I-Worm.Hadra
Description I-Worm.Hadra
This is an Internet worm that spreads via e-mail, attached as an EXE file. The worm itself is a Win32 executable file about 12Kb in length, written in Visual Basic. The worm code is compressed with the UPX Win32 EXE compression utility; when unpacked, it is about 26Kb in size.

When the worm starts (when a user opens the attached EXE file), it copies itself to the Windows directory under the name MSSERV.EXE and registers that file in the Windows registry auto-run keys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

All these "Run=" keys then receive a string value that runs the worm copy upon each Windows start-up:

msservice = %WinDir%\msserv.exe

where %WinDir% is the Windows main directory.

Spreading

The worm then stays in Windows memory as a hidden application (service), connects to MS Outlook and registers itself as a handler for the MS Outlook "NewMail" and "ItemSend" events (i.e., the worm attaches itself to MS Outlook events).

On "NewMail" (a new mail has arrived), the worm checks whether the new message is one of its own copies, sent from another infected machine, and if so deletes it: it opens the message, looks for an EXE attachment and deletes the message if the EXE attachment has the same length as the worm's own EXE file.

On "ItemSend" (a message is being sent), the worm looks for already attached files, takes the first one, replaces it with its own copy, renames the attachment to .EXE, and then lets the message be sent. If the message has no attachment, the worm attaches itself under a random eight-byte name with the .EXE extension.

On Friday the 13th, from 13:00 till 14:00, the worm also adds a text to the beginning of the message body:

[I-Worm.Hydra] allby gl_st0rm of [mions]

Protection

The worm performs several actions to hide itself and to prevent removal of its file and of the infected registry "Run=" keys. The worm deletes the MSCONFIG.EXE file in the Windows system directory, then looks for active applications with the following names and kills them (terminates these processes):

"AVP Monitor"
"AntiVir"
"Vshwin"
"F-STOPW"
"F-Secure"
"vettray"
"InoculateIT"
"Norman Virus Control"
"navpw32"
"Norton AntiVirus"
"Iomon98"
"AVG"
"NOD32"
"Dr.Web"
"Amon"
"Trend PC-cillin"
"File Monitor"
"Registry Monitor"
"Registry Editor"
"Task Manager"

As a result, the worm disables several types of anti-virus protection and immediately closes Registry editors upon their start-up. The worm also kills Kaspersky Anti-Virus (formerly AVP) anti-virus databases.

Member of SETI Distributed Network

The worm installs and activates the SETI (Search for Extraterrestrial Intelligence) software on an infected computer (see more information about SETI at http://setiathome.berkeley.edu). The SETI software is downloaded by the worm to the Windows directory under the name MSSETI.EXE from the following FTP sites:

ftp://ftp.cdrom.com/pub/setiathome/setiathome-3.03.i386-winnt-cmdline.exe
ftp://ftp.let.uu.nl/pub/software/winnt/setiathome-3.03.i386-winnt-cmdline.exe
ftp://ftp.cdrom.com/.2/setiathome/setiathome-3.03.i386-winnt-cmdline.exe
ftp://alien.ssl.berkeley.edu/pub/setiathome-3.03.i386-winnt-cmdline.exe
ftp://setidata.ssl.berkeley.edu/pub/setiathome-3.03.i386-winnt-cmdline.exe

The worm also creates the following files in the Windows directory:

USER_INFO.SAH and VERSION.SAH, with SETI-specific information
MSSETI.PIF, RUN_MSSETI.VBS, MSSETI.BAT, to run the SETI program

and registers the RUN_MSSETI.VBS file in the Registry auto-run keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
msseti = WScript.exe "%WinDir%\run_msseti.vbs"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
msseti = WScript.exe "%WinDir%\run_msseti.vbs"

The USER_INFO.SAH file contains user-specific information about the SETI user; the worm writes the following IDs there:

id=2199938
key=1603033966
email_addr=gl_storm@seznam.cz
name=GL_STORM
country=Czech Republic
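A read-only triage check for the persistence artefacts described above (the "Run="/"RunServices" values, the dropped files and the deleted MSCONFIG.EXE), added here as an example; it is not code from the original description or from any anti-virus vendor. It assumes a modern PowerShell session with read access to HKLM; the RunServices keys do not exist on NT-based Windows and are simply skipped, and every value and file name below is taken from the description.

```powershell
# Added example: report-only check for I-Worm.Hadra persistence artefacts.
# It only lists findings; it deletes nothing. Run elevated to read HKLM.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
)
# Value names the worm registers under the auto-run keys (from the description).
$valueNames = @('msservice', 'msseti')
# Files the worm drops into %WinDir% (from the description).
$dropped = @('msserv.exe', 'msseti.exe', 'msseti.pif', 'run_msseti.vbs',
             'msseti.bat', 'user_info.sah', 'version.sah')

$findings = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }          # RunServices is absent on NT
    $props = Get-ItemProperty -Path $key
    foreach ($name in $valueNames) {
        $val = $props.PSObject.Properties[$name]
        if ($val) {
            $findings += [pscustomobject]@{ Type = 'Registry'; Location = "$key\$name"; Detail = $val.Value }
        }
    }
}
foreach ($f in $dropped) {
    $path = Join-Path $env:windir $f
    if (Test-Path $path) {
        $item = Get-Item $path
        $findings += [pscustomobject]@{ Type = 'File'; Location = $path; Detail = "$($item.Length) bytes" }
    }
}
# A missing MSCONFIG.EXE is consistent with the worm's anti-removal behaviour,
# but it has other possible causes; treat it as corroborating evidence only.
$msconfig = Join-Path ([Environment]::SystemDirectory) 'msconfig.exe'
if (-not (Test-Path $msconfig)) {
    $findings += [pscustomobject]@{ Type = 'File'; Location = $msconfig; Detail = 'missing' }
}

if ($findings.Count -eq 0) {
    'No I-Worm.Hadra indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

A registry hit with the exact value names, together with MSSERV.EXE of the stated size in the Windows directory, is a much stronger signal than any single file or the missing MSCONFIG.EXE on its own.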
Malign Family
Description Malign Family
These are not dangerous, memory-resident parasitic viruses. They hook INT 21h and, when the DOS GetDisk or SetDisk functions are called, search for COM files and write themselves to their beginnings. Sometimes they display the string "Malign". On a read/write error, the "Malign.630" variant also displays "Wait".
Malmsey.495.a
Description Malmsey.495.a
This is a dangerous, non-memory-resident parasitic virus. It searches for EXE files and writes itself to their ends. Sometimes it infects files incorrectly, and they hang upon execution. It contains the internal texts: LM Malmsey Habitat v. 2.0 Lucifer Messiah -- ANARKICK SYSTEMS 07-18-92 Happy Birthday Pob!!