Virus Database

I-Worm.Galil

Description I-Worm.Galil

This is a worm virus spreading via the Internet being attached to infected emails. The worm consists of several components. All of them are Windows PE EXE files, written in Visual Basic.
Main file: "iLLeGaL.exe", about 81K of size
Spreading component: "Mplayer.exe", about 14K (compressed by UPX, decompressed - 37K)
SMTP control: "SMTP.ocx", about 26K (compressed by UPX, decompressed - 90K)

Installing
When the main worm file is run it installs itself and its components to the system. While installing the worm copies its main file to the Windows system directory with the name "iLLegGaL.exe". Other worm components are installed to the same directory. The "Mplayer.exe" component is then registered in system registry auto-run key:
HKLMSoftwareMicrosoftWindowsCurrentVersionRunServices
iLLeGaL = %SystemDir%Mplayer.exe

The worm then displays a fake Flash animation and the message:
Sorry !
Looooooooool , thanx fo da time u spent thinkin ov me

Spreading
The worm reads victim emails from the MS Outlook address book and searches for email addresses in .HTM and .HTML files. To send infected messages the worm uses direct connection to SMTP server.
The infected messages have:
Subject: Fwd: Crazy illegal sex !
Body: is randomly selected from a file on C: drive
Attach: "iLLeGal.exe" or "illegalSex.zip"

The worm activates from infected email only if a user clicks on the attached file. The worm then installs itself to the system, runs its spreading routine and payload.
Payload
The worm creates new key (counter) in system registry:
HKLMiLLeGal

This counter is being increased on each worm start. When the counter reaches '5' the worm deletes all files on the D: E: F: G: drives and then displays the message:
ZaCker
No Peace Without war,i hate war but im forced to love it,Hidden Power's gonna b there wherever u r

Check other viruses! Be aware! Use Antiviral Software

I-Worm.Mari

Description I-Worm.Mari

This is an Internet worm that spreading via e-mails being attached as an EXE file. The worm itself is a Win32 executable file about 12Kb in length, written in VisualBasic. To spread, the worm connects to MS Outlook, obtains the e-mail addresses from the address book, then sends messages to these addresses. The infected messages contain the following:
Subject: Hi!
Body: check this out!!!
Attach: system32.exe
The worm also installs itself to the system. It copies itself to Windows and to WinNT directory with SYSTEM32.EXE name. The worm copies itself to the directory on the current drive, and fails to spread further if it is run not on the C: drive (in the instance when the temporary directory where the worm copy is saved from an infected message is not on the C: drive). The worm also fails to infect the system in case Windows is installed in a directory with another name.
The worm registers itself in the auto-run key in the system registry:
HKLMSoftwareMicrosoftWindowsCurrentVersionRun
SYSTEM32 = C:WindowsSYSTEM32.exe
or
SYSTEM32 = C:WinntSYSTEM32.exe
The 'a' version of the worm also modifies the WIN.INI file with auto-run keys under Win9x/ME:
[windows]
load="C:WINDOWSSYSTEM32.exe
open="C:WINDOWSSYSTEM32.exe"

[winnt]
load="C:WinntSYSTEM32.exe
open="C:WINDOWSSYSTEM32.exe"
The worm then stays in the Windows memory as a hidden (service) process and creates the "marijuana" icon in-tray:

Upon a mouse click on the icon, the worm displays the message:
IMPORTANT: PLEASE READ
I think i speak for every pot smoker in North America when i say: *Legalize Marijuana*allI mean if people with AIDS, Cancer and other deaises can use it then why cant the rest of us (pot smokers) use it?, I dont think that's very fair (Do you?). If it's legal to grow and use in places like: Australia (for personal use) then why not in North America? If doctors are useing it as a treatment for illness then it must not be *THAT* harmful (So why can't other people use it?). I really do think the federal goverment should consider legalization of marijuana. Well that's really all i have to say on the matter, but i do hope somebody, somewhere listens to what i have to say and does not just regard this as just another *virus* because it's more then that, it's a message, a message for freedom, the freedom to smoke up and have the chose to do so *WITHOUT* fear of punishment from the law and the goverment. Thank you for your time.
At 4:20 and 16:20, the worm displays the message box:

The worm also modifies the following registry keys:
HKLMSoftwareMicrosoftWindowsCurrentVersion
RegisteredOrganization = Stoner's Pot Palace.
RegisteredOwner = Im A Pot Head!

HKCUSoftwareMicrosoftInternet ExplorerMain
HKCUSoftwareMicrosoftInternet ExplorerMain
Start Page = http://my.marijuana.com
Window Title = Marijuana Explorer (LEGALIZE IT!!!)

I-Worm.Masana

Description I-Worm.Masana

I-Worm.Masana is a worm virus spreading via the Internet as an attachment to infected emails. The worm itself is a Windows PE EXE file about 107Kb in size - ASPack compresses it, the decompressed size is about 138Kb, written in Delphi.
Infected messages contain the following:

Another variant is the same subject and body as above but in Russian.

The worm activates from infected email only when a user clicks on the attached file. The worm then installs itself into the system, runs its spreading routine and payload.
The worm has bugs in its code; as a result some of its routines don't work.
Installing
While installing the worm copies itself into the Windows system directory with under the msys32.exe name and registers this file in the system registry (under Windows NT) or in the SYSTEM.INI (under Windows 9x) auto-run keys:
SYSTEM.INI
[boot]
shell=Explorer.exe msys32.exe -dontrunold

HKLMSoftwareMicrosoftWindowsCurrentVersionRun

Run as Administrator

Under Windows NT systems the worm gains Admin privileges. To do this the worm uses a breach in Windows NT security (so-called DepPloit exploit).
The Masana worm creates two additional files on disk that manage the exploit:

ERunAsX.exe
ERunAsX.dll

The worm then creates another copy of itself under the name EEXPLORER.EXE name and by using DepPLoit exploit starts this copy with administrator rights.
Spreading
To send infected messages the worm uses Windows MAPI functions.
To get victim email addresses Masana:

looks for *.HTM* files and extracts email-like strings
by using Windows MAPI functions it reads all unread messages from the Inbox and answers them.
Each time Masana is run it also sends infected message to the masyana@nm.ru address. This message looks as follows:
Subject: Masyanya!
Body: gygygy!
Attach: Masyanya.exe

Payload
On Mondays the worm starts a DoS (Denial of Service) attack on kavkaz.org.
Other
This worm also:

disables the MS Outlook Express 5.0 MAPISendMail warning.
adds to the system the user named masyanechkaa with Admin privileges (under Windows NT) I-Worm.Masana also contains the text string:

I-Worm.Masyanya v1.0 8) Just a hello-world wormall
The worm also creates an additional registry key that indicates the system is already infected:

HKCUEnvironmentID = 1

Home