Virus Database


I-Worm.Bagle.an

Description I-Worm.Bagle.an

This worm spreads via the Internet as an attachment to infected emails, and also via file-sharing networks.
It is almost identical to I-Worm.Bagle.al.
It is compressed using PEX; the compressed file is 18436 bytes in size, and the uncompressed file is 24068 bytes in size.

Propagation via email

Infected messages:

Message header:
photo

Message body:
photo
The message body appears as an HTML page.

Attachment name:
foto.zip
fotos.zip

Attachment contents:
fotofoto.html fotofotofoto1.exe
The first file contains Exploit.CodeBaseExec.
The second file contains TrojanDropper.Win32.Small.kv, which installs TrojanDownloader.Win32.Agent.cj on the victim machine. This program then downloads the main module of the worm.

Remote administration

The worm opens port 82 and listens for commands. This makes it possible for the author of the worm to download and launch files on the victim machine.

Other

File names, registry key values and the routines for propagating via file-sharing networks are identical to those of I-Worm.Bagle.al.
The worm is programmed to cease functioning and to delete itself after 2nd September 2004.


Antiscan.508

Description Antiscan.508

This is a dangerous, non-memory resident virus. It searches for *.G?? files and deletes them. It creates a C:SCAN.COM file, and writes itself into this file. Upon infection, it displays the following: "Shouldn't oughta be looking at nasty shit".

AntiSkola.2111

Description AntiSkola.2111

This is a dangerous memory-resident parasitic virus. It hooks INT 9 and INT 21h and writes itself to the end of COM and EXE files when they are executed. When infecting the COMMAND.COM file, the virus patches the file's code at a fixed offset and writes a JMP-Virus instruction there. This works only for some COMMAND.COM version(s) and corrupts COMMAND.COM from other DOS versions (including Win95).
On keystrokes (INT 9), depending on the system timer, the virus changes the data in the keyboard buffer. Depending on the system timer, the virus also stops the execution of the TURBO.EXE and TPX.EXE files. Also depending on the system time, the virus decrypts and displays the following message, plays a tune and halts the computer:
Dobry den,predstavuje se Vam virus AntiSkola.Tento virus byl napsan
pro demonstraci idealniho preziti viru ve skolnim prostredi.Doufam,
ze se Vam bude libit.
Moje podekovani patri zejmena :
Firme Borland International Inc. za TurboAssembler a TurboDebugger
Skole za to,ze mi umoznila nerusene programovat
Firme Microsoft za "operacni system" MS-DOS,ktery byl koncipovan
primo pro viry.Na prikladu WINDOWS 95 je jasne videt,ze se stale
teto filozofie nevzavaji.Mozna by si meli neco precist o
protected modu a preemtivnim multitaskingu.
At zije SOSE v Brne na Obranske !!





    Copyright © 2005 Virus-Database.com