Virus Database


I-Worm.Maldal

Description I-Worm.Maldal

This is a dangerous virus-worm that spreads via the Internet as an attachment to infected e-mails. It installs another Internet worm: I-Worm.Maldal. The worm also carries a destructive payload.
The worm itself is a Windows PE EXE file about 36.5K in length, and is written in Visual Basic 5.
The infected messages contain:

The worm is activated from an infected e-mail only when a user clicks on the attached file. The worm then installs itself to the system, runs its spreading routine and payload. It displays the following picture only once:

Installation
While installing, the worm copies itself to the Windows system directory with the name "Christmas.exe" and registers this file in the system registry auto-run key.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Zacker = <windir>\Christmas.exe
Spreading via E-mail
To send infected messages, the worm uses MS Outlook, and sends messages to all addresses found in the Outlook address book.
Installation of the other worm
The worm changes the Internet Explorer start page to: http://geocities.com/jobreee/ZaCker.htm*.
This HTM file contains another Internet worm, VBS.Kerza, which is run when Internet Explorer is started.
Destructive payload
The worm blocks the keyboard and tries to delete all files in the Windows System directory.
*WARNING: DO NOT USE THIS LINK!


Backdoor.SdBot.gen

Description Backdoor.SdBot.gen

This is a family of backdoor malicious programs, which provide the user with remote control over victim machines. This is achieved by sending commands via IRC channels.
Installation
Depending upon the program version, the backdoor copies itself either to the Windows System directory or to other directories located in the System directory. The program also registers a copy of itself in the system registry, which ensures that it will be executed when Windows is started:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
The registry value will vary according to which version of the backdoor has infected the machine.
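A defender's check for the two auto-run keys named on this page, added here as an example and not part of the original descriptions: it parses registry export text, lists every string value under Run and RunServices (useful for Backdoor.SdBot, whose value name varies), and flags the "Zacker" / "Christmas.exe" entry described for I-Worm.Maldal. The function names and the sample export are assumptions made for the illustration.

```python
import re

# Auto-run keys named on this page, lower-cased for case-insensitive matching.
AUTORUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
# Indicators from the I-Worm.Maldal description: value name and file name.
MALDAL_VALUE_NAME = "zacker"
_MALDAL_FILE = re.compile(r'(?:^|[\\/"])christmas\.exe(?:$|["\s])', re.I)
# A quoted "name"="data" line; \\ and \" are escapes inside .reg strings.
_STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample in registry export text form (not taken from a real host).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zacker"="C:\\WINDOWS\\Christmas.exe"
"Updater"="\"C:\\Program Files\\Example\\update.exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Helper"="C:\\WINDOWS\\SYSTEM\\helper.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example]
"Zacker"="not an auto-run key"
'''


def autorun_entries(reg_text):
    """Yield (key, value_name, data) for string values under the auto-run keys."""
    key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # section header: remember the current key
            continue
        match = _STRING_VALUE.match(line)
        if match and key and key.lower() in AUTORUN_KEYS:
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in match.groups())
            yield key, name, data


def maldal_hits(reg_text):
    """Return auto-run entries matching the Maldal value name or file name."""
    return [(key, name, data) for key, name, data in autorun_entries(reg_text)
            if name.lower() == MALDAL_VALUE_NAME or _MALDAL_FILE.search(data)]
```

Registry exports in the "Version 5.00" format are UTF-16 encoded, so decode the file before passing its text to these functions; only quoted string values are parsed, and hex-encoded value types are skipped.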
Payload
Backdoor.SdBot connects to a range of IRC servers, then joins a channel that is hard-coded into its body. It is then ready to receive remote commands, such as downloading and executing remote files, acting as an IRC proxy server, joining IRC channels, sending messages via IRC, and sending UDP and ICMP packets to remote computers.

Backdoor.Subseven

Description Backdoor.Subseven

This is a remote administration utility used to control infected machines. It functions in a similar way to the Backdoor.BO (a.k.a. Back Orifice) Trojan.

    Copyright © 2005 Virus-Database.com