I-Worm.Goner
Description I-Worm.Goner
This is a virus-worm that spreads via the Internet attached to infected e-mails and sends itself via the ICQ Internet pager. It attacks an IRC channel using a Trojan script and protects itself from anti-virus programs. The worm itself is a Windows PE EXE file about 38 KB in length, written in Visual Basic and packed with UPX; after unpacking it is 148 KB in size.

An infected message contains:

The worm activates from an infected e-mail only when the user clicks on the attached file. It then installs itself on the system and runs its spreading routine and payload. It displays animated windows with the following text:

Then it displays the following message dialogue:

Installation
While installing, the worm copies itself to the Windows system directory under the name GONE.SCR and registers this file in the system registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
C:\WINDOWS\SYSTEM\GONE.SCR = C:\WINDOWS\SYSTEM\GONE.SCR
The worm then hides its main window and continues spreading.

Spreading via E-mail
To send infected messages the worm uses MS Outlook, sending a message to every address found in the Outlook address book.

Spreading via ICQ
The worm spreads through the ICQ client. It uses the library ICQMAPI.DLL, which it copies from the directory C:\PROGRAM FILES\ICQ to the Windows system directory. It interacts with the client program, looking for dialogue windows from the following list and answering their requests:
Send Online File
Send Online File Request
The worm periodically looks for the following windows and closes them:
User has declined your request
Can't Send File Request
Send Online File [User Is in N/A mode]
Send Online File [User Is Away]
Send Online File [User Is Occupied]
Send Online File [User Is in DND mode]
User has declined your request
Can't Send File Request
Send Online File Request [User Is in N/A mode]
Send Online File Request [User Is Away]
Send Online File Request [User Is Occupied]
Send Online File Request [User Is in DND mode]
Attacking an IRC channel
The worm scans local disk directories for the file MIRC.INI, creates a new file, REMOTE32.INI, in that directory, and adds it to MIRC.INI. This script periodically joins a user with a random name to the IRC channel #pentagonex on the server twisted.ma.us.dal.net.

Protection from Anti-Virus Programs
While installing itself on the system, the worm scans the running processes and checks their names against the following list:
FINET.EXE
APLICA32.EXE
ZONEALARM.EXE
ESAFE.EXE
CFIADMIN.EXE
CFIAUDIT.EXE
CFINET32.EXE
PCFWallIcon.EXE
FRW.EXE
VSHWIN32.EXE
VSECOMR.EXE
WEBSCANX.EXE
AVCONSOL.EXE
VSSTAT.EXE
NAVAPW32.EXE
NAVW32.EXE
_AVP32.EXE
_AVPCC.EXE
_AVPM.EXE
AVP32.EXE
AVPCC.EXE
AVPM.EXE
AVP.EXE
LOCKDOWN2000.EXE
ICLOAD95.EXE
ICMON.EXE
ICSUPP95.EXE
ICLOADNT.EXE
ICSUPPNT.EXE
TDS2-98.EXE
TDS2-NT.EXE
SAFEWEB.EXE
C:\SAFEWEB
If a name matches, the worm terminates that process in memory and erases its file from the disk. It then erases all files in the process's directory, including files in subdirectories. For any files that remain, the worm schedules their removal after the computer is restarted by adding delete commands to the file WININIT.INI.
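The indicators in this entry (GONE.SCR in the Run key, REMOTE32.INI added to MIRC.INI, delete commands staged in WININIT.INI, and the list of security-product process names) can be turned into a small host-side check. The following is an added example, not code from the original page; the sample Run-key export and INI fragments are constructed so the checks run offline, and the WININIT.INI [rename] NUL=<path> form is the standard Win9x delete-on-reboot mechanism the description refers to.

```python
"""Host-side checks for the I-Worm.Goner indicators listed in this entry.

Added example, not code from the original page. Indicator values come from
the description; the inputs below are constructed sample data. On a real
Win9x host the Run key would be read with winreg and the INI files from disk.
"""
import ntpath
from typing import Dict, List, Tuple

# Process names the worm looks for, as listed in the entry (uppercased for
# comparison; the C:\SAFEWEB directory entry is handled by path, not name).
TARGETED_PROCESSES = {
    "FINET.EXE", "APLICA32.EXE", "ZONEALARM.EXE", "ESAFE.EXE", "CFIADMIN.EXE",
    "CFIAUDIT.EXE", "CFINET32.EXE", "PCFWALLICON.EXE", "FRW.EXE", "VSHWIN32.EXE",
    "VSECOMR.EXE", "WEBSCANX.EXE", "AVCONSOL.EXE", "VSSTAT.EXE", "NAVAPW32.EXE",
    "NAVW32.EXE", "_AVP32.EXE", "_AVPCC.EXE", "_AVPM.EXE", "AVP32.EXE", "AVPCC.EXE",
    "AVPM.EXE", "AVP.EXE", "LOCKDOWN2000.EXE", "ICLOAD95.EXE", "ICMON.EXE",
    "ICSUPP95.EXE", "ICLOADNT.EXE", "ICSUPPNT.EXE", "TDS2-98.EXE", "TDS2-NT.EXE",
    "SAFEWEB.EXE",
}

# Constructed sample: value name -> command, as exported from the Run key.
SAMPLE_RUN_VALUES: Dict[str, str] = {
    "SystemTray": "SysTray.Exe",
    r"C:\WINDOWS\SYSTEM\GONE.SCR": r"C:\WINDOWS\SYSTEM\GONE.SCR",
}

# Constructed MIRC.INI fragment referencing the worm's script file.
SAMPLE_MIRC_INI = """[rfiles]
n0=REMOTE32.INI
"""

# Constructed WININIT.INI: in [rename], NUL=<path> deletes <path> at next boot.
SAMPLE_WININIT_INI = r"""[rename]
NUL=C:\PROGRAM FILES\ZONE LABS\ZONEALARM.EXE
NUL=C:\PROGRAM FILES\ZONE LABS\LICENSE.TXT
"""


def run_key_hits(run_values: Dict[str, str]) -> List[str]:
    """Return Run-key commands whose executable is GONE.SCR."""
    return [cmd for cmd in run_values.values()
            if ntpath.basename(cmd.strip('"')).upper() == "GONE.SCR"]


def mirc_script_hits(mirc_ini_text: str) -> List[str]:
    """Return MIRC.INI lines that load REMOTE32.INI, the worm's Trojan script."""
    return [ln.strip() for ln in mirc_ini_text.splitlines()
            if "REMOTE32.INI" in ln.upper()]


def pending_deletions(wininit_text: str) -> List[str]:
    """Parse WININIT.INI by hand (configparser rejects the repeated NUL= keys)
    and return every path scheduled for deletion at the next boot."""
    section, targets = None, []
    for raw in wininit_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "rename" and "=" in line:
            dest, src = (s.strip() for s in line.split("=", 1))
            if dest.upper() == "NUL":
                targets.append(src)
    return targets


def assess(run_values: Dict[str, str], mirc_ini_text: str,
           wininit_text: str) -> List[Tuple[str, str]]:
    """Combine the checks into (indicator, detail) findings."""
    findings: List[Tuple[str, str]] = []
    findings += [("autorun", c) for c in run_key_hits(run_values)]
    findings += [("mirc-script", ln) for ln in mirc_script_hits(mirc_ini_text)]
    for path in pending_deletions(wininit_text):
        if ntpath.basename(path).upper() in TARGETED_PROCESSES:
            findings.append(("pending-delete-of-security-product", path))
        else:
            findings.append(("pending-delete", path))
    return findings


if __name__ == "__main__":
    for kind, detail in assess(SAMPLE_RUN_VALUES, SAMPLE_MIRC_INI, SAMPLE_WININIT_INI):
        print(f"{kind:36s} {detail}")
```

The WININIT.INI check is the one worth keeping even after the worm itself is removed: a NUL= entry naming an installed security product shows what the worm could not delete directly and will be removed at the next reboot unless the entry is cleared first.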
Cartier.1056
Description Cartier.1056
Cartier.1056 is a dangerous non-memory-resident parasitic virus. It searches for .COM files and writes itself to their ends. It erases the FAT of the C: drive and displays:
+----------------------------------------------------------------------------+
¦ Don't panic it, I am just a virus named [Cartier]. Nice to meet you !      ¦
¦ You are so dirty to get software without any payments ! I don't like it !  ¦
¦ So, I destory all of your datas in the hard disk now ! Feel so good !      ¦
+----------------------------------------------------------------------------¦
¦ I wish you like that !   ¦   What about a drink ?   ¦  See you next time ! ¦
+----------------------------------------------------------------------------+
Cascade.1491
Description Cascade.1491
This is a memory-resident virus. Its body, except for the beginning (the first 32 bytes), is encoded, using the length of the infected file as the key. That is why two strains of the same virus will in most cases coincide only in the first 32 bytes. When an infected program is executed, a JMP instruction transfers control to the beginning of the virus. With its first instructions the virus determines the length of the host file and deciphers its body. To create its memory-resident copy the virus:
copies its body into the highest addresses of memory;
moves the body of the main program into the highest addresses of memory;
moves the virus body into the cleared area above the main program body;
sets INT 1Ch, 21h and 28h to its own copy.
(Memory-layout diagram: four panels showing the Program, Virus, Virus (copy) and Free memory blocks at each of the steps above; the drawing itself is not recoverable from this page.)
The virus infects COM files only, at the moment they are loaded into memory for execution. Infection is carried out by the standard method. The most widespread versions of this virus do not reinfect files. The virus changes interrupt vectors 1Ch, 21h and 28h. It also produces a characteristic video effect, letters crumbling down the screen, and has no destructive functions. Sometimes it displays the message:
IL SISTEMA è FOTTUTO!! S.E.K. VIRUS Made in ITALY RM 5iD G.Ferraris 90/91 (c)
Then it erases the disk sectors. It also deletes the CHKLIST.CPS file.
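The consequence of keying the body encoding on the file length, that two infected files agree only in the unencoded 32-byte head, is easy to reproduce. The following is an added model, not the virus's own routine (the page does not show it): a deliberately simple XOR stream seeded from the file length stands in for the real cipher, while the 32-byte clear head and the "key = file length" rule are taken from the description. It shows why a static signature for such a virus has to be taken from the head, or why the body must first be decoded with the file length before it can be matched.

```python
"""Model of the length-keyed body encoding described for Cascade.1491.

Added illustration, not the virus's own code. The XOR key schedule below is
constructed for the example; only the clear 32-byte head and the use of the
infected file's length as key follow the description.
"""
HEAD_LEN = 32  # bytes left unencoded, per the description


def keystream(file_length: int, n: int) -> bytes:
    """Constructed key schedule: byte i is (file_length + i) mod 256."""
    return bytes((file_length + i) & 0xFF for i in range(n))


def encode_virus(head: bytes, body: bytes, file_length: int) -> bytes:
    """Produce the on-disk virus image: clear head + body XORed with the key."""
    if len(head) != HEAD_LEN:
        raise ValueError("head must be exactly 32 bytes")
    ks = keystream(file_length, len(body))
    return head + bytes(b ^ k for b, k in zip(body, ks))


def decode_body(image: bytes, file_length: int) -> bytes:
    """What the virus's first instructions do: recover the body from the length."""
    body = image[HEAD_LEN:]
    return bytes(b ^ k for b, k in zip(body, keystream(file_length, len(body))))


def common_prefix_len(a: bytes, b: bytes) -> int:
    """Number of leading bytes two images share (what a byte signature can use)."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def infect(host: bytes, head: bytes, body: bytes) -> bytes:
    """Append the virus to a host; the key is the length of the resulting file."""
    total = len(host) + HEAD_LEN + len(body)
    return host + encode_virus(head, body, total)


def build_samples() -> dict:
    """Two constructed hosts of different size infected with the same virus."""
    head = b"DECODER-STUB-32-BYTES-CONSTANT!!"
    body = b"[constructed virus body, identical in both strains]"
    host_a, host_b = b"\x90" * 600, b"\x90" * 1300   # lengths differ mod 256
    inf_a, inf_b = infect(host_a, head, body), infect(host_b, head, body)
    return {
        "body": body,
        "len_a": len(inf_a), "len_b": len(inf_b),
        "virus_a": inf_a[len(host_a):], "virus_b": inf_b[len(host_b):],
    }


if __name__ == "__main__":
    s = build_samples()
    print("bytes shared by the two strains:",
          common_prefix_len(s["virus_a"], s["virus_b"]))
    print("decoded with the right length:",
          decode_body(s["virus_a"], s["len_a"]) == s["body"])
    print("decoded with the other file's length:",
          decode_body(s["virus_a"], s["len_b"]) == s["body"])
```

Run stand-alone it reports 32 shared bytes, a correct decode with the file's own length and a wrong one with the other file's length, which is the same situation a scanner faces: without the host's length it cannot see the body, and the only constant material is the head.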