Virus Database

I-Worm.Dumaru.j

Description I-Worm.Dumaru.j
This worm is part of the Dumaru family, which spreads via the Internet as files attached to infected messages. The worm includes a backdoor function and a Trojan program which enables it to steal information. The worm is a Windows PE EXE file, compressed using FSG. The compressed file is approximately 17KB in size, and the decompressed file approximately 43 KB in size.
Installation
When installing, the worm copies itself to the Windows system directory under the names l32.exe and vxd32.exe, and to the startup directory under the name dllxw.exe.
It registers itself in the system register as a key to enable autorun:
HKLMSoftwareMicrosoftWindowsCurrentVersionRun
load32 = %windir%\%system%l32x.exe
On computers running under Windows 95,98 and ME, the worm changes a section in the system.ini file
[boot]
shell=explorer.exe %System%vxd32v.exe
Mailing of messages
The worm searches all directories on accessible local disks for files with the extensions: .htm, .wab, .html, .dbx, .tbb, .abd, highlights lines which are email addresses and then sends infected messages to these address. To do this, the worm creates a Zip archive (zip.tmp) in the Windows temporary directory, which will then be added to messages as an attachment.
The worm also creates a file called winload.log in the Windows directory, and writes all email addresses found, to which infected messages have been sent, to this file. Infected messages have the following characteristics:

Sender's address:
Elene F*****SUICIDE@HOTMAIL.COM
Message header:
Important information for you. Read it immediately !
Message body:
Hi !
Here is my photo, that you asked for yesterday.
Attachment:
myphoto.zip
In order to send messages, the worm uses its own SMTP engine, giving the return address as address@dyandex.ru. All notifications sent by mail scanners about the fact that the worm has been detected in messages will therefore be sent to this address.
Other
The worm opens port 10000 to receive commands for administration of the infected computer. The worm also has a keyboard logging function, and is able to save all information entered via the keyboard to a separate file.
Kaspersky Labs anti-virus databases have already been updated with protection against I-Worm.Dumaru.j.

Check other viruses! Be aware! Use Antiviral Software

Andryushka.3536

Description Andryushka.3536

These are very dangerous memory-resident polymorphic viruses. They affect COM- and EXE-files (excluding COMMAND.COM) whenever an infected file is started (search in directories). "Andryushka" also infect files from its TSR-copy (when the files are opened, run, renamed and so on). After getting infection from virus "Andryushka.3536" EXE-files are changed to COM-format (see the "VACSINA" viruses). The virus penetrates into the middle of a file. The part of the infected file where the virus has been written to is encrypted and placed at the end of the infected file.
The virus creates counters in the Boot-sectors of disks and depending on the counters values may corrupt some sectors on the disk C:. On doing this the virus plays a tune and displays the following text:
+-----------------------+
ƒ Hello!!! ƒ
ƒ My name is Andryushka ƒ
ƒ I come from Perm,USSR ƒ
+-----------------------+

The virus also contains the text: "insufficient memory". "Andryushka" works with interrupt handlers fairly well: it saves a part of the INT 25h handler in its own body and writes its code (call to INT 21h) into the emptied place. When INT 25h is called its handler is restored.

Andy.998

Description Andy.998

These are dangerous memory resident parasitic viruses. They hook INT 21h, 28h and infect COM files that are executed. The viruses have bugs and halt the system if there is no UMB memory. While infecting they write themselves to the end of the file. The viruses do not infect files immediately when they are executed, but delay it up to INT 28h call (DOS internal idle). So they infect files in the "background".
"Andy.998" also hooks INT 13h and on 15th of any month writes data to disk instead of reading. This definitely corrupts data on the disk. "Andy.1016.b" hooks INT 13h as well, but it disables writing to disks on any day, that corrupts data that is copied or modified. "Andy.1016.a" hooks INT 1Ch and depending on their internal counters changes color of the screen and disables keyboard.
The viruses contain the texts:
"Andy.998": ANDY-3
"Andy.1016.a": ANDY-1
"Andy.1016.b": ANDY-2

Home