Virus Database

I-Worm.Mydoom.a

Description I-Worm.Mydoom.a
Also known as Novarg.
This worm spreads via the Internet in the form of files attached to infected messages. It also spreads via the file sharing network Kazaa. The worm itself is a Windows PE EXE file of 22528 bytes, compressed using UPX. The decompressed file is approximately 40KB in size.
The worm is activated only if the user opens the archive and launches the infected file by double-clicking on the attachment. The worm then installs itself in the system and starts the replication process.
The worm contains a backdoor function, and is also programmed to carry out DoS attacks on the site www.sco.com on 1st February 2004.
Part of the body of the worm is encrypted.
Installation
Following launch, the worm opens Windows Notepad, showing a random selection of symbols:

During installation, the worm copies itself under the name taskmon.exe to the Windows system directory, and registers this file in the system registry auto-run key:
[HKLMSoftwareMicrosoftWindowsCurrentVersionRun]
[HKCUSoftwareMicrosoftWindowsCurrentVersionRun]
"TaskMon" = "%System% askmon.exe"
The worm creates a file shimgapi.dll in the Windows system directory which is a backdoor component (a proxy server) and also registers this in the system registry:
[HKCRCLSID{E6FB5E20-DE35-11CF-9C87-00AA005127ED}InProcServer32]
"(Default)" = "%SysDir%shimgapi.dll"
Shimgapi.dll will therefore launch as a procedure linked to Explorer.exe.
The worm also creates a file called Message in the temporary directory (usually in windir emp). This file contains a random selection of symbols.
So that the worm can identify itself in the system, it creates several additional keys in the system registry:
[HKLMSoftwareMicrosoftWindowsCurrentVersionExplorerComDlg32Version]
[HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerComDlg32Version]
While running it also creates a unique identifier SwebSipxSmtxSO.
Mailing of messages
When sending infected messages the worm uses its own SMTP engine. The worm attempts to connect directly to the recipient mail server.
In order to find email addresses to send infected messages to, the worm searches for files with the following extensions:
asp
dbx
tbb
htm
sht
php
adb
pl
wab
txt
and gathers email addresses found in these files. The worm ignores addresses with the suffix .edu.
Infected messages have the following characteristics:

Sender's address:
random
Message header: (chosen at random from the following list)
test
hi
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Error
Message body: (chosen at random from the following list)
test

The message cannot be represented in 7-bit ASCII encoding
and has been sent as a binary attachment.

The message contains Unicode characters and has been sent
as a binary attachment.

Mail transaction failed. Partial message is available.
Attachment name: (may be one word from the list below, or two words from the list below joined by an underscore)
document
readme
doc
text
file
data
test
message
body
The attachment may have one of the following extensions:
pif
scr
exe
cmd
bat
The worm may also send messages with a meaningless selection of characters in the message head, message body or attachment name.
Replication via P2P
The worm checks for the presence of a Kazaa client on the computer and copies itself to the file-sharing directory under the following names:
winamp5
icq2004-final
activation_crack
strip-girl-2.0bdcom_patches
rootkitXP
office_crack
nuke2004
with the following extensions:
bat
exe
scr
pif
Other
Shimgapi.dll is a proxy-server; the worm opens a TCP port between 3127 and 3198 on the infected machine in order to receive commands. The backdoor function allows the creator of the worm to gain full access to the system. In addition to this, the backdoor can execute random files downloaded from the Internet.
The worm also contains a function which enables it to carry out DoS attacks on the site www.sco.com. This function should activate on the 1st February and continue to work until 12th Febuary 2004. The worm will send a GET request every millisecond to port 80 of the site being attacked, which under the conditions of a global epidemic may lead to total breakdown of the site.

Check other viruses! Be aware! Use Antiviral Software

IDEA.6126

Description IDEA.6126

It is not a dangerous memory resident polymorphic parasitic virus. The virus code is encrypted three times - first loop is polymorphic, other loops are not polymorphic, but they use IDEA encryption algorithm. As a result virus decryption is a quite complex task, and when an infected file is executed even Pentium computers "sleep" for a second or two while the virus decrypts itself.
The virus then hooks INT 21h and stays memory resident. When COM and EXE files are executed, the virus writes itself to the end of the file. The virus does not infect COMMAND.COM and several anti-virus programs (TBAV, AVP, NAV, FINDVIRU, F-PROT, all) according to the string (two letters per name):
TBVIAVNAVSFIF-FVIVDRSCGUCO

After infecting the virus opens the ANTI-VIR.DAT file (if exists) and patches just infected file name in there - replaces the first character in file name with 01h (Smile ASCII).
When ZIP files are accessed by FindFirst/Next DOS commands, the virus adds an infected README.COM file to the ZIP archive. While infecting the virus drops a file on disk, infects it, appends infected file to the archive and then modifies archive structure. As a host file the virus uses one of three simple video-effect programs that keeps in its code. When executed these programs manifest themselves by a video effect and display the messages:
Downloaded From
http://www.narkotic.com/~vico
Da BeSt BoaRd In SPaiN: El GriLLo Loco (34-1-352 24 45)
* ROADKILL BBS *
Call now 028-6621590

While infecting ZIP archives the virus creates three temporary files: DIR.SKA, END.SKA, ADD.SKA.
At 15:30 the virus creates the C:VIRUS.COM file, writes the standard EICAR anti-virus test file to there, manifests itself by a video effect and displays the rotated message:
Warning!
strong
crypto
inside

The virus also contains the text strings:
IDEA virus (c) Spanska 98
Thx to Rajaat (poly),
F Mirza (IDEA),
Wild Worker (zip),
Solar D (road)

Idie.3520

Description Idie.3520

It is not a dangerous memory resident encrypted multipartite virus. It infects the MBR of the hard drive and writes itself to the end of COM and EXE files. The virus infects the MBR when an infected file is executed. It then hooks INT 13h, 1Ch, 21h and on file executing, closing or selecting new directory searches for files in current directory and infects them. The virus also searches executable files in PATH directories and also infects them.
The virus checks file names and does not infect several anti-virus programs: TOOLKIT, FINDVIRU, FV86, FV386, CLEANPAR, CLEANBOO, GUARD, GUARDMEM, VIVERIFY, SCAN, CLEAN, MSAV, VSAFE, IMENSCAN.
Depending on its internal counters the virus displays the messages:
I Never Forget K.Z.M.F Group !!!
I Die For Beautiful Girls !!!

Home