I-Worm.Beglur.b
Description
This is a worm which spreads via the Internet and local networks as an attachment to infected emails. The worm itself is a Windows PE EXE file of approximately 20KB. The file is compressed using UPX and Yoda, and the uncompressed size is approximately 35KB. It is written in Visual C++.
The worm has the following 'copyright' text string: W32.Narita
Infected messages will contain text in the message fields which is randomly selected from the following:
From:
Microsoft support@microsoft.com
Terrorist George W. Bush president@whitehouse.gov
Terrorist Ariel Sharon pm_eng@pmo.gov.il
careless ch@care.net
media Rumsfeld rumsfeld@pentagon.net
Maybank security@maybank2u.com
condemn fool@first.gov
Bin Laden osama@fbi.gov
BushScare president@white.gov
Subject: Hi! Bad news! Free porn! Report! Hack me! Bussiness News! Warning! hello Buy 1 Free 2 Need help! plz! Re: great! you are! Your resume Update Spend Money Too easy oh wow nice job! High security Command line Create own disk keep the File Help Section Unknown Header Possible Word My Webs Protokol Compress Sample Sensitive Name Deliver System Error microsoft installer personal info sample music internet proxy
Message body:
check your attachment now!
(empty)
Hey! It's that what you want! I hope so! Check the file first then reply back if you have problem! Alex Pravoks
For the truth of love! I have suprise to you! Please baby forgive me! Ronn Elika
Oh my god! It's that you! Helo! Helo! So, this is gift for christmas day! Orlian Jieg
Hello friend, I have a problem here. I have encrypt the file that contain my message problem. The password is 'helpx'. Plz reply back!
A message you have received has been converte to an attachment. I sorry cause that problem.
The name of the attached file is also randomly selected, and will have one of the following extensions: .scr .pif .exe .com .bat
The worm exploits the 'IFRAME' vulnerability to launch itself from infected messages.
Installation
The worm copies itself to the Windows system directory under a random name and registers the file for auto-run in the 'shell' key of the [boot] section of SYSTEM.INI.
Distribution via email
To get victim email addresses the worm scans files with the following extensions: .TXT .MHT .HTM .HTML .EML .JSE .ASP .DBX .MBX .MMF .TBB .NCH .ODS .VCF .WAB
To send infected messages the worm uses a built-in SMTP engine.
Distribution via networks
The worm copies itself to shared network drives and to all logical drives under a random name, or named 'setup' or 'installer', with one of the following extensions: .scr .pif .exe .com .bat
Other
The worm contains a backdoor routine which allows a remote attacker to create, delete and rename files and directories, and to execute commands on affected machines. The worm also attempts to terminate several anti-virus and firewall programs.
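A defender-side check for the SYSTEM.INI persistence described under Installation, as an added example that is not part of the original description: it parses the text of a SYSTEM.INI file and reports anything in the [boot] 'shell' value other than Explorer.exe. The function name, the sample file contents (including the file name qzxkvb.scr) and the assumption that a clean system carries shell=Explorer.exe alone are constructed for illustration.

```python
import ntpath

# Extensions the description lists for the worm's dropped copies.
SUSPECT_EXTS = {".scr", ".pif", ".exe", ".com", ".bat"}
# Assumption: a stock Windows 9x SYSTEM.INI carries only Explorer.exe here.
EXPECTED_SHELL = "explorer.exe"


def audit_boot_shell(ini_text):
    """Return a list of findings for the [boot] shell= value of SYSTEM.INI."""
    section, shell_values = None, []
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if sep and section == "boot" and key.strip().lower() == "shell":
            shell_values.append(value.strip())

    if not shell_values:
        return ["no shell= entry in [boot]"]
    findings = []
    if len(shell_values) > 1:
        findings.append("multiple shell= lines in [boot]")
    for value in shell_values:
        # Limitation: tokens are split on whitespace, so paths with spaces
        # are reported in pieces (still reported, never silently accepted).
        for token in value.replace(",", " ").split():
            name = ntpath.basename(token.strip('"')).lower()
            if name == EXPECTED_SHELL:
                continue
            ext = ntpath.splitext(name)[1]
            kind = "executable" if ext in SUSPECT_EXTS else "unexpected entry"
            findings.append(f"{kind} in shell=: {token}")
    return findings


# Constructed sample inputs (not taken from an infected machine).
CLEAN = "[boot]\nshell=Explorer.exe\nsystem.drv=system.drv\n"
TAMPERED = ("; constructed sample\n[Boot]\n"
            "Shell=Explorer.exe C:\\WINDOWS\\SYSTEM\\qzxkvb.scr\n"
            "[386Enh]\nshell=ignored.exe\n")

if __name__ == "__main__":
    for label, text in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(label, audit_boot_shell(text) or "ok")
```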
Natas.4774
Description
This is a dangerous memory-resident, multipartite, polymorphic virus. It hooks INT 13h and INT 21h and writes itself into the MBR of the hard drive, the boot sectors of floppy disks, and the end of COM and EXE files that are accessed. It does not infect files that are opened by the PKZIP/PKUNZIP, LHA and ARJ archivers. Depending on its internal counters, the virus formats disk sectors. It contains the internal text strings: BACK MODEM
Time has come to pay (c)1994 NEVER-1
Natas.4988
Description
This is a dangerous memory-resident, multipartite, polymorphic virus. It hooks INT 13h and INT 21h and writes itself into the MBR of the hard drive, the boot sectors of floppy disks, and the end of COM and EXE files that are accessed. It does not infect files that are opened by the PKZIP/PKUNZIP, LHA and ARJ archivers. Depending on its internal counters, the virus formats disk sectors. It contains the internal text strings: BACK MODEM
Yes I know my enemies They're the teatchers who taught me to fight me Compromise, conformity, assimilation, submission Ignorance, hypocrisy, brutality, the elite All of whitch are American dreams (c) 1994 by Never-1(Belgium Most Hated) Sandrine B.