Virus Database

I-Worm.Naver

Description I-Worm.Naver

This is email worm spreading by affecting MS Outlook. The worm itself is Win32 executable file about 50K of length. The worm is written in Visual Basic language.
When the worm is run it displays the dialog box:
Windows Secirity Upgrade

This is an upgrade for Microsoft Windows 9x/Me/NT/2000
to solve some protocol TCP/IP problems and for SSL
(Secure Sockets Layer) secure system exploration.

Do you want to install the upgrade now?

[ OK ] [ Cancel ]
On "OK" the worm displays the message:
Upgrade
Upgrade completed, thank you
Then, as well as on "Cancel" click, the worm installs itself to the system. It copies itself to Windows directory with WINSYS.EXE name and to Windows system directory with the WINSYS.EXE name. The latter file is then registered in Registry auto-run section:
HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun WLWin = %windir%WINSYS.EXE
The worm also creates additional registry key that indacates that the system is already infected:
HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersion WLKey = 1
The worm also creates NAVER.TXT file in Windows system directory and writes to there a text that is then used in infected messages body (see below).
The worm then connects to MS Outlook address book, get email addresses from there and sends itself attached to emails:
Subject: Re: Windows Upgrade
Body:
Use this patch!!, goodbye

>
> From: "Micosoft upgrades"
> To: "Windows users"
> Subject: Upgrade
> Date: Mon, 11 Jun 2001 11:02:34 +0200
>
> Microsoft programs bugs that are costantly found, are immediately often solved by little
> patches, that are regulary pubblished on the official site, but despite this only few
> users use this patches. Because of this a lot of users consider Microsoft systems
> unsecure, you can solve all the problems at base, upgrading costantly the system,
> because of this Microsoftî decided to exploit FAQ mail to reach the majority of users.
> By FAQ mail you have recived it, that contain the first upgrade, naver.exe file
> (Upgrade 11 Jun 2001), an upgrade that is used for increase security of Windows system
> protocol TCP/IP problems and for SSL (Secure Sockets Layer) secure system exploration.
> For a correct operation copy naver.exe in c: and run it
>
> Foward this mail at your friends with the relative attachment or if you don't want to
> receive any other upgrades send an empty mail to deletelist@microsoft.com with subject
> "Delete from database".
>
> We thank in advance all the users that will agree the project.
>
> Answerable Microsoftî Upgrades John Milton
> http://www.microsoft.com/security/
>

Attachment: NAVER.EXE
In some cases (depending on current date?) the worm removes its registry keys, deletes its files and displays the message:
VIRUS !!!!!!!!!!!
Virus Eclisse has infected
Don't try to close the counter before zero otherwise it will be restarted,
the system will be released only when the countdown counts zero.

Now you are able to use your computer, this Virus automatically delete
itself, byez. ( Translation by M_O_R_B_O )

Check other viruses! Be aware! Use Antiviral Software

Remember.1283

Description Remember.1283

This is a benign non memory-resident parasitic virus. It searches for COM files, then writes itself to the end of the file. On April 24, it displays the following messages (possibly in Japanese):
óz------------------------------ó{{
óx [ Remember 4.0 ] óx
óx óx
óx íx "+ ++ +++ Ñ-ñ +++ íx óx
óx óx
óx |+"u |+Pxí |+"u |"+|+ óx
óx óx
óx b +¿ |úxNÑI++ p óx
óx óx
óx -@ +"+ p" +¿ |o+ ¿+ |"+|+ óx
óx óx
óu------------------------------ót
óx- Written by Jean at O.V.E.L -óx
ó|ówówówówówówówówówówówówówówówó}
<<< Welcome >>>
=================================
The OVEL bbs Tel is 02-927-7432
=================================

Remember.816

Description Remember.816

This is a benign non memory-resident parasitic virus. It searches for COM files, then writes itself to the end of the file. On April 24, it displays the following messages (possibly in Japanese):
óz------------------------------ó{{
óx [ REMEMBER ] óx
óx óx
óx íx "+ ++ +++ Ñ-ñ +++ íx óx
óx óx
óx |+"u |+Pxí |+"u |"+|+ óx
óx óx
óx b +¿ |úxNÑI++ p óx
óx óx
óx -@ +"+ p" +¿ |o+ ¿+ |"+|+ óx
óx óx
óu------------------------------ót
óx- Written by Jean July. (C). -óx
ó|ówówówówówówówówówówówówówówówó}

Home