I-Worm.Cult
Description I-Worm.Cult
This is a worm spreading via the Internet as an attachment to infected e-mails and through the Kazaa file-sharing network. The worm also has a backdoor component. The worm itself is a Windows PE EXE file about 13 KB in length (compressed with FSG).

Installing
While installing, the worm copies itself to the Windows system directory under the name "winupdate.exe" and registers that file in the system registry auto-run keys:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Microsoft auto update = winupdate.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft auto update = winupdate.exe

The worm also creates a system registry key and keeps its internal data there:

HKLM\SOFTWARE\Microsoft\WDXDriver
stv1=
stv2=
stv3=
stv4=
xdvd=

The worm then displays a fake error message:

Application Error
The instruction at 0x776456de referenced memory at 0x623525dg3. The memory could not be read.
Click on OK to terminate the application
Spreading: E-mail
The infected messages have the following fields:

Subject:
Hi, I sent you an eCard from BlueMountain.com

Message body:
To view your eCard, open the attachment
If you have any comments or questions, please visit http://www.bluemountain.com/customer/index.pd
Thanks for using BlueMountain.com.

Attached file name:
BlueMountaineCard.pif
The worm activates from an infected e-mail only if the user opens the attached file; a .pif attachment is run as a program by Windows, so opening it is enough. The worm then installs itself in the system and runs its spreading routines.

Spreading: Kazaa
The worm creates a subdirectory named "Kazaa" in the Windows system directory and copies itself there under the names:
"SMS_sender.exe"
"DivX 5.03 Codecs.exe"
"Download accelarator.exe"
"PaintShop Pro 7 Crack_By_Force.exe"
"ZoneAlarm Pro KeyGen.exe"
The "Kazaa" directory is then registered as a Kazaa shared folder, so the lure files are offered to other Kazaa users.

The Backdoor Routine
The backdoor routine connects to an IRC channel, listens for commands from its "master" and performs several actions on the "master"'s request:
- reports system information
- downloads a file from a URL
- runs files
- etc.
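The artifacts above (the two auto-run values, the WDXDriver data key, the lure file names in the Kazaa folder and the e-mail lure) can be checked offline from a registry export, a directory listing and message headers. The following is an added example, not code from the original description: the .reg parser, the sample registry export, the sample directory listing and the generic "bare file name in an auto-run value" heuristic are this example's own constructions and assumptions. The generic check goes slightly beyond the worm itself: any Run/RunOnce value whose data is a file name without a path (like "winupdate.exe") is resolved through the normal search path, which is exactly how this worm gets its copy in the system directory started.

```python
"""Offline checks for the I-Worm.Cult artifacts described above.
Added example; the parser, sample data and the bare-name heuristic are assumptions."""
import re
from typing import Dict, List

# Artifacts taken from the description above.
AUTORUN_KEYS = (
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)
AUTORUN_VALUE, AUTORUN_DATA = "Microsoft auto update", "winupdate.exe"
DATA_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WDXDriver"
KAZAA_LURES = {"sms_sender.exe", "divx 5.03 codecs.exe", "download accelarator.exe",
               "paintshop pro 7 crack_by_force.exe", "zonealarm pro keygen.exe"}
MAIL_SUBJECT = "Hi, I sent you an eCard from BlueMountain.com"
MAIL_ATTACHMENT = "BlueMountaineCard.pif"

# Constructed sample: a .reg export as written by `reg export`, with one benign entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Microsoft auto update"="winupdate.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Microsoft auto update"="winupdate.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WDXDriver]
"stv1"=""
"xdvd"=""
'''

# Constructed sample: subdirectory name -> file names under the Windows system directory.
SAMPLE_SYSTEM_DIR = {"Kazaa": ["SMS_sender.exe", "ZoneAlarm Pro KeyGen.exe", "notes.txt"],
                     "drivers": ["etc"]}


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for REG_SZ values in a .reg export: {key: {value name: data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = re.match(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:  # .reg doubles backslashes inside string data; undo that
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def registry_findings(reg: Dict[str, Dict[str, str]]) -> List[str]:
    """Specific Cult matches plus the generic bare-file-name auto-run check."""
    out = []
    for key in AUTORUN_KEYS:
        for name, data in reg.get(key, {}).items():
            if name == AUTORUN_VALUE and data.lower() == AUTORUN_DATA:
                out.append(f"cult autorun: {key}\\{name} = {data}")
            elif "\\" not in data:  # no path: resolved via the search path at logon
                out.append(f"bare autorun name: {key}\\{name} = {data}")
    if DATA_KEY in reg:
        out.append(f"cult data key: {DATA_KEY} ({', '.join(sorted(reg[DATA_KEY]))})")
    return out


def kazaa_findings(system_dir: Dict[str, List[str]]) -> List[str]:
    """Lure file names inside a 'Kazaa' subdirectory of the system directory."""
    hits = []
    for sub, files in system_dir.items():
        if sub.lower() == "kazaa":
            hits += [f"{sub}\\{f}" for f in files if f.lower() in KAZAA_LURES]
    return hits


def is_cult_mail(subject: str, attachment_names: List[str]) -> bool:
    """Mail-gateway rule: the exact lure subject together with the .pif attachment."""
    return subject.strip() == MAIL_SUBJECT and any(
        a.lower() == MAIL_ATTACHMENT.lower() for a in attachment_names)


if __name__ == "__main__":
    for line in registry_findings(parse_reg(SAMPLE_REG)) + kazaa_findings(SAMPLE_SYSTEM_DIR):
        print(line)
    print("mail lure:", is_cult_mail(MAIL_SUBJECT, [MAIL_ATTACHMENT]))
```

On a live machine the same checks would be run against `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` output and a listing of `%SystemRoot%\system32\Kazaa`; the value name "Microsoft auto update" and the WDXDriver key are the high-confidence indicators, while the bare-file-name check will also surface other software and needs review.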
Malaga.2385
Description Malaga.2385
This is a harmless memory-resident multipartite virus. It hooks INT 8, 13h and 21h and writes itself to the end of COM and EXE files, except COMMAND.COM. The virus also infects the boot sector of floppy disks as well as of the C: drive; it writes the original boot sector and the rest of the virus code to the last sectors of the drive. The virus decrypts and displays the texts:
HB=ETA=ASESINOS PENA DE MUERTE AL TERRORISMOKI VIVA ESPA
(Spanish, roughly: "ETA = murderers, death penalty for terrorism, long live Spain")
It also contains the text:
*.EXE *.COM COMMAND.COM
Malatinec family
Description Malatinec family
These are dangerous parasitic encrypted viruses. They write themselves to the end of COM and EXE files. "Malatinec.1554" is a non-memory-resident virus: it searches for COM and EXE files and infects them. "Malatinec.2367" is memory resident and hooks INT 21h; on the DOS Load&Execute call it searches for executable files and infects them. "Malatinec.3737" is also memory resident and infects files as they are executed.

While infecting, the viruses rename the target file:
"Malatinec.1554": FileName.M03
"Malatinec.2367": FileName.M04
then infect it and rename it back to its original name (a trick that sidesteps resident monitors which only watch writes to .COM and .EXE files).

The viruses do not infect files whose names match the following strings (mostly names of anti-virus programs and system utilities):
"Malatinec.1554": AVG AVP CLEAN GUARD IV NAV NOD SCAN TB VIRSTOP WEB HIEW
"Malatinec.2367": ADINF AVG AVP CLEAN DRWEB F- FINDVIRU FV GUARD IBMAV IV NAV NOD SCAN TB TOOLKIT VIRSTOP VIVERIFY WEB HIEW
"Malatinec.3737": COMMAND AFD CHKDSK DOS4G HIEW KRNL SCANDISK WIN ADINF AIDS ANTI ASTA AUTHOR AVAST AVG AVP AVSCAN BAIT CERT CLEAN CPAV CRC DRWEB F- FINDVIR FV86 FV386 GOAT GUARD IBMAV ICE IV MKS MSAV NAV NOD PAS QCV QMS SCAN TB TKUTIL TOOLKIT V- VAC VDS VIR VIVERIFY VPCSCAN WEB

The viruses delete the following files (mostly checksum databases of integrity checkers, so that the changed executables are not reported):
"Malatinec.1554": ANTI-VIR.DAT AVP.CRC CHKLIST.CPS CHKLIST.MS IVB.NTZ SMARTCHK.CPS
"Malatinec.2367": ANTI-VIR.DAT AVP.CRC CHKLIST.CPS CHKLIST.MS CHKLIST.TAV FINGERP.VVF FSIZES.QCV IVB.NTZ NAV_._NO SMARTCHK.CPS _CHK.CHK
"Malatinec.3737": ADINF-?-all. ANTI-VIR.DAT AVG.GRS AVP.CRC CHKLIST.CPS CHKLIST.MS CHKLIST.TAV CRCHECK.TXT FINGERP.VVF FSIZES.QCV ICE_?.CRC IM.PRM IVB.NTZ MSAV.CHK NAV_._NO NODEX_?.DAT SMARTCHK.CPS _CHK.CHK

The viruses also contain the text strings:
"Malatinec.1554": Virus Malatinec v0.3 Note: this is evolutionary (beta) version only. Be Happy! PATH=*.* COMEXEM03
"Malatinec.2367": Virus Malatinec v.0..W_Nreated by Aladiah Greet: all my friends in Slovakia; G722,E10,H723,H118 & all H4?? (sch.yr.95/96) & of coz i send a big fuck 2 big boxer V.M. Note: this is last evolutionary ( ) version. Don't Worry! Watch out
"Malatinec.3737": [Malatinec] by Aladiah (C) 4/97 (followed by non-printable characters)

Depending on the system time, "Malatinec.3737" also displays one of the following messages:
Ked sa budes dobre ucit, dcerenka, stanes sa manekynkou. (Slovak: "If you study well, little daughter, you will become a fashion model.")
Don't dread! I'm friendly ghost :)
Critical Error - Use (MC) Hammer.
REALITY.SYS corrupted - reboot Universe ? [Y,n]
I'm INside. (what's about your heuristic?)
Memory failed. Use paper.
Attention. High voltage on keyboard!
Prosím Vás, Zastavte HZDS ! (Slovak: "Please, stop HZDS!")
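Two of the Malatinec tricks described above, skipping files whose names match an anti-virus list and deleting the integrity checkers' databases, are easiest to understand by watching them defeat a simple checksum-based integrity checker. The following is an added example, not code from the original description or from the viruses: it builds a toy checker, "infects" harmless dummy files in a throwaway temporary directory by appending a marker (standing in for "writes itself to the end of COM and EXE files"), then deletes the database files listed for Malatinec.1554 and checks again. Treating the exclusion strings as file-name prefixes, and the JSON database format, are this example's own assumptions.

```python
"""Toy integrity checker versus the Malatinec.1554 tricks described above.
Added example; the prefix rule and the database format are assumptions."""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Strings from the description above; treated as file-name prefixes (assumption).
SKIP_1554 = ("AVG", "AVP", "CLEAN", "GUARD", "IV", "NAV", "NOD",
             "SCAN", "TB", "VIRSTOP", "WEB", "HIEW")
# Files Malatinec.1554 deletes, from the description above.
DELETE_1554 = ("ANTI-VIR.DAT", "AVP.CRC", "CHKLIST.CPS",
               "CHKLIST.MS", "IVB.NTZ", "SMARTCHK.CPS")
DB_NAME = "CHKLIST.MS"        # our toy checker stores its baseline in one of those files
MARKER = b"[MALATINEC-SIM]"   # harmless stand-in for the appended virus body


def is_target(name: str, skip=SKIP_1554) -> bool:
    """Would Malatinec.1554 infect this file? COM/EXE only, AV-named files excluded."""
    stem, _, ext = name.upper().rpartition(".")
    if ext not in ("COM", "EXE"):
        return False
    return not any(stem.startswith(p) for p in skip)


def build_db(folder: Path) -> Dict[str, list]:
    """Integrity checker baseline: size and SHA-256 of every COM/EXE file."""
    return {p.name: [p.stat().st_size, hashlib.sha256(p.read_bytes()).hexdigest()]
            for p in sorted(folder.iterdir()) if p.suffix.upper() in (".COM", ".EXE")}


def verify(folder: Path) -> Optional[List[str]]:
    """Names of changed or new executables, or None when the baseline is missing."""
    db_file = folder / DB_NAME
    if not db_file.exists():
        return None
    old = json.loads(db_file.read_text())
    return sorted(n for n, rec in build_db(folder).items() if old.get(n) != rec)


def simulate() -> dict:
    """Run the whole scenario on constructed dummy files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        # Constructed dummy "executables" (a few bytes, not real programs) and a text file.
        samples = {"GAME.COM": b"\xb8\x00\x4c\xcd\x21", "EDIT.EXE": b"MZ" + b"\0" * 30,
                   "SCAN.EXE": b"MZ" + b"\0" * 30, "README.TXT": b"hello"}
        for name, body in samples.items():
            (d / name).write_bytes(body)
        (d / DB_NAME).write_text(json.dumps(build_db(d)))      # checker baseline

        infected = [n for n in sorted(samples) if is_target(n)]  # SCAN.EXE is skipped
        for n in infected:
            with open(d / n, "ab") as f:
                f.write(MARKER)                                  # append to the file
        detected = verify(d)                                     # baseline still present

        for n in DELETE_1554:                                    # the virus's cleanup step
            (d / n).unlink(missing_ok=True)
        after_delete = verify(d)                                 # nothing left to compare
        return {"infected": infected, "detected": detected, "after_delete": after_delete}


if __name__ == "__main__":
    print(simulate())
```

The run shows the point of the two tricks: GAME.COM and EDIT.EXE change and are reported while CHKLIST.MS exists, SCAN.EXE is never touched (so a scanner's own file keeps its checksum and its self-check passes), and once the database is gone the checker has no baseline and reports nothing. The practical defence is to keep integrity baselines on write-protected or off-host storage rather than as deletable files next to the executables.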