Virus Database


I-Worm.Bagle.as

Description I-Worm.Bagle.as

This worm spreads via the Internet as an attachment to infected messages. It sends itself to all email addresses harvested from the victim computer. It contains a backdoor function.
The worm itself is a PE EXE file, 18758 bytes or greater in size.
Installation
Once launched, the worm copies itself to the Windows system directory under the following names:
Example:
C:\WINDOWS\SYSTEM32\bawindo.exe
C:\WINDOWS\SYSTEM32\bawindo.exeopen
C:\WINDOWS\SYSTEM32\bawindo.exeopenopen
It then registers the .exe copy in the system registry autorun key:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
bawindo = %System%\bawindo.exe
This ensures that the worm is launched each time the system is rebooted.
Propagation via email
The worm searches for files with the following extensions:
adb
asp
cfg
cgi
dbx
dhtm
eml
htm
jsp
mbx
mdx
mht
mmf
msg
nch
ods
oft
php
pl
sht
shtm
stm
tbb
txt
uin
wab
wsh
xls
xml


and sends itself to all email addresses harvested from these files. It establishes a direct connection to the recipient's SMTP server in order to send messages.
Infected messages:
Sender's address:
Random
Message header:
Re:
Re: Hello
Re: Hi
Re: Thank you!
Re: Thanks :)
Attachment name:
Joke
Price
price
with one of the following extensions:
com
cpl
exe
scr
Propagation via P2P
The worm creates copies of itself in all subdirectories which contain the word 'Share' in their names. The copies are saved under names chosen from the following list:
ACDSee 9.exe
Adobe Photoshop 9 full.exe
Ahead Nero 7.exe
Kaspersky Antivirus 5.0
KAV 5.0
Matrix 3 Revolution English Subtitles.exe
Microsoft Office 2003 Crack, Working!.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Opera 8 New!.exe
Porno pics arhive, xxx.exe
Porno Screensaver.scr
Porno, sex, oral, anal cool, awesome!!.exe
Serials.txt.exe
WinAmp 5 Pro Keygen Crack Update.exe
WinAmp 6 New!.exe
Windown Longhorn Beta Leak.exe
Windows Sourcecode update.doc.exe
XXX hardcore images.exe
Remote administration
The worm listens on TCP and UDP port 81 and monitors activity on this port in order to receive commands.


BachKhoa.4426

Description BachKhoa.4426

This is a very dangerous memory resident encrypted parasitic virus. It uses anti-debugging tricks in its code. When an infected file is executed, the virus hooks INT 21h, stays memory resident and then writes itself to the end of COM and EXE files that are accessed.
The virus deletes the following anti-virus checksum and other data files: CHKLIST.MS, CHKLIST.CPS, FILESIGN.SAV, FILE_ID.DIZ. On November 25 it also erases hard drive sectors. It contains the text strings:
Ha Noi University of technology
Your PC was infected by BACH KHOA virus version 2.5

Backdoor.Afcore.q

Description Backdoor.Afcore.q
Afcore is a backdoor Trojan program that takes the form of a Windows DLL file (.dll) about 110KB in size. The Trojan has numerous functions that give 'evildoers' almost full control of the victim computer.
Infected message body text contains the following:
If you read this, then this program was probably stolen from our laboratory. Author of this software is not responsible for any harm that may be caused by incompetent or malicious persons who use this software possibly running on your machine. Therefore, please remove this software as soon as possible. Click the "Start" menu, select "Run", enter there: rundll32 ,Uninstall and click "OK"
When launched (executed), the backdoor installs itself into an NTFS alternate data stream attached to the system32 directory.
The backdoor registers itself in the system registry autorun key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
(assigned name) = rundll32 (path to the backdoor program),(options)

The file name is formed from a combination of arbitrary symbols.
The backdoor program accepts the following options (the entry-point name passed to rundll32 after the comma):
DebugBreakpoint
DebugInit
Init
InitService
SpawnedInit
Uninstall

To remotely uninstall itself from victim machines the backdoor uses the following command:
rundll32 DRIVE:\%windir%\system32:(name of the backdoor .dll file),Uninstall

When the uninstall command is sent, the Afcore backdoor removes its entry from the system registry, so it is no longer started automatically; the file itself, however, remains in the alternate data stream. Removing the Afcore backdoor from the file stream requires a special utility.
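The two persistence mechanisms described on this page (Bagle.as registering a dropped bawindo.exe in the Run key, and Afcore.q launching a DLL from an NTFS alternate data stream on the system32 directory via rundll32) can be checked for in an exported list of Run-key values. The following triage script is an added example, not code from this site or from either malware family; the Run-key entries it scans and the Afcore DLL name `xk3f.dll` are constructed sample data, since the real name is random.

```python
import re

# Indicators taken from the descriptions above: Bagle.as drops these file names
# into the system directory, Afcore.q is loaded by rundll32 from an ADS.
BAGLE_FILES = {"bawindo.exe", "bawindo.exeopen", "bawindo.exeopenopen"}
RUNDLL_RE = re.compile(
    r"^\s*rundll32(?:\.exe)?\s+(?P<dll>[^,]+?)\s*,\s*(?P<entry>\S+)", re.I)

# Constructed sample of Run-key value names -> command strings (not real data).
SAMPLE_RUN_ENTRIES = {
    "bawindo": r"%System%\bawindo.exe",
    "qz81kd": r"rundll32 C:\WINDOWS\system32:xk3f.dll,Init",
    "Updater": r'"C:\Program Files\Vendor\updater.exe" /background',
    "Helper": r"rundll32 C:\WINDOWS\system32\shell32.dll,Control_RunDLL",
}

def ads_stream(path):
    """Return (host_object, stream_name) if a Windows path names an NTFS
    alternate data stream, i.e. contains ':' after the optional drive letter;
    otherwise return None. Works on environment-variable paths too."""
    drive = path[:2] if re.match(r"^[A-Za-z]:", path) else ""
    body = path[len(drive):]
    if ":" not in body:
        return None
    host, stream = body.split(":", 1)
    return drive + host, stream

def parse_rundll32(cmd):
    """Split a 'rundll32 <dll>,<entry>' command into (dll, entry) or None."""
    m = RUNDLL_RE.match(cmd)
    return (m["dll"], m["entry"]) if m else None

def triage_run_entries(entries):
    """Return a list of (value_name, reason) for suspicious Run-key entries."""
    findings = []
    for name, cmd in entries.items():
        parsed = parse_rundll32(cmd)
        if parsed:
            ads = ads_stream(parsed[0])
            if ads:  # DLL loaded from an alternate data stream (Afcore.q style)
                findings.append((name, "rundll32 loads %s from ADS on %s" % (ads[1], ads[0])))
        # Basename of the executed file; quotes and forward slashes normalised.
        base = cmd.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base in BAGLE_FILES:
            findings.append((name, "Bagle.as dropper name %s" % base))
    return findings

if __name__ == "__main__":
    for name, reason in triage_run_entries(SAMPLE_RUN_ENTRIES):
        print("%-10s %s" % (name, reason))
```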

    Copyright © 2005 Virus-Database.com