Virus Database


I-Worm.Fintas

Description I-Worm.Fintas

This is a virus-worm that spreads via the Internet as a file attached to infected e-mail messages. The worm itself is a Windows PE EXE file about 36KB in length, written in Visual Basic (a compiled executable; the VBS files it drops are described below).
The worm activates from an infected e-mail only when the user opens the attached file. It then installs itself on the system and runs its spreading routine and payload.
Installing
While installing, the worm copies itself:
to the Windows directory, the Windows system directory and the root of drive C:, under the name `.EXE (the file name is a single backtick character followed by .EXE);
to the Windows TEMP directory, under a name that depends on the worm version:
FF8.EXE
FunnyFlash.EXE

The C:\`.EXE file is then registered in the system registry auto-run key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
723 = c:\`.exe
and in the [boot] section of the Windows SYSTEM.INI file, on the "shell=" auto-run line (Win9x runs every executable listed there at start-up).
Spreading
To send infected messages, the worm uses MS Outlook and sends a message to every address found in the Outlook address book.
Subject, body and attachment name differ between the known worm versions:

Subject: Microsoft Shockwave Flash Movie
Body: Check "Family.exe" then you could see Microsoft family's Shockwave Flash Movie
Attach: FamilyMovie.exe

Subject: CoolGame From %UserName%
Body: the cool game about Final Fantasy VIII :)
Attach: FF8.EXE

Subject: FunnyFlashMovie From %UserName%
Body: the flash movie,check it !:)
Attach: FunnyFlash.EXE

where %UserName% is the name of the affected machine.
Fintas.a
The first-known worm version, after e-mail spreading, deletes the following files in the Windows directory: REGEDIT.EXE, SYSTEM.INI, WIN.INI and COMMAND\EBD\io.sys, and then the files C:\IO.SYS and C:\NETWORK.LOG. It then copies itself to the J: network drive (if one exists).
The worm then creates and runs two VBS files, "c:\passwd.vbs" and "c:\leo.vbs", and displays a message box.

The LEO.VBS file looks for files with the extensions .html .htm .asp .php .dll .com .txt .doc .xls .exe and overwrites them with the text:
Hi! I am LEO
The PASSWD.VBS file looks for .PWL files (Windows 9x password-list files) and sends them to the "leotam888@china.com" e-mail address with the subject "mypasswd".
Payload - other versions
On the 23rd of any month, the worm runs its payload routine (which takes effect under Win9x systems only). It writes to the C:\MSDOS.SYS file an instruction that disables pausing and step-by-step tracing of the Windows boot process, so that the user cannot interrupt start-up, and then overwrites the C:\AUTOEXEC.BAT file with commands that format all drives from C: to Z: on the next reboot.
The worm then displays a message box.


I-Worm.Duksten.b

Description I-Worm.Duksten.b

Duksten.b (aka Protex) is a worm that spreads via the Internet as a ZIP file attached to infected e-mails. The worm itself is an encrypted Windows PE EXE file about 10KB in length. In infected messages the attached file is a ZIP archive named PROTECT.ZIP, which contains the worm copy ProTecT.exe.
The infected messages have an empty body and the following fields:
From:
Subject: ProTeccion TOTAL contra W32/Bugbear (30dias)
(Spanish: "TOTAL protection against W32/Bugbear (30 days)")
Attach: PROTECT.ZIP

The worm activates from an infected e-mail only if the user opens the attached file, which extracts the EXE file from the ZIP archive and runs it. The worm then installs itself on the system and runs its spreading routine and payload.
Installing
While installing, the worm copies itself to the Windows system directory under the name PrTecTor.exe and registers this file in the system registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
XRF = %SystemDir%\PrTecTor.exe

The worm then displays a "fake" message (in Spanish; translation below):
PrTecTor

Su Pc < -_NO_- > fue infectado por el W32/Bugbear

ProTecTor sera operativo durante 30dias pasado ese tiempo debera ReGistrar su copia siguiendo las instrucciones
att::staff

[ OK ]

(Translation: "Your PC < -_NO_- > was infected by W32/Bugbear. ProTecTor will be operational for 30 days; after that time you must register your copy by following the instructions. Regards, staff".)

"Regedit" stealth
This worm also copies itself to the Windows directory under the name regedit.exe, first backing up the original REGEDIT.EXE under the name m_regedit.exe.
When a user starts REGEDIT, the worm copy gets control, deletes the worm's "Run" key from the system registry, and then executes the original REGEDIT from the "m_regedit.exe" file. When REGEDIT exits, the worm re-installs itself (including the registry "Run" key).
As a result the worm hides its registry "Run" key whenever the REGEDIT utility is run. The trick only intercepts launches of the regedit.exe file name: any other registry viewer, and the backed-up m_regedit.exe itself, still shows the key.
Spreading
To obtain victim e-mail addresses the worm opens the WAB (Windows Address Book) database and reads addresses from it. To send infected messages the worm connects directly to the default SMTP server.
There are several bugs in the e-mail spreading routine, so the worm has problems sending itself through SMTP servers that properly enforce the e-mail and transfer standards (RFCs).
While sending infected emails the worm also creates the following files in the Windows system directory:
m_WAB.XRF - this file contains victim email(s)
m_Base64.xrf - worm's ZIP file in MIME form
m_prgrm.zip - worm's ZIP file

When storing itself in the ZIP archive the worm uses the "stored" compression method (method 0, i.e. no compression), so the worm body sits verbatim inside the archive.
Payload
Starting from January 1st, 2003, the worm reboots infected machines.
Removal
Run the "m_regedit.exe" file from the Windows directory (this is the original REGEDIT utility).
Delete the worm's registry "Run" key (see above).
Reboot the machine and remove the following files from the Windows system directory:
PrTecTor.exe
m_WAB.XRF
m_Base64.xrf
m_prgrm.zip

Next, go to the Windows directory, delete the "regedit.exe" file and then rename the "m_regedit.exe" to "regedit.exe" (doing this restores the original REGEDIT utility).

I-Worm.Dumaru.a

Description I-Worm.Dumaru.a

This family of e-mail worms also includes I-Worm.Dumaru.b and I-Worm.Dumaru.c. The worm spreads via the Internet as a file attached to infected messages and installs Trojan components on the infected computer.
The worm is only activated if the user launches the infected file by double-clicking the attachment. On launch, the worm installs itself on the system and starts the replication procedure.
The worm is a Windows PE EXE file compressed with UPX. The compressed file is approximately 9KB and the decompressed file approximately 32KB.
Installation
The worm copies itself to the Windows system directory under the names load32.exe and vxdmgr32.exe and registers one of them in the auto-run key of the system registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
load32 = %windir%\%system%\load32.exe
The worm also creates a copy of itself in the Windows directory under the name dllreg.exe and installs there the file winrdv.exe (approximately 8KB), a backdoor controlled via IRC. Kaspersky Anti-Virus detects this component as Backdoor.Dumador.c (Backdoor.Small.d). The backdoor connects to an IRC server so that the worm's author can send it commands.
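All three entries on this page persist through the same two legacy auto-start locations: the Run/RunServices keys of the registry (Fintas, Duksten.b, Dumaru.a) and, for Fintas, the "shell=" line of the [boot] section of SYSTEM.INI. The following Python is an added example, not code from the page or from the worms' authors, of an offline triage over those locations: it parses a REGEDIT export (.reg) for Run-style values and a SYSTEM.INI fragment, and flags commands that use a file name from this page or that run from a drive root. Both inputs are constructed samples; the watch-list of names is an assumption built only from the entries above.

```python
from __future__ import annotations

import configparser
import re

# Constructed REGEDIT export (.reg format escapes backslashes as \\). The
# benign SystemTray value is there to show what does not get flagged.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"XRF"="C:\\WINDOWS\\SYSTEM\\PrTecTor.exe"
"load32"="C:\\WINDOWS\\SYSTEM\\load32.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"723"="c:\\`.exe"
'''

# Constructed SYSTEM.INI fragment with the worm appended to the shell= line.
SAMPLE_SYSTEM_INI = """[boot]
shell=Explorer.exe c:\\`.exe
[386Enh]
device=vmm32.vxd
"""

AUTOSTART_KEYS = ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunServices",
                  "\\CurrentVersion\\RunOnce")
# Assumption: watch-list limited to the file names given in the entries on this page.
KNOWN_NAMES = {"`.exe", "ff8.exe", "funnyflash.exe", "prtector.exe",
               "load32.exe", "vxdmgr32.exe", "dllreg.exe"}
# One "name"="string data" line of a .reg export; backslash escapes the next char.
_VALUE_LINE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    # Undo .reg string escaping: a backslash escapes the character after it.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_autostart(text: str) -> list[tuple[str, str, str]]:
    """Return (key, value name, command) for string values under Run-style keys."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_LINE.match(line)
        if m and key and key.endswith(AUTOSTART_KEYS):
            entries.append((key, _unescape(m.group(1)), _unescape(m.group(2))))
    return entries


def flag_autostart(entries: list[tuple[str, str, str]]) -> list[tuple[str, str, str]]:
    """Flag commands named on the watch-list or placed directly in a drive root
    (Fintas registers its copy from the root of C:)."""
    flagged = []
    for key, name, cmd in entries:
        path = cmd.strip('"').split(" ")[0]          # drop any arguments
        exe = path.rsplit("\\", 1)[-1].lower()
        in_root = re.fullmatch(r"[A-Za-z]:\\[^\\]+", path) is not None
        if exe in KNOWN_NAMES or in_root:
            flagged.append((key.rsplit("\\", 1)[-1], name, cmd))
    return flagged


def shell_extras(ini_text: str) -> list[str]:
    """Return anything on the [boot] shell= line besides Explorer.exe; Win9x runs it all."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(ini_text)
    shell = cp.get("boot", "shell", fallback="")
    return [tok for tok in shell.split() if tok.lower() != "explorer.exe"]


if __name__ == "__main__":
    for key, name, cmd in flag_autostart(parse_reg_autostart(SAMPLE_REG)):
        print(f"{key}\\{name} = {cmd}")
    print("extra shell= entries:", shell_extras(SAMPLE_SYSTEM_INI))
```

On the constructed input the SystemTray value passes, the XRF and load32 values are flagged by name, and the RunServices value 723 is flagged both by name and because it runs from the root of C:; the SYSTEM.INI check returns the worm path appended after Explorer.exe. Reading the export rather than live REGEDIT output also sidesteps the Duksten.b regedit-replacement trick described later on this page.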

Sending messages
The worm searches all directories on all accessible local disks for *.TBB, *.ABD, *.DBX, *.HTML, *.HTM and *.WAB files, extracts strings that look like e-mail addresses from them, and sends infected messages to those addresses.
The worm also creates the file winload.log in the Windows directory and records in it the addresses to which infected messages have been sent.

Infected messages carry the following sender (From) address: security@microsoft.com

Message subject:

Use this patch immediately !
Message body:
Dear friend , use this Internet Explorer patch now! There are dangerous virus in the Internet now! More than 500.000 already infected!
Attachment:
patch.exe
To send messages, the worm connects directly to the SMTP server and uses admin@duma.gov.ru as the envelope return address. Any bounce or "virus detected" notification that a mail scanner generates for these messages therefore goes to that unrelated address, not to the infected machine; gateways should not send such notifications to the sender address of a detected worm.
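Both Duksten.b (executable inside a "stored" ZIP) and Dumaru.a (bare patch.exe with a spoofed sender) arrive as attachments that a mail gateway can recognise without a signature for the worm itself. The following Python is an added example, not code from the page or from the worms' authors: it builds two messages shaped like the ones described above (recipient and the Duksten.b sender are constructed; a harmless "MZ" byte stub stands in for the worm body), runs an attachment check that also looks inside ZIP archives, and reads the compression-method field of a ZIP local header. It also shows why the "stored" method noted for Duksten.b matters: the payload bytes lie verbatim in a stored archive, whereas a deflated one hides them from a naive byte-signature scan.

```python
from __future__ import annotations

import io
import struct
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed stand-in for a worm body: NOT malware, only the "MZ" magic plus
# filler so that the executable check below has something to recognise.
FAKE_EXE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 40

# Extensions that should never arrive as a bare attachment or inside an archive.
SUSPECT_EXT = (".exe", ".com", ".scr", ".pif", ".bat", ".vbs")


def make_zip(name: str, data: bytes, method: int = zipfile.ZIP_STORED) -> bytes:
    """Pack `data` as `name` into an in-memory ZIP; Duksten.b uses ZIP_STORED (method 0)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=method) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def zip_method(zip_bytes: bytes) -> int:
    """Compression method from the first local file header:
    signature(4) version(2) flags(2) method(2), all little-endian."""
    sig, _version, _flags, method = struct.unpack("<IHHH", zip_bytes[:10])
    if sig != 0x04034B50:
        raise ValueError("not a ZIP local file header")
    return method


def build_message(sender: str, subject: str, body: str,
                  attach_name: str, attach: bytes, mime: str) -> bytes:
    """Build a MIME message in the shape the page describes (recipient is constructed)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    maintype, subtype = mime.split("/", 1)
    msg.add_attachment(attach, maintype=maintype, subtype=subtype, filename=attach_name)
    return msg.as_bytes()


def scan_message(raw: bytes) -> list[str]:
    """Flag executable attachments, including executables carried inside a ZIP archive."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name.endswith(SUSPECT_EXT) or data[:2] == b"MZ":
            findings.append(f"{name}: executable attachment")
        if data[:4] == b"PK\x03\x04":          # look inside archives, as a gateway must
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    inner = zf.read(info)
                    if info.filename.lower().endswith(SUSPECT_EXT) or inner[:2] == b"MZ":
                        findings.append(
                            f"{name} -> {info.filename}: executable inside archive "
                            f"(compression method {info.compress_type})")
    return findings


# Messages modelled on the two entries above; the Duksten.b sender is not given on the page.
DUKSTEN_MAIL = build_message("unknown@example.invalid",
                             "ProTeccion TOTAL contra W32/Bugbear (30dias)", "",
                             "PROTECT.ZIP", make_zip("ProTecT.exe", FAKE_EXE), "application/zip")
DUMARU_MAIL = build_message("security@microsoft.com", "Use this patch immediately !",
                            "Dear friend , use this Internet Explorer patch now!",
                            "patch.exe", FAKE_EXE, "application/octet-stream")

if __name__ == "__main__":
    for label, raw in (("Duksten.b", DUKSTEN_MAIL), ("Dumaru.a", DUMARU_MAIL)):
        print(label, scan_message(raw))
    # A "stored" archive leaves the payload bytes visible to a plain byte-signature scan.
    print("stub visible in stored zip:", FAKE_EXE in make_zip("x.exe", FAKE_EXE))
    print("stub visible in deflated zip:",
          FAKE_EXE in make_zip("x.exe", FAKE_EXE, zipfile.ZIP_DEFLATED))
```

The archive walk is what separates this from a file-name filter: PROTECT.ZIP carries no suspicious extension itself, and only opening it reveals ProTecT.exe. The "stored" observation cuts both ways; it makes the Duksten.b payload easy to pattern-match inside the raw attachment, but a variant that deflates the archive would defeat that shortcut, so the check parses the ZIP rather than relying on it.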

Infection of files
The worm infects executable files in the root directories of all accessible local disks from C: to Z:. To do this it uses NTFS alternate data streams, a method first employed by the Stream virus in 2000. Data held in an alternate stream does not appear in an ordinary directory listing or in the file's reported size, so a tool that enumerates streams is needed to find it.

    Copyright © 2005 Virus-Database.com