I-Worm.Fog
Description I-Worm.Fog
This is a Win32 email worm with backdoor and DDoS abilities. The worm itself is a Win32 application (PE EXE file) about 180K in size when packed with UPX and about 500K when unpacked. The worm is written in Delphi.
The worm sends itself to other machines as an email attachment named AntiVirus.exe. While spreading it uses MAPI to connect to the email client. The worm also reports the infected machine to an IRC channel (worm host channel?) and then activates backdoor and DDoS routines that allow a remote master to manipulate the infected machine and perform DoS attacks on remote machines.
When an infected file is started (activated by the user from an infected message or from any other source), the worm displays the message box:
    Explorer i reb00t [OK]
When the OK button is pressed, the worm copies itself into the Windows system directory as "AntiVirus.exe" and into the Windows Fonts directory as "Times New Roman.exe". The latter file is then registered in the system registry auto-run key:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    Windows = %windows font directory%\Timer New Roman.exe
To spread, the worm looks in the Inbox for all messages that have at least one attached file, and replies with an infected message that has:
    Subject: I think that you sent me a virus.. heres a cleaner
    Body: I took my computer to the shop and they ran this, and told me to send it to you.. hope this helps.
    Attach: AntiVirus.exe
The worm also deletes NETSTAT.EXE and REGEDIT.EXE in the Windows directory.
The worm also looks for anti-virus and some other processes that are active at the moment and tries to terminate them: APLICA32.EXE CFIADMIN.EXE CFIAUDIT.EXE CFINET32.EXE CFINET.EXE IAMSERV.EXE IAMAPP.EXE PCFWallIcon.EXE FRW.EXE VSHWIN32.EXE VSECOMR.EXE WEBSCANX.EXE AVCONSOL.EXE VSSTAT.EXE NAVAPW32.EXE NAVW32.EXE _AVP32.EXE _AVPCC.EXE _AVPM.EXE AVP32.EXE AVPCC.EXE AVPM.EXE AVP.EXE LOCKDOWN2000.EXE ICLOAD95.EXE ICMON.EXE ICSUPP95.EXE ICLOADNT.EXE ICSUPPNT.EXE TDS2-98.EXE TDS2-NT.EXE ZONEALARM.EXE MINILOG.EXE SAFEWEB.EXE IFACE.EXE ANTS.EXE ANTI-TROJAN.EXE BLACKICE.EXE BLACKD.EXE VSMON.EXE WRCTRL.EXE WRADMIN.EXE CLEANER3.EXE CLEANER.EXE TCA.EXE MOOLIVE.EXE SPHINX.EXE
The worm contains the "copyright" text strings: [Fist Of God] [Remote DDoS] [v2.7b]
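A mail-filter check for the reply message described above, as an added example that is not part of the original description. It assumes raw RFC 5322 messages as input; the function names, the quarantine rule (attachment name plus one text trait) and the sample addresses are assumptions made for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Values taken from the description on this page, lower-cased for comparison.
FOG_SUBJECT = "i think that you sent me a virus.. heres a cleaner"
FOG_BODY = "i took my computer to the shop and they ran this"
FOG_ATTACHMENT = "antivirus.exe"

def _norm(text):
    """Lower-case and collapse whitespace so re-wrapping does not hide a match."""
    return " ".join((text or "").lower().split())

def fog_indicators(raw_bytes):
    """Return the set of Fog message traits found in one raw message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = set()
    # A "Re:" prefix may be added in transit, so test containment, not equality.
    if FOG_SUBJECT in _norm(msg["Subject"]):
        hits.add("subject")
    for part in msg.walk():
        if part.is_multipart():
            continue
        if _norm(part.get_filename()) == FOG_ATTACHMENT:
            hits.add("attachment")
        elif part.get_content_maintype() == "text":
            if FOG_BODY in _norm(part.get_content()):
                hits.add("body")
    return hits

def is_fog_message(raw_bytes):
    """Assumed quarantine rule: the named attachment plus at least one text trait."""
    hits = fog_indicators(raw_bytes)
    return "attachment" in hits and bool(hits & {"subject", "body"})

def build_sample(subject, body, filename):
    """Constructed test message; the attachment bytes are a harmless placeholder."""
    m = EmailMessage()
    m["From"] = "sender@example.test"
    m["To"] = "recipient@example.test"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()
```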
Metall.557
Description Metall.557
This is a very dangerous non-memory-resident parasitic virus. It searches for .COM files except COMMAND.COM, then writes itself to the end of the file. The virus correctly infects only COM files that begin with a JMP/CALL near instruction; other files are left corrupted after infection. Depending on the system time, the virus mixes letters on the screen. It also contains the text string: METALLI
Metallica.1103
Description Metallica.1103
This is a harmless memory-resident parasitic virus. It hooks INT 21h and infects COM and EXE files. On April 22nd (Vladimir Lenin's birthday) it plays a joke with the screen: it writes random data to the video ports, and the screen starts to twitch and grimace. Under Windows the screen does not twitch, but the vertical and horizontal borders of the active window change every second. This infector contains the texts: Metallica Ver 2.2 AIDSCOMMAND