Virus Database


I-Worm.Chet.a

Description I-Worm.Chet.a

This is a worm that spreads via the Internet as an attachment to infected emails. The worm itself is a Windows PE EXE file about 27Kb in length, written in Microsoft Visual C++.
The infected messages have the following fields:
From: main@world.com
To: You
Subject: All people!!
Attach: 11september.exe
Body:

The worm activates from an infected email only if a user clicks on the attached file. The worm then installs itself on the system and runs its spreading routine.
Installing
While installing, the worm copies itself to the Windows system directory under the name "synchost1.exe" and registers that file in the system registry auto-run key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run ICQ1 = %SystemDir%\synchost1.exe
The original file is then deleted.
Spreading
To obtain victim email addresses, the worm connects to MS Outlook and sends messages to all addresses found in the Outlook address book. It also accesses WAB file(s) and reads victim email addresses from there.
To send infected messages, the worm uses a direct connection to the SMTP server "mail.ru".
Other
The worm also sends two notification messages to its "master". One notification is sent before spreading (see above), and the second is sent just after the spreading routine. These two messages are sent to three addresses:
connectionICQ@mail.ru
Icq_Premium@mail.ru
PremiumServ@mail.ru
They have the following subjects:
message1: Otchet from user
message2: Otchet2 from user
The message body contains the list of victim emails and the full name of the worm's EXE file.


PolyEngine.DOS.DSME.10.poly

Description PolyEngine.DOS.DSME.10.poly

DSME (Dark Slayer's Mutating Engine) is a polymorphic generator. It creates a decryption routine and encrypts the virus body; the virus then saves this code in the file being infected.
This generator contains the string:
DSME v1.0

PolyEngine.DOS.TPE

Description PolyEngine.DOS.TPE
This is a benign, memory-resident, stealth, polymorphic, parasitic TPE-based virus. It hooks INT 21h and writes itself to the end of accessed COM and EXE files. It contains the text strings:
This is KELA-17 version virus.
KELA-17 very nice virus . Ha Ha HaHa
KELA - 17. Copyright (c) 1994 by KELA. All Rights Reserved.

It also contains text strings in Russian. On Friday the 13th, it displays a video effect.





    Copyright © 2005 Virus-Database.com