Virus Database

I-Worm.Masana

Description I-Worm.Masana

I-Worm.Masana is a worm virus spreading via the Internet as an attachment to infected emails. The worm itself is a Windows PE EXE file about 107Kb in size - ASPack compresses it, the decompressed size is about 138Kb, written in Delphi.
Infected messages contain the following:

Another variant is the same subject and body as above but in Russian.

The worm activates from infected email only when a user clicks on the attached file. The worm then installs itself into the system, runs its spreading routine and payload.
The worm has bugs in its code; as a result some of its routines don't work.
Installing
While installing the worm copies itself into the Windows system directory with under the msys32.exe name and registers this file in the system registry (under Windows NT) or in the SYSTEM.INI (under Windows 9x) auto-run keys:
SYSTEM.INI
[boot]
shell=Explorer.exe msys32.exe -dontrunold

HKLMSoftwareMicrosoftWindowsCurrentVersionRun

Run as Administrator

Under Windows NT systems the worm gains Admin privileges. To do this the worm uses a breach in Windows NT security (so-called DepPloit exploit).
The Masana worm creates two additional files on disk that manage the exploit:

ERunAsX.exe
ERunAsX.dll

The worm then creates another copy of itself under the name EEXPLORER.EXE name and by using DepPLoit exploit starts this copy with administrator rights.
Spreading
To send infected messages the worm uses Windows MAPI functions.
To get victim email addresses Masana:

looks for *.HTM* files and extracts email-like strings
by using Windows MAPI functions it reads all unread messages from the Inbox and answers them.
Each time Masana is run it also sends infected message to the masyana@nm.ru address. This message looks as follows:
Subject: Masyanya!
Body: gygygy!
Attach: Masyanya.exe

Payload
On Mondays the worm starts a DoS (Denial of Service) attack on kavkaz.org.
Other
This worm also:

disables the MS Outlook Express 5.0 MAPISendMail warning.
adds to the system the user named masyanechkaa with Admin privileges (under Windows NT) I-Worm.Masana also contains the text string:

I-Worm.Masyanya v1.0 8) Just a hello-world wormall
The worm also creates an additional registry key that indicates the system is already infected:

HKCUEnvironmentID = 1

Check other viruses! Be aware! Use Antiviral Software

Konrad.999

Description Konrad.999

This is a dangerous, non-memory resident encrypted parasitic virus. It searches for .COM files, then writes itself to the end of the file. On November 9th, the virus hooks INT 13h, and sounds upon accessing to the hard drive. The virus does not leave an INT 13h handler as a memory resident program, and after host-program termination, the computer halts.
The virus contains the following texts:
ZuSe by DiGiTAL
by DiGiTAL [TECHNO]logies
+-------------------------+
|Name: KoNrAd ZuSe 1.0 |
|ORiGiN: Ost-Berlin (FRG) |
|Creator: -= DiGiTAL =- |
|Size: 999 bytes/501 bytes|
|last UpDate: 04-28-93 |
+-------------------------+
| not resident |
| infects COM-files only |
| uses SeLf-EnCrYpTiOn |
| RuN-TiMe oPeRaTiOon |
+-------------------------+
Grz2: ThE GuYz FrOm ThE FeZ, !TWIN, SyNeC, RoY, WaNgLeR 'n'
all -= (*) TELEKOMiKER (*) =- (kotz,brech,ätz,krepel,übergiball

Kontragapi

Description Kontragapi

It is a dangerous memory resident polymorphic parasitic virus. The virus does work only if system date's year is 1998, otherwise the virus does not install itself into the system memory. While installing the virus hooks INT 21h and writes itself to the end of COM files that are accessed. The virus corrupts several anti-virus programs: if filename begins with F-, TB, AV, VIR, SCAN, KILL (F-PROT, TBAV, AVP etc), the virus writes to the file header a small program that displays the message:
kontragapi

This is the "Entry Point Obscuring" virus, i.e. there is no JMP_Virus instruction at the file header. The virus uses one of standard tricks to write the JMP_Virus to the middle of the file: it reads file header, disassembles it at looks for suitable place for the JMP_Virus code.

Home