I-Worm.Ivalid
Description I-Worm.Ivalid
This is a dangerous worm that spreads over the Internet as an attachment to email messages. The worm itself is a Windows application about 12K in size.

To spread, the worm uses SMTP and connects to the "mail.bezeqint.net" email server to send infected messages. The worm gets victim email addresses from HTML files: it searches the hard drive for *.HT* files and looks for email addresses in them.

The infected messages have the following data:

    From: "Microsoft Support" [support@microsoft.com]
    Subject: Invalid SSL Certificate
    Attach: SSLPATCH.EXE

Message text:

    Hello,

    Microsoft Corporation announced that an invalid SSL certificate that web sites use is required to be installed on the user computer to use the https protocol. During the installation, the certificate causes a buffer overrun in Microsoft Internet Explorer and by that allows attackers to get access to your computer. The SSL protocol is used by many companies that require credit card or personal information so, there is a high possibility that you have this certificate installed. To avoid of being attacked by hackers, please download and install the attached patch. It is strongly recommended to install it because almost all users have this certificate installed without their knowledge.

    Have a nice day,
    Microsoft Corporation

In case of error, or when infected messages are sent, the worm encrypts all EXE files in the current directory and all parent directories. For the encryption the worm uses the standard Windows crypto API.

The worm also contains the following texts in its body:

    I-Worm.Invalid, Written By Dr.T/BCVG Network, 2001
    The Black Cat Virii Group, 2001
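A mail-filter check for the message properties listed above, given as an added example that is not part of the original description. The function names, the scoring rule (attachment name alone, or From and Subject together) and the sample messages are assumptions made for illustration; the samples are constructed, not captured.

```python
from email import message_from_string
from email.utils import parseaddr

# Indicators taken from the description above.
IOC_FROM = "support@microsoft.com"
IOC_SUBJECT = "invalid ssl certificate"
IOC_ATTACHMENT = "sslpatch.exe"

def ivalid_indicators(raw_message):
    """Return which of the described indicators appear in one raw message."""
    msg = message_from_string(raw_message)
    hits = []
    # Compare the address itself, not the spoofable display name.
    _, addr = parseaddr(msg.get("From", ""))
    if addr.lower() == IOC_FROM:
        hits.append("from")
    # Collapse whitespace so folded or padded subjects still match.
    if " ".join(msg.get("Subject", "").split()).lower() == IOC_SUBJECT:
        hits.append("subject")
    # Walk every MIME part; the attachment may be nested.
    for part in msg.walk():
        name = part.get_filename()
        if name and name.strip().lower() == IOC_ATTACHMENT:
            hits.append("attachment")
            break
    return hits

def is_suspect(raw_message):
    # Assumed policy: the attachment name alone is enough, as is the
    # From/Subject pair; a matching From address alone is not.
    hits = set(ivalid_indicators(raw_message))
    return "attachment" in hits or {"from", "subject"} <= hits

def sample_message(sender, subject, filename):
    # Constructed multipart message used only to exercise the check.
    return (
        f"From: {sender}\n"
        f"Subject: {subject}\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b1"\n'
        "\n"
        "--b1\n"
        "Content-Type: text/plain\n\n"
        "Hello,\n"
        "--b1\n"
        "Content-Type: application/octet-stream\n"
        f'Content-Disposition: attachment; filename="{filename}"\n'
        "\n"
        "placeholder bytes\n"
        "--b1--\n"
    )
```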
Backdoor.Cabrotor.10.a
Description Backdoor.Cabrotor.10.a
Cabrotor is a backdoor trojan program (a hidden remote control trojan). The trojan itself is a Windows PE EXE file written in Delphi.

The original trojan package contains three main executable files:

    CaBrONaToR.exe - client to send commands to the remote server
    CaBrONeDiT.exe - server editor to modify default server settings
    8======D.exe - server (the trojan itself)

When run, the backdoor code copies itself to the Windows directory and registers itself in the auto-run section of the system registry. The backdoor EXE name and registry keys differ between backdoor versions. The known variant has:

    EXE name: ASDAPI.EXE

The registry key entries it makes are:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    Key name: LoadPowerProfile

The trojan then opens a connection to its master's IRC channel and waits for its master's commands.

The backdoor program performs the following commands:

    - reports computer info (Windows version, CPU type, UserName, CompanyName, etc.)
    - opens/closes the CD drive
    - reports directories and the file names in them
    - runs a local file or executes a command
    - sends information: RAS, MS Messenger and .NET services
    - exits Windows
    - downloads a requested file
    - performs a DoS attack on a requested victim address
    - terminates itself
Backdoor.CyberSpy
Description Backdoor.CyberSpy
Backdoor.CyberSpy is a malicious program which portrays itself as a telnet-server. It informs its creator about the presence of networks via either e-mail or ICQ and contains a component allowing it to make adjustments.

Upon execution, the virus copies itself into the Windows system directory and registers itself in the system registry so that it starts each time an infected system is rebooted. Once this is done, it sends a notice via e-mail or ICQ (according to settings made by its author), and then begins to listen covertly on a given TCP/IP port.

Having received the message sent back by the virus (information about specific networks, sent via ICQ or e-mail), the hacker controlling Backdoor.CyberSpy uses any telnet-client to gain access to the victim computer's command line (prompt).