Virus Database


I-Worm.Bagle.b

Description I-Worm.Bagle.b
This worm spreads via the Internet in the form of an attachment to infected emails.
The worm itself is a PE EXE file of approximately 11KB, compressed using UPX. The size of the decompressed file is approximately 16KB.
Characteristics of infected messages:
Message header:
ID xall thanks
with x being a string of random characters.
Message body:
Yours ID x
--
Thank
with x being a string of random characters.
Attachment:
The attachment has a random name, with a file size of 11KB.
Installation
Once launched, the worm copies itself to the Windows system directory under the name 'au.exe' and registers this file in the system registry auto-run key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"au.exe" = "%system%\au.exe"
Also creates the following registry key:
[HKCU\SOFTWARE\Windows2000]
and saves its variables there.
The worm attempts to connect to a number of remote sites, all of which are in some way connected with the Trojan proxy server TrojanProxy.Win32.Mitglieder.
On launching, the worm launches the Sound Recorder utility (sndrec32.exe).
Propagation
The worm searches for files with the following extensions: wab, txt, htm, html, and sends itself to all email addresses found in these files. The worm uses its own SMTP engine to send email.
Remote administration
The worm opens and monitors port 8866. Through this backdoor a remote operator can execute commands and download files onto the victim computer.
Other
The worm is programmed to stop propagating after 25th February 2004.
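The installation and remote-administration traits above translate directly into host indicators a responder can check for: the 'au.exe' value under the Run key, the HKCU\SOFTWARE\Windows2000 configuration key, and a listener on port 8866. The script below is an added example, not part of the original database entry; it runs that check over constructed registry and netstat-style snapshots (sample data, not real system output) and assumes the 8866 port is a TCP listener.

```python
"""Host indicator check for the I-Worm.Bagle.b traits listed in the entry.

Added example with constructed sample data: SAMPLE_REGISTRY and
SAMPLE_NETSTAT are made-up snapshots, not output from an infected host.
"""
import re

# Indicators taken from the description: auto-run value, marker key, backdoor port.
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
MARKER_KEY = r"HKCU\SOFTWARE\Windows2000"
BACKDOOR_PORT = 8866  # assumed TCP


def check_registry(entries):
    """entries: iterable of (key, value_name, data); matching is case-insensitive."""
    findings = []
    for key, name, data in entries:
        if (key.lower() == RUN_KEY.lower()
                and name.lower() == "au.exe"
                and data.lower().endswith("\\au.exe")):
            findings.append(f"auto-run value {name} -> {data}")
        if key.lower().startswith(MARKER_KEY.lower()):
            findings.append(f"worm configuration key present: {key}")
    return findings


# Matches lines in the shape of 'netstat -an' output: proto, local addr:port, remote, state.
NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING", re.IGNORECASE)


def check_listeners(netstat_lines):
    """Flag any TCP socket listening on the backdoor port."""
    findings = []
    for line in netstat_lines:
        m = NETSTAT_RE.match(line)
        if m and int(m.group(2)) == BACKDOOR_PORT:
            findings.append(f"listener on TCP {BACKDOOR_PORT} ({m.group(1)})")
    return findings


# Constructed sample snapshots (not real system output).
SAMPLE_REGISTRY = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "ctfmon.exe",
     r"C:\WINDOWS\system32\ctfmon.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "au.exe",
     r"C:\WINDOWS\system32\au.exe"),
    (r"HKCU\SOFTWARE\Windows2000", "uid", "1234"),
]
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING",
    "  TCP    0.0.0.0:8866           0.0.0.0:0              LISTENING",
    "  TCP    192.168.1.5:1045       203.0.113.9:25         ESTABLISHED",
]


def scan(registry=SAMPLE_REGISTRY, netstat=SAMPLE_NETSTAT):
    """Return every indicator hit from both snapshots."""
    return check_registry(registry) + check_listeners(netstat)


if __name__ == "__main__":
    for finding in scan():
        print("[!]", finding)
```

On a live host the two snapshot lists would be replaced by an export of the Run key and the output of `netstat -an`; the matching logic stays the same. A hit on the 8866 listener alone is weak evidence (any service may use that port), so the registry indicators are the ones to act on.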


Andromeda

Description Andromeda

These are dangerous memory resident parasitic viruses. They hook INT 21h and write themselves to the end of COM (except COMMAND.COM) and EXE files. In some cases they erase the disk sectors. The viruses contain the text strings:
"ANDROMEDA.758": [ANDROMEDA V1.1] BUDAPEST HUNGARY
"ANDROMEDA.800": ANDROMEDA*ICE*BUDAPEST
"ANDROMEDA.1024.a": AXE
"ANDROMEDA.1024.b": ANDROMEDA V3.0 BUDAPEST (Szegedi Imrének:
Ha mi nem lennénk, miböl élnél?)
"ANDROMEDA.1024.c": ANDROMEDA V3.0
"ANDROMEDA.1536.a": ROF OKI OOT CAN AND RBOGEMAND
"ANDROMEDA.1536.b": ROF OKI OOT CAN AND RBO GEM
ANDROMEDA V3.2 HUNGARY
"Plus.1337": ANDROMEDA/plus BUDAPEST 1991

ANDROMEDA.725,758
These viruses write themselves to the end of .COM files. They search for files to infect whenever any program is executed. While infecting, these viruses use the FCB Read/Write functions.
"ANDROMEDA.725" also hooks INT 9. Some time after installation it reboots the computer.
On October 5th "ANDROMEDA.758" erases the FAT of the A: drive.
ANDROMEDA.800
Depending on the system date it hooks INT 1Ch. Some time afterwards it displays random data and halts the PC.
ANDROMEDA.1024.a
It also hooks INT 09h. On execution of any file this virus searches for the first .EXE file of the current directory and writes itself to the end of the file. Depending on its internal counter this virus reboots the computer.
ANDROMEDA.1536.a,b
Sometimes they also hook INT 9h and some time after that reboot the computer. They contain the code of the disk-erasing routine, but in "ANDROMEDA.1536.b" that routine never receives control.
ANDROMEDA.Plus
It also hooks INT 13h, and when the boot sectors of floppy disks or the MBR of the hard drive are read, it places the image of the boot virus "Stoned" into the data buffer. As a result: 1) anti-virus scanners detect this virus on disks but fail to disinfect it, because no "Stoned" virus is actually present; 2) backup copies will contain infected disk images, and when a disk is restored from backup the virus will be written to the real disk sector; 3) when copying sector-to-sector (with DISKCOPY, for example) the virus will infect the destination disk.

Andromeda.1140

Description Andromeda.1140

It is a dangerous non-memory-resident encrypted parasitic virus. It searches for .COM files (except COMMAND.COM) and writes itself to the beginning of the file. It contains the internal text strings:
-< The Andromeda Strain >- Version 1.00 By : Crypt Keeper
Mission Completeall Have fun with your virus(es)
ANDROM.SEC *.COM
RUNME.COM COMMAND.COM
SCAN.EXE CLEAN.EXE NAV.EXE NAV_._NO

The first and second strings are displayed when the virus creates the file RUNME.COM and executes it; the last string contains the names of the files that the virus deletes when it is executed.

    Copyright © 2005 Virus-Database.com