I-Worm.Kelino
Description I-Worm.Kelino
This worm spreads via the Internet as an attachment to infected emails. The worm itself is a Windows PE EXE file about 12Kb long, written in Assembler. The infected messages carry different data depending on the worm version:

From (two variants):
"Microsoft Support"
"Microsoft HelpBoard"

Subject: Support Message

Body (first variant):
During the last time, many bugs were found in our software. Because of our product philosophie, we want to give our custumers as much security as possible. So we decided to send out to all known Microsoft custumers the NetBios patch Version 1.0 . This patch will fix all the known and possibly unknown bugs and securityholes on port 137 and 139 . The patch is completly free and easy to install. Our patch will install itself after starting and run as background process. After a successfull installation you should get an OK message box. Thanx for using Microsoft products.
Your Microsoft Support Team

Body (second variant):
During the last time, some bugs were found in our software. Because of our product philosophy, we want to give our customers as much security as possible. So, we decided to send out to all known Microsoft custumers the Security patch Version 1.0 . This patch will fix all the bugs and securityholes on port 137 and 139 . The patch is completly free and easy to install. Our patch will install itself after starting and run as background process. After a successfull installation you should get a confirmation message box. Thank you for using Microsoft products.
Your Microsoft Support Team

Attachment:
netbiospatch10.exe
secpatch10.exe
The worm activates from an infected email only if the user clicks on the attached file. The worm then installs itself to the system and runs its spreading routine and payload.

Installing

While installing, the worm copies itself to the Windows directory under one of the following names (depending on the worm version):
netbiospatch10.exe
secpatch10.exe

and registers its copy in the system registry auto-run key (depending on the worm version):
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
netpatch = netbiospatch10.exe
secpatch = secpatch10.exe

The worm then displays a fake error message:
KERNEL32 ERROR Couldn't execute frame buffer!
Spreading

To send infected messages, the worm gets email addresses from the WAB database and connects to the default SMTP server. The worm also sends a notification message with an empty body to its author:
From: "Kelaino"
To: kelaino@freenet.de
Subject: Slave Message
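A defender-side check for the indicators listed in this description, as an added example that is not part of the original entry: it flags a message by sender display name, subject and attachment name, and flags matching entries in the auto-run key. It assumes the Run key is supplied as the text printed by `reg query`; the function names, the sample message and the sample registry listing are constructed for illustration.

```python
import ntpath
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators copied from the I-Worm.Kelino description above.
FILES = {"netbiospatch10.exe", "secpatch10.exe"}
SENDERS = {"microsoft support", "microsoft helpboard"}
SUBJECT = "support message"
RUN_VALUES = {"netpatch", "secpatch"}
# Assumed input: one "name  REG_SZ  data" line per value, as `reg query` prints.
REG_LINE = re.compile(r"^\s+(\S.*?)\s+REG_(?:EXPAND_)?SZ\s+(.+?)\s*$")

def scan_message(raw: bytes) -> list[str]:
    """Return the Kelino indicators present in one raw e-mail message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    sender = msg["From"]
    if sender and any(a.display_name.lower() in SENDERS for a in sender.addresses):
        hits.append("from")
    if str(msg["Subject"] or "").strip().lower() == SUBJECT:
        hits.append("subject")
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower() in FILES:
            hits.append("attachment:" + name.lower())
    return hits

def scan_run_key(reg_query_output: str) -> list[str]:
    """Return Run-key value names that match the worm's auto-run entries."""
    hits = []
    for line in reg_query_output.splitlines():
        m = REG_LINE.match(line)
        if m and (m[1].lower() in RUN_VALUES
                  or ntpath.basename(m[2].strip('"')).lower() in FILES):
            hits.append(m[1])
    return hits

def sample_message() -> bytes:  # constructed: headers and file name only
    m = EmailMessage()
    m["From"] = '"Microsoft Support" <support@example.invalid>'
    m["Subject"] = "Support Message"
    m.set_content("constructed test body")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename="netbiospatch10.exe")
    return m.as_bytes()

SAMPLE_REG = r"""HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SystemTray    REG_SZ    SysTray.Exe
    netpatch    REG_SZ    netbiospatch10.exe"""  # constructed listing
```

A single hit on the sender name or subject is weak evidence on its own; the attachment name or a Run-key match is the stronger signal.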
GW.1201
Description GW.1201
This is a harmless, memory-resident, encrypted parasitic virus. It hooks INT 21h and writes itself to the end of COM and EXE files that are executed or closed. The virus checks file names and does not infect anti-virus programs and files with the names: AIDSTEST, DRWEB, COMMAND, IBM*, AVP. While infecting, the virus uses the undocumented System File Tables. The virus also uses other tricks to hide itself in memory and to access system resources: it traces INT 13h to get the original INT 13h handler, and patches the DOS kernel to intercept file access calls. The virus is encrypted in files as well as in system memory. When needed, the virus decrypts its routines, executes them and then encrypts them again. The virus does not manifest itself in any way. At the beginning of its code it contains a set of instructions that looks like a text string:
_GW
Gwar
Description Gwar
This is a very dangerous, memory-resident, encrypted, stealth boot virus. It hooks INT 13h and writes itself to the boot sector of diskettes and the MBR sector of the hard drive when they are accessed. The virus places its TSR copy in the interrupt table. From January 1st to 7th the virus displays a message and erases sectors on the hard drive. The message reads as follows:
Gwar virus by T-2000