Virus Database


I-Worm.Gizer.c

Description I-Worm.Gizer.c

Gizer is a worm that spreads via the Internet as an attachment to infected emails. It also appends itself to ZIP archives.
The worm itself is a Windows PE EXE file about 8 KB in length and written in Assembly language.
Infected messages have the following characteristics:
From: Microsoft Critical Response Team
Subject: Urgent message for all Windows users
Body:

Dear Windows User,
The Microsoft Security Experts have discovered a bug inside the Windows files that poses a security threat to all versions of Windows newer than Windows98 (including Windows98). Virus experts have reported that few known viruses have been identified using this exploit, but more are expected. A patch has been supplied with this email and will fix the security hole.
**THIS MESSAGE WAS DELIVERED BY THE AUTHOR FROM ENERGY WORM !!!**

Attachment name: patch.exe
The worm activates from infected email only when a user clicks on the attached file.
The worm does not install itself to the system and is not repeatedly activated. The only way to run the virus again is to double click the attached file.
When the worm is launched, it copies itself to the current folder under the name windows.tmp, and displays the following message:
Could not patch due to bad CRC!

Spreading: e-mail
To send infected messages the worm connects to the SMTP server specified as the default in Windows. Gizer then sends messages to all addresses found in the Windows address book (WAB database).
Spreading: archives
Gizer also searches for all files with the .ZIP extension on all hard drives and appends its copy to them.


I-Worm.Desos.a

Description I-Worm.Desos.a
Desos is an Internet worm that spreads as an attachment to infected e-mail messages.
Messages sent by the worm contain various subjects, bodies and attachment names.
Possible message subjects:
Seduccion
Humano
Musica
Mujer
Hombre
Confesion
Infidelidad
Belleza
Relaciones casuales
Tus deseos
Mi secreto
La clave
Enojo
Perdon
Responde!
Cita
Papelon
Renuncio
Monstruo
Joven

Possible attachment names:
s_CAP3.EXE
HUMANO.EXE
MUSIC.EXE
MUJER.EXE
HOMBRE.EXE
CONFESION.EXE
INFIEL.EXE
BELLEZA.EXE
LISTArc.EXE
DESEOS.EXE
SECRETO.EXE
CLAVE.EXE
YO.EXE
FEOS.EXE
PASION.EXE
CITA2.EXE
GORDA.EXE
CUERPO.EXE
MONSTRUO.EXE
JOVEN.EXE

Possible message bodies:
Cap.3 El arte de provocar.
El Ser Humano que pudiste ser.
Esta es la musica que te prometi.
La mujer mas bella
Un hombre entero.
¿Ya sabes que fui yo?.
Las imagenes de tu infidelidad.
¿No estas conforme con tu apariencia?
Esta es la lista para esta semana.
Si te conforman, puedo enviar mas.
Recorda tu promesa!
No la vuelvas a perder, no abuses.
Cuando veas esto, se te pasa.
Crei que ya lo habia enviado.
Nunca respondiste. No seas cruel.
Me gusto lo que enviaste. Si te gusta, arreglamos.
Te dije que es demasiado gorda. Mira!
No puedo mejorarlo, ya es perfecto.
Ahora te creo. Pobre mujer!
Disculpa, sos demasiado joven para mi.

Installation
The worm copies itself to the Windows directory under the name "ESMTP.EXE", and writes the following registry value so that its copy is executed upon reboot:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Esmtp=(Windows directory path)\Esmtp.exe

Replication: via e-mail
Desos searches for e-mail addresses in the Windows Address Book (WAB), and files that have the .HT* extension (where * means any string) in the Windows Temporary directory. It then sends infected messages to these addresses. To send infected messages it uses a direct connection to the default SMTP Server.

I-Worm.Dilber

Description I-Worm.Dilber

This is an Internet worm related to the "I-Worm.Silver" worm and written by the same person. Like "Silver," it is a Windows executable written in Delphi; it accesses the Internet by using a VBS helper file and spreads to the local network.
Installation
When the worm gains control, it installs itself into the system. To do this, it copies itself to the Windows directory with the name SETUP_.EXE, and registers that file in three auto-run keys in the system registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
All these keys contain the value:
"Unchained Infection" = WinDir\setup_.exe
where "WinDir" is the name of the Windows directory.
The worm also registers that file in the auto-run section in WIN.INI file:
[windows]
run=WinDir\setup_.exe
...

In case the worm fails to install a SETUP_.EXE file into the Windows directory, it copies itself there with the DILBERTDANCE.JPG.EXE name.
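The installation traces described above for Desos and Dilber can be checked offline against a registry export and a copy of WIN.INI. The following is an added example, not code from the original page: the function names, the .reg export format handling and the sample data are constructed here, and only the file and value names come from the descriptions.

```python
import configparser
import ntpath
import re

# File and value names are the ones given in the descriptions on this page.
KNOWN_FILES = {"esmtp.exe", "setup_.exe", "dilbertdance.jpg.exe"}
KNOWN_VALUES = {"esmtp", "unchained infection"}
AUTORUN_KEY = re.compile(r"\\CurrentVersion\\Run(Services)?\]$", re.I)

def audit_reg_export(text):
    """Return (key, value name, data) for matching values under Run/RunServices."""
    hits, key = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            key = line[1:-1] if AUTORUN_KEY.search(line) else None
        elif key and line.startswith('"') and "=" in line:
            name, data = (p.strip().strip('"') for p in line.split("=", 1))
            data = data.replace("\\\\", "\\")  # .reg exports double each backslash
            if name.lower() in KNOWN_VALUES or ntpath.basename(data).lower() in KNOWN_FILES:
                hits.append((key, name, data))
    return hits

def audit_win_ini(text):
    """Return (option, target) for run=/load= entries in [windows] that match."""
    ini = configparser.ConfigParser(strict=False, interpolation=None,
                                    allow_no_value=True, delimiters=("=",))
    ini.read_string(text)
    hits = []
    for opt in ("run", "load"):  # load= is the sibling autorun entry; not named on the page
        value = ini.get("windows", opt, fallback="") or ""
        for target in re.split(r"[ ,]+", value.strip()):
            if ntpath.basename(target).lower() in KNOWN_FILES:
                hits.append((opt, target))
    return hits

# Constructed samples: what exports from an affected Windows 9x host could look like.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Esmtp"="C:\\WINDOWS\\Esmtp.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Unchained Infection"="C:\\WINDOWS\\setup_.exe"
'''
SAMPLE_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\setup_.exe\n\n[Desktop]\nWallpaper=(None)\n"

if __name__ == "__main__":
    for hit in audit_reg_export(SAMPLE_REG) + audit_win_ini(SAMPLE_INI):
        print(hit)
```

A match on the value name alone is reported even when the file has been renamed, since the value names "Esmtp" and "Unchained Infection" are fixed in the descriptions.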
The worm then stays in Windows as a background application (under Windows 95/98) or as a service (under WinNT), and runs its spreading routines. Actually, there are two worm routines active in the background. One of them is activated once every 40 minutes, and the second one once every hour. The first routine sends the infected messages by using the VBS helper file, and also drops and spawns five more viruses (see below). The second one infects the local network.
Sending E-mails
To send an infected message, the worm uses MS Outlook and a VBS helper file, SENDMAIL.VBS, which is a script written in Visual Basic Script. This script obtains all messages from the Inbox and "replies" to the first 20 of them with the following message:
Text:
Hi "sendername"
Received your mail, and will send you a reply ASAP
Until then, check out this funny Dilbert Dance (attached)
Attached file name: dilbertdance.jpg.exe
where "sendername" is the name of the sender of the message being replied to.
The worm then marks "answered" messages (affected messages) with a TAB char at the end of the message subject, and does not answer messages that have already been affected. In this way the worm prevents duplicate replies to the same messages.
The worm also stores all affected addresses in the WINDOWS.EXE file in the Windows directory, and does not send infected messages to the same addresses twice.
The worm also does not send infected messages in the case when the victim address contains the sub-strings: .mil, .gov, admin, master, abuse
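The attachment traits described on this page (Gizer's patch.exe sent under a "Microsoft" sender name, the .EXE attachments used by Desos, and Dilber's dilbertdance.jpg.exe) can be flagged when a message is parsed at a mail gateway. The following is an added example, not code from the original page: the rule names, the extension sets and the sample addresses are assumptions made here.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
import ntpath

# Extension sets are this example's choice, not a list from the page.
EXECUTABLE_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".vbs"}
DECOY_EXT = {".jpg", ".gif", ".txt", ".doc", ".zip"}

def triage(raw: bytes) -> list:
    """Return (rule, detail) findings for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        stem, ext = ntpath.splitext(name.lower())
        if ext not in EXECUTABLE_EXT:
            continue
        findings.append(("executable-attachment", name))
        # dilbertdance.jpg.exe: a harmless-looking extension before the real one
        if ntpath.splitext(stem)[1] in DECOY_EXT:
            findings.append(("double-extension", name))
    sender = msg["From"]
    display = sender.addresses[0].display_name if sender and sender.addresses else ""
    # Gizer's lure: a "Microsoft" display name together with an attached "patch"
    if findings and "microsoft" in display.lower():
        findings.append(("vendor-impersonation", display))
    return findings

def build_sample(display, filename):
    """Constructed test message; the addresses and payload bytes are placeholders."""
    msg = EmailMessage()
    msg["From"] = f"{display} <sender@example.test>"
    msg["To"] = "user@example.test"
    msg["Subject"] = "constructed sample"
    msg.set_content("body")
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    for who, att in [("Microsoft Critical Response Team", "patch.exe"),
                     ("A Colleague", "dilbertdance.jpg.exe"),
                     ("A Colleague", "report.pdf")]:
        print(att, triage(build_sample(who, att)))
```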
Spreading to Local Network
To spread to a local network, the worm enumerates network resources (mapped drives), looks for those that are shared for reading/writing, and looks for WINDOWS and WINNT directories there. If one of these directories exists, the worm copies itself there with the same SETUP_.EXE name, and registers that file there in the auto-run section of the WIN.INI file and/or in the system registry.
As a result, if there are computers on the network that have a Windows drive shared for reading/writing, the worm installs itself there and will be run on those computers upon restart.
Because of a minor bug in the worm's code, it is unable to run its spreading routines both via e-mail and LAN.
Payload
The worm also keeps images of five viruses in its body in encoded form. Depending on the system date, the worm extracts, drops, and spawns these viruses:
When            | Virus name    | File name (dropped by worm)
----------------+---------------+----------------------------
on 7 of month:  | Win32.Bolzano | BOLZANO.EXE
on 15 of month: | Win95.CIH     | CIH_15.EXE
on 17 of month: | VBS.FreeLink  | LINKS.VBS
on 22 of month: | Win95.SK      | WINSK.COM
on 31 of month: | Win32.AOC     | BEE_AOC.EXE
----------------+---------------+----------------------------

    Copyright © 2005 Virus-Database.com