Virus Database


I-Worm.Gismor

Description I-Worm.Gismor

This is a worm that spreads via the Internet as an attachment to infected e-mails. The worm itself is a Windows PE EXE file about 8Kb in length, written in Assembler.
The infected messages have the following fields:
Mail From: < Gismo@gmx.de >
From: MP3 Deluxe
To: My best friends
Subject: Phenomenal
Body: body is empty
Attach: MP3Player.exe

To run automatically from an infected message the worm uses the IFrame security vulnerability. The worm then installs itself in the system and runs its spreading routine.
While installing, the worm copies itself to the Windows system directory with the SSMS.EXE name and registers this file in the system registry auto-run key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
To send infected messages the worm uses a direct connection to the default SMTP server, or to the "mail.gmx.net" server.
To obtain victims' e-mail addresses the worm uses Windows MAPI functions and reads messages from the local mailboxes.


I-Worm.Unis.a

Description I-Worm.Unis.a

This is an Internet worm that spreads via e-mail (as an attached file) and through IRC channels. The worm is also able to affect RAR archives: it adds its code to the archive contents.
The worm's functionality is based on so-called "plugins". The main worm component (a Win32 EXE file about 12K in length) that is sent by e-mail and to IRC channels is just a "loader" that connects to a Web page, downloads additional worm components (plugins) from there and then executes them. So the worm's functionality depends completely on its plugins. Five plugins are known at the moment.
The Web page address depends on the worm version. The following addresses are known at the moment:
http://hyperlink.cz/benny/viruses/
http://shadowvx.com/benny/viruses/
All known worm components (the main EXE file and the plugins) are compressed with the TeLoc Win32 PE EXE file compressor.
The worm code has many bugs: infected files halt the system in most cases and fail to send copies of the worm to the Internet. So the worm has very little chance of being found in the wild.
Main Component
When the main worm EXE file is executed (from an attached e-mail file, for example), it stays in the system as a service (hidden application), copies itself to the Windows system directory with the MSVBVM60.EXE name (do not confuse it with MSVBVM60.DLL, the Windows Visual Basic runtime library) and registers this copy in the Windows auto-run registry key:
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
The worm then connects to the "http://hyperlink.cz/benny/viruses" Web page (hosted somewhere in the Czech Republic) or to another one (depending on the worm version), gets its plugins from there (the plugins are listed in a special file at that site) and stores them in the Windows system directory with the names:
MSVBVM6A.DLL
MSVBVM6B.DLL
MSVBVM6C.DLL
MSVBVM6D.DLL
etc.
These plugins are encrypted using the Windows RSA crypto library, so the worm first decrypts them and then activates them.
The worm then "sleeps" for some time (randomly selected, up to 5 minutes) and then repeats all of the above.
The main worm component contains the text:
[I-Worm.Universe] by Benny/29A
"Payload" Plugins
This plugin, depending on the system timer, calls one of three procedures:
1. Affects MS Explorer: it sets the default start, local, "what's new" and search pages to "http://www.therainforestsite.com"
2. Gets the UNIVERSE.JPG file from the worm's Web site and registers it as the Windows desktop wallpaper.
3. Messes up the Desktop: randomly moves blocks of it.
"Feedback" Plugin
This plugin reports on the infected machine: it sends a report to an e-mail address that differs between plugin versions:
benny_29a@hushmail.com
auto129742@hushmail.com
The report contains the Internet name of the infected machine and the date and time of infection.
"Mail" Plugin
This plugin scans all HTML files in the Internet cache directory, extracts e-mail addresses from them and sends messages to those addresses. The messages have the following fields:
From: "Microsoft Support" [support@microsoft.com]
Reply-To: "Peter Szor" [pszor@symantec.com]
To: "Mikko Hypponen" [mikko.hypponen@f-secure.com]
Subject: Virus Alert
Attached file name: uniclean.zip
Text:

Dear user
F-Secure, Symantec and Microsoft, top leaders in IT technologies have discovered one very dangerous Internet worm called I-Worm.Universe in the wild. Author of this viral program is well known hacker from Europe under "Benny" nickname from 29A virus writting group.
Universe is fast-spreading worm that already destroyed computer systems in FBI and Microsoft. It is heavilly encrypted and very complex. It consists from many independed parts called "modules", which are very variable - every second hour is producted one new module, that completelly changes behaviour of worm, including anti-detection tricks.
You should check your system by our anti-virus attached to this mail. All reports please send to our mail address: universe@microsoft.com and/or universe@f-secure.com
Have a nice day,
F-Secure, Symantec and Microsoft, top leaders in IT technologies.
The attached file is actually the worm's main component (the loader), not a ZIP archive. If a victim tries to open that file from the e-mail message, a ZIP archiver will start and report a broken archive or wrong archive format. So under a standard Windows installation the worm code will not be activated.
"Mirc" Plugin
This plugin just drops a new SCRIPT.INI file into the C:\MIRC32 directory (if it exists). The file contains the text:
;Default mIRC32 script
;** DO NOT EDIT **
and an instruction that sends the worm "loader" to any user who enters the infected IRC channel.
"Rar" Plugin
This plugin looks for all *.RAR archives in the MS Explorer Download directory and writes itself into each archive under the SETUP.EXE name.

I-Worm.Updater.a

Description I-Worm.Updater.a

This is a virus-worm that spreads via the Internet attached to infected e-mails. The worm itself is a Windows PE EXE file about 12Kb in length, written in Visual Basic (VB6) and packed with UPX. After unpacking, it is 45 Kb in size.
The worm activates from an infected e-mail only when a user clicks on the attached file. The worm then installs itself in the system and runs its spreading routine and payload.
The infected messages have varying texts and attached file names; while spreading, the worm selects them at random from the following variants:
Subjects:
Part1 + Part2 + Part3 + Part4
Part1 = "Have you ", "You Should ", "Just ", "Why Not you ", "How to ", "Re: ", "Fwd : ", " "
Part2 = "Check ", "Check out ", "Watch out ", "Open ", "Look at "
Part3 = "this ", "my ", "For this ", "The "
Part4 = "Picture", "Program", "Patch", "Nude pic", "Report", "Documment", "Quotation", "Transaction", "Bank Account", "WTC Tragedy", "Osama Vs Bush", "Account", "Private Pic"

Examples:
You Should Look at this Osama Vs Bush
Fwd : Check my Patch

Attachment filenames:
"Setup.EXE", "install.exe", "Readme.exe", "Files.exe", "Picture.exe", "Quotation.Doc.exe", "Letter.Doc.exe", "Picture.jpg.exe"
Body:
Hi:
This is the file you ask for, Please save it to disk and open this file, it's very important.
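The subject lines above are assembled combinatorially (Part1 + Part2 + Part3 + Part4), so a mail filter can match the whole family rather than individual strings. The following Python is an added example written for this page, not code from the description or from the worm; it enumerates the subject set from the four lists, derives a single equivalent regex for use in a filter, checks attachment names against the list above, and adds a generic double-extension check ("Picture.jpg.exe" style) whose extension lists are our own assumption rather than anything the description states.

```python
import itertools
import re

# Subject fragments exactly as listed in the I-Worm.Updater.a description
PART1 = ["Have you ", "You Should ", "Just ", "Why Not you ", "How to ", "Re: ", "Fwd : ", " "]
PART2 = ["Check ", "Check out ", "Watch out ", "Open ", "Look at "]
PART3 = ["this ", "my ", "For this ", "The "]
PART4 = ["Picture", "Program", "Patch", "Nude pic", "Report", "Documment", "Quotation",
         "Transaction", "Bank Account", "WTC Tragedy", "Osama Vs Bush", "Account", "Private Pic"]

# Attachment names from the description (compared case-insensitively)
KNOWN_ATTACHMENTS = {n.lower() for n in (
    "Setup.EXE", "install.exe", "Readme.exe", "Files.exe", "Picture.exe",
    "Quotation.Doc.exe", "Letter.Doc.exe", "Picture.jpg.exe")}

# Generic decoy double-extension heuristic; these two lists are our assumption
EXEC_EXTS = {"exe", "scr", "pif", "com", "bat", "vbs"}
DECOY_EXTS = {"doc", "jpg", "jpeg", "gif", "txt", "pdf", "xls", "zip"}


def all_subjects():
    """Every subject the generator can produce: Part1 + Part2 + Part3 + Part4."""
    return {"".join(p) for p in itertools.product(PART1, PART2, PART3, PART4)}


# Compare whitespace-stripped subjects, since clients and MTAs often trim them
_SUBJECTS = {s.strip() for s in all_subjects()}


def _alt(parts):
    # A blank fragment (Part1 contains " ") becomes an empty alternative, so the
    # pattern also matches subjects whose leading space a mail client trimmed.
    return "(?:" + "|".join(re.escape(p.strip() and p) for p in parts) + ")"


def subject_regex():
    """One anchored regex equivalent to the full Cartesian product, for mail filters."""
    return re.compile(r"^\s*" + _alt(PART1) + _alt(PART2) + _alt(PART3) + _alt(PART4) + r"\s*$")


def is_worm_subject(subject):
    """Exact membership test against the generated subject set."""
    return subject.strip() in _SUBJECTS


def is_worm_attachment(name):
    """True if the attachment name is one the description lists."""
    return name.lower() in KNOWN_ATTACHMENTS


def has_double_extension(name):
    """True for NAME.<decoy>.<executable>, e.g. Picture.jpg.exe."""
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[2] in EXEC_EXTS and parts[1] in DECOY_EXTS


def triage(subject, attachment):
    """Return the reasons a message should be held; an empty list means no match."""
    reasons = []
    if is_worm_subject(subject):
        reasons.append("subject matches Updater.a generator")
    if is_worm_attachment(attachment):
        reasons.append("attachment name is on the Updater.a list")
    elif has_double_extension(attachment):
        reasons.append("attachment has a decoy double extension")
    return reasons


if __name__ == "__main__":
    # Constructed sample messages: the two examples from the page plus two others
    samples = [
        ("You Should Look at this Osama Vs Bush", "Picture.jpg.exe"),
        ("Fwd : Check my Patch", "Setup.EXE"),
        (" Open The Report", "report.pdf"),   # subject built from the blank Part1 variant
        ("Meeting notes", "agenda.doc"),
    ]
    for subj, att in samples:
        print(repr(subj), att, "->", triage(subj, att) or "clean")
```

The set lookup and the regex are equivalent; the regex form is the one to paste into a filter that cannot load a list, and the membership set is the one to use when the subject must be logged as an indicator.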
Installation
While installing, the worm copies itself to the C:\WINDOWS directory with the UPDATE.EXE name, and registers that file in the system-registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Update = C:\WINDOWS\Update.exe
The worm then displays a fake error message.

Payload
The worm creates the file C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\Update.vbs. This script file starts automatically after a system reboot under Windows 9x/ME. It looks for files on all drives with the following extensions: EXE, DOC, TXT, and creates script copies with the same names plus the extra extension ".vbs". For example:
MPLAYER.EXE.vbs
NOTEPAD.EXE.vbs

This script file contains the strings:
I-WORM.IMELDA.B
(C)2001, by Iwing
Virusindo - Indonesian Virus Network
http://indovirus.8m.com , IRC Dalnet #indovirus

The worm changes the volume label on disk C:, then the IMELDA
The worm also copies itself to the C:\WINDOWS directory with one of the following names:
"Setup.EXE", "install.exe", "Readme.exe", "Files.exe", "Picture.exe", "Quotation.Doc.exe", "Letter.Doc.exe", "Picture.jpg.exe"

Copyright © 2005 Virus-Database.com