamer" in chat, the script quits the channel with the message "I'll commit suicide! R.I.P"
upon text "fire", displays the text "Burn Burn Burn :)"
Payload routine
The payload routine is activated on June 20th. It displays the following message:
FireburN
I'm proud to say that you are infected by FireburN !
and disables the keyboard and mouse by modifying the following two system-registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Shut_Up = "rundll32 mouse,disable"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Shut_Up2 = "rundll32 keyboard,disable"
Misc
The worm also changes the "Registered Owner" field in "MyComputer/Properties", the new value is "FireburN". This is done by modifying the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion RegisteredOwner = FireburN
The worm code also contains the "copyright" text:
VBS.FIREBURN.A -- mIRC/Outlook worm coded by fireburn
Polymorphic: Changing the actual filename on each start...
greets: to all members of 'UnCreativeLabs'
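All three descriptions on this page (Bagle.aa, Fintas and FireBurn) persist through Run or RunServices values, and FireBurn additionally rewrites RegisteredOwner. The following is an added example (not code from the original page) that parses a .reg-style export of those keys and matches each value against the indicators given above; it also carries one generic rule, flagging any autorun value that points at a .vbs script, which goes beyond the specific entries. The export text is constructed for the demo, and "loader_name.exe" is kept as the placeholder name the Bagle.aa description uses.

```python
# Constructed .reg-style export containing the autorun and owner values the
# descriptions above mention, plus one benign entry. Not a real machine export.
SAMPLE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"MSrundll32"="rundll32.vbs"
"Shut_Up"="rundll32 mouse,disable"
"Shut_Up2"="rundll32 keyboard,disable"
"SoundMan"="soundman.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"723"="c:\\`.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion]
"RegisteredOwner"="FireburN"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"reg_key"="%system%\\loader_name.exe"
"""

AUTORUN_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runservices")


def parse_reg(text):
    """Parse the subset of .reg syntax used here: [key] headers and "name"="string" lines."""
    entries = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            name = name.strip().strip('"')
            data = data.strip()
            if data.startswith('"') and data.endswith('"'):
                # .reg files escape backslashes inside string values.
                data = data[1:-1].replace("\\\\", "\\")
            entries.append((key, name, data))
    return entries


def audit(entries):
    """Return (label, key, name, data) for values matching the indicators above."""
    findings = []
    for key, name, data in entries:
        k, n, d = key.lower(), name.lower(), data.lower()
        autorun = k.endswith(AUTORUN_SUFFIXES)
        if autorun and n == "msrundll32" and d.endswith("rundll32.vbs"):
            findings.append(("I-Worm.FireBurn", key, name, data))
        elif autorun and n.startswith("shut_up") and (
                "mouse,disable" in d or "keyboard,disable" in d):
            findings.append(("I-Worm.FireBurn payload", key, name, data))
        elif k.endswith("\\currentversion") and n == "registeredowner" and data == "FireburN":
            findings.append(("I-Worm.FireBurn", key, name, data))
        elif autorun and n == "723" and d == "c:\\`.exe":
            findings.append(("I-Worm.Fintas", key, name, data))
        elif autorun and d.endswith("\\loader_name.exe"):  # placeholder name from the page
            findings.append(("I-Worm.Bagle.aa", key, name, data))
        elif autorun and d.endswith(".vbs"):
            findings.append(("generic: script registered for autorun", key, name, data))
    return findings


if __name__ == "__main__":
    for label, key, name, data in audit(parse_reg(SAMPLE_REG)):
        print(f"{label}: [{key}] {name} = {data}")
```

The specific rules are brittle by design, since they mirror what the descriptions state; the last, generic rule is the one that still has value today, because a script file registered to start at boot is unusual on almost any workstation.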

Copyright © 2005 Virus-Database.com