I-Worm.Navidad
Description I-Worm.Navidad
This is an Internet worm that spreads by means of e-mail using MAPI Outlook. The worm itself is a Windows EXE file about 32K in length. It is attached to e-mails under the name NAVIDAD.EXE.

When the worm is activated, it copies itself to the Windows system directory under the name WINSVRC.VXD and registers itself in the system. While registering, the worm uses a false name, WINSVRC.EXE, instead of WINSVRC.VXD ("EXE" instead of "VXD"), so the worm's "VXD" copy is not functional at this time. While registering in the system, the worm modifies two registry keys:

SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Win32BaseServiceMOD = %SystemDir%\winsvrc.exe

HKEY_CLASSES_ROOT\exefile\shell\open\command
{Default} = %SystemDir%\winsvrc.exe %1 %*

where %SystemDir% is the Windows system directory name (for example, C:\WINDOWS\SYSTEM). The worm also creates an empty key:

HKEY_CURRENT_USER\Software\Navidad

Because of the "EXE-VXD" bug, the affected system becomes non-functional: not one EXE file can be run because of the invalid "exefile\shell\open\command" key, and Windows displays a standard error message:

Windows cannot find WINSVRC.VXD
This application is needed for opening files of the "Application" type.

The REGEDIT.EXE utility (needed to recover the registry) cannot be executed either. On affected machines, REGEDIT.EXE should be renamed to REGEDIT.COM (with the help of Explorer, for example) and then run. The HKEY_CLASSES_ROOT\exefile\shell\open\command value should then be set to:

"%1" %*

When run, the worm also displays a message box (not reproduced here). The worm also creates a "blue-eye" icon in the system tray. When the icon is clicked, the worm displays a message and then one more message (neither reproduced here).

MORE WORM VARIANTS

There are more "Navidad" versions known.
They are just patched original versions: the code (program) is the same, but the text strings are replaced with new ones.

"Emanuel" version:
attached file name is EMANUEL.EXE
it copies itself to the Windows system directory under the name WINTASK.EXE
registers itself in the registry by the keys:
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Win32BaseServiceMOD = %SystemDir%\wintask.exe
HKEY_CLASSES_ROOT\exefile\shell\open\command
{Default} = %SystemDir%\wintask.exe %1 %*
creates an empty key HKEY_CURRENT_USER\Software\Emanuel
when run it displays a message box (not reproduced here)

"XMas" version:
attached file name is XXXXMas.exe
it copies itself to the Windows system directory under the name WINFILE.VXD
registers itself in the registry by the keys:
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Win32BaseServiceMOD = %SystemDir%\winfile.exe
HKEY_CLASSES_ROOT\exefile\shell\open\command
{Default} = %SystemDir%\winfile.exe %1 %*
creates an empty key HKEY_CURRENT_USER\Software\Xxxxmas
when run it displays a message box (not reproduced here)
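The registry changes above (the hijacked exefile handler, the Win32BaseServiceMOD autorun value and the empty marker key under HKEY_CURRENT_USER\Software) are easy to verify from a regedit export. The following is an added example written for this page, not code from the original description; it parses a constructed sample export, reports each of the three indicators for all three variants, and emits the repair value the description gives. Key and value names come from the description; the sample export and the helper names are constructed.

```python
# Added example, not code from the original description: inspect a regedit
# export for the registry changes described above (the hijacked exefile
# handler, the Win32BaseServiceMOD autorun value and the empty marker key)
# and emit the repair value. The export text below is a constructed sample.

CLEAN_EXEFILE_COMMAND = '"%1" %*'            # default handler the description restores
EXEFILE_COMMAND_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
KNOWN_AUTORUN_NAMES = {"win32baseservicemod"}  # autorun value name used by all variants
MARKER_KEY_NAMES = {"navidad", "emanuel", "xxxxmas"}  # empty HKCU\Software\<name> keys


def parse_reg_export(text):
    """Parse a minimal .reg export into {key_path: {value_name: data}}.

    Only REG_SZ lines ("name"="data" and @="data") are unescaped; other value
    types are kept as the raw right-hand side so they can still be inspected.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, data = line.split("=", 1)
        name = "" if name == "@" else name.strip('"')   # "" is the (Default) value
        if data.startswith('"') and data.endswith('"'):
            # Undo .reg escaping of backslashes and quotes inside string data.
            data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        keys[current][name] = data
    return keys


def check_exefile_handler(keys):
    """Return (status, value): 'ok', 'hijacked' or 'missing'."""
    value = keys.get(EXEFILE_COMMAND_KEY, {}).get("")
    if value is None:
        return ("missing", None)
    if value.strip().lower() == CLEAN_EXEFILE_COMMAND.lower():
        return ("ok", value)
    return ("hijacked", value)


def find_known_autoruns(keys):
    """(key, name, data) tuples under any CurrentVersion Run key whose value
    name is one of the names the description lists."""
    hits = []
    run_suffix = "\\software\\microsoft\\windows\\currentversion\\run"
    for key, values in keys.items():
        if not key.lower().endswith(run_suffix):
            continue
        for name, data in values.items():
            if name.lower() in KNOWN_AUTORUN_NAMES:
                hits.append((key, name, data))
    return hits


def find_marker_keys(keys):
    """Keys directly under HKEY_CURRENT_USER Software whose leaf name is a marker name."""
    prefix = "hkey_current_user\\software\\"
    return [k for k in keys
            if k.lower().startswith(prefix)
            and k.rsplit("\\", 1)[-1].lower() in MARKER_KEY_NAMES]


def repair_fragment():
    """A .reg fragment that restores the clean exefile handler value."""
    return ("Windows Registry Editor Version 5.00\n\n"
            "[" + EXEFILE_COMMAND_KEY + "]\n"
            '@="\\"%1\\" %*"\n')


# Constructed sample export mirroring the modifications listed in the description.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Win32BaseServiceMOD"="C:\\WINDOWS\\SYSTEM\\winsvrc.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\winsvrc.exe %1 %*"

[HKEY_CURRENT_USER\Software\Navidad]
'''

if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_EXPORT)
    print(check_exefile_handler(parsed))
    print(find_known_autoruns(parsed))
    print(find_marker_keys(parsed))
    print(repair_fragment())
```

The handler check compares against the literal "%1" %* the description says to restore, so any other command line (including the WINTASK.EXE and WINFILE.EXE variants) is reported as hijacked; the repair fragment is the same text you would type into a recovered REGEDIT.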
I-Worm.Nyxem
Description I-Worm.Nyxem
This worm spreads via the Internet as an attachment to infected messages. It also spreads via Yahoo Pager and MSN Messenger. The worm itself is written in Visual Basic, and is a PE EXE file, 76060 bytes in size. The file is packed using UPX, and the unpacked file is approximately 130KB in size.

Infected messages

There are two types of infected message.

Type one:

Message header (chosen from the following list):
<<~SEX~>>
TeenRapers.mov
Asses Mpeg's
FW: (-Sucking-)
FW: **Hot Movie**
FW: File - WebCam.mpeg
FW: Lesbian & gays Mpeg
Fw: My Funny Ass
FW:RE: Least *21* Years
FW:Re:Hot Erotic
Re: Double suck (movie)
RE: FW: Women Mpeg
Re: Why? Form Back.mpg
very hot XXX Video Clip

Message body (chosen from the following list):
Babe sucking black Dog MPEG
funny movie
hey guys my name is April Goostree i am a sexy 22 yr old bbw , 5'9, 48 dd , big ole booty, jus lovin life, until i get my pics posted in here you can either check out my profile or join my own yahoo group Texas-Sexy@groups.msn.com, either way works for me..i hope to become very active in this group, i like to get to know people, like to get on cam once in a while, jus to chill, when they aint none home..thats why its once in a while yaknow..anyways jus holla at meall n thanks for lettin me join!!! kisses kandee..Bye
Dozens of Free Video Clips to download.Many Niches. Updated regularly and more added daily.Taken From Vivi's Lovely Briefcase.
very good movie >>> Video's Media Player.
SEX SEX * Sluts Tits Video Mpeg's
Mpeg Video Clips
Cum and check this fun group out...Sexy ladies!! Come post your ad,..this is a real swingers group!!
I'm attatching a Video Clip of my wife if interested in checking it out!
-==This server does not support Transfer Big Movies==-
wo Hotttt gurls sucking a hansum cock Softly
Watch the Paris Hilton Sex Tape for Free!
Video's Girls Erotic WebCam's Tits Mpeg's Girls Ass SEX Pussy Video Clips
Here is another Vclip of my daily group :|
All kinda Women Can be Found Here To Satisfy Women Lovers' Eyes
u Love asses? Here is a great ass open wide waitin for ur lil Cock Bye
movie attached open by media Player 7.1
when i saw my ass i slept 3 hours why?? check my ass
sorry my movie LOOOOOOOOL joke (^!^) Bye
Check This ?ucking Babe ;D ?ucking = Sucking=Fucking

Attachment name (chosen from the following list):
17Ag_double_suck__part[2].MPEG_.scr
April_FromTexas.MPEG_.scr
Video_briefcase_Group[13].MPEG_.scr
Julia_1997_Fucking.MPEG_.scr
juanita_in_the_kitchen.MPEG.scr
After_2AM_small_room[4].MPEG__.scr
Graham_Hilton_Sex[4].MPEG__.scr
WebCam_12girls_Ass.mpeg_.scr
Shakira_Anal_very_old.MPEG.scr
why_fuck_anal_back.MPEG.scr
open_girl_21year.MPEG.scr
Ricky_Gay_ass.MPEG______________.scr
GrahamCluley_freakin_Ass_.MPEG__.scr
Sexual_Crimes.MPEG____.scr

Type two:

Message header:
Fw: Virus Alert

Message body:
Dear User ,
This is A very High Resk Virus Alert. This email is sent to you because one or some of your friends has been infected with The W32.BlackWorm.A@mm Virus. And you could be infected too. This Virus has the ability to damage the hard disk. This Virus infects computers using many new ways :
1- it arrives as an email attachment inside of jpg pictures.
2- it infects the ip address without the victim's knowledge.
3- it infects Microsoft Word Documents using a new exploit in hex (00fxf0xf10x).
Notes: Symantec Consumer products that support Worm Blocking functionality automatically detect this threat as it attempts to spread. Symantec Security Response has attached a removal tool to clean and prevent the infections of W32.BlackWorm.A@mm.
--------------------------------------------------------------------------------
Sincerely
Norton AntiVirus

Attachment name:
FIX_BLACKWORM.COM
SCAN.ZIP (inside - FIX_BLACKWORM.COM)
SCAN.TGZ (inside - FIX_BLACKWORM.COM)

Installation

Once launched, the worm copies itself and its components to the Windows system directory. The name is chosen at random by the worm from the names of files which already exist. The worm then adds a space to the end of the name, e.g. kodakprv. exe. Once the file has been created, the worm registers it in the system registry autorun keys:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

When launched, the worm also launches Windows Media Player.

Propagation

The worm uses its own libraries (ossmtp.dll, oswinsck.dll) to send messages via SMTP. The worm harvests e-mail addresses from Yahoo and MSN Messenger, and also scans files with the extensions .htm and .dbx to harvest addresses.

Other

The worm attempts to prevent antivirus programs from launching. It deletes the following registry keys:

NPROTECT
ccApp
ScriptBlocking
MCUpdateExe
VirusScan Online
MCAgentExe
VSOCheckTask
McRegWiz
McVsRte
PCClient.exe
PCCIOMON.exe
pccguide.exe
PccPfw
PCCIOMON.exe
tmproxy
McAfeeVirusScanService
NAV Agent
PCCClient.exe
SSDPSRV
Taskmon
KasperskyAv
system.
msgsvr32
Windows Services Host
Explorer
Sentry
ssate.exe
winupd.exe
au.exe
OLE

The worm attempts to conduct a DoS attack on www.nymex.com
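Three details in the description lend themselves to simple checks: every attachment name carries a media-looking extension padded with underscores before the real .scr or .com extension, the dropped file reuses an existing file name with a space added next to the extension, and a fixed list of security-product autorun values is deleted. The following is an added example written for this page, not code from the original description: an attachment-name classifier, a check for the spaced autorun file name, and a comparison of a known-good Run-key baseline against the current state. The attachment names are the ones listed above; the benign names, the baseline and the helper names are constructed.

```python
# Added example, not code from the original description: filename checks a mail
# gateway or endpoint baseline comparison could apply to the tricks the
# description lists: a media-looking double extension ending in .scr, an autorun
# file name with a space added next to the extension, and autorun values for
# security products that have disappeared. The attachment names are the ones
# from the description; the baseline and the benign names are constructed.

EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd"}
MEDIA_EXTS = {"mpeg", "mpg", "avi", "mov", "wmv", "jpg", "jpeg", "gif", "zip"}

# Autorun value names the description says the worm deletes.
NYXEM_TARGETED_AUTORUNS = [
    "NPROTECT", "ccApp", "ScriptBlocking", "MCUpdateExe", "VirusScan Online",
    "MCAgentExe", "VSOCheckTask", "McRegWiz", "McVsRte", "PCClient.exe",
    "PCCIOMON.exe", "pccguide.exe", "PccPfw", "tmproxy", "McAfeeVirusScanService",
    "NAV Agent", "PCCClient.exe", "SSDPSRV", "Taskmon", "KasperskyAv", "system.",
    "msgsvr32", "Windows Services Host", "Explorer", "Sentry", "ssate.exe",
    "winupd.exe", "au.exe", "OLE",
]


def attachment_verdict(name):
    """Classify an attachment name.

    'executable-masquerade': final extension is executable and an earlier
    dot-separated part (ignoring underscore padding such as 'MPEG______') is a
    media or archive extension; 'executable': any other executable extension;
    'other': everything else.
    """
    parts = name.lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return "other"
    for inner in parts[1:-1]:
        if inner.strip("_") in MEDIA_EXTS:
            return "executable-masquerade"
    return "executable"


def autorun_name_anomaly(path):
    """True when the file name in an autorun value has a space touching its
    final dot, i.e. an existing name with a space added before or after the dot."""
    base = path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1]
    dot = base.rfind(".")
    if dot <= 0:
        return False
    after = base[dot + 1] if dot + 1 < len(base) else ""
    return base[dot - 1] == " " or after == " "


def removed_targeted_entries(baseline_names, current_names):
    """Names from a known-good Run-key baseline that are absent now and belong
    to the list the worm targets (a quick sign of tampering with AV autostarts)."""
    targeted = {n.lower() for n in NYXEM_TARGETED_AUTORUNS}
    current = {n.lower() for n in current_names}
    return sorted((n for n in baseline_names
                   if n.lower() in targeted and n.lower() not in current),
                  key=str.lower)


# Constructed sample data: attachment names from the description plus benign
# names, and a constructed Run-key baseline versus its post-infection state.
SAMPLE_ATTACHMENTS = [
    "17Ag_double_suck__part[2].MPEG_.scr", "Ricky_Gay_ass.MPEG______________.scr",
    "FIX_BLACKWORM.COM", "quarterly_report.pdf", "setup.exe",
]
BASELINE_RUN = ["ccApp", "Taskmon", "Userinit", "NAV Agent"]
CURRENT_RUN = ["Userinit", "kodakprv"]

if __name__ == "__main__":
    for n in SAMPLE_ATTACHMENTS:
        print(n, "->", attachment_verdict(n))
    print(autorun_name_anomaly(r"C:\WINDOWS\SYSTEM\kodakprv. exe"))
    print(removed_targeted_entries(BASELINE_RUN, CURRENT_RUN))
```

The masquerade check strips underscore padding before comparing the inner extension, which is what makes "MPEG______________.scr" match; the baseline comparison only reports names from the worm's own list, so ordinary software removals do not raise alerts.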
I-Worm.Paukor
Description I-Worm.Paukor
This is a virus-worm that spreads via the Internet attached to infected e-mails. The worm itself is a Windows PE EXE file about 450Kb in length, and is written in Delphi. The worm has several components (main and additional) described below.

The infected messages have an attached FILES.EXE file (the worm itself), and have different text fields that are randomly selected by the worm from several variants (see below). The first line in the body is randomly selected from "Hi!" or "Hello,"; the last line in the body is also randomly selected from an empty line, or "Regards," "Your friend," "Best Regards" "Kind Regards", and is completed with %UserEmailName% (the user's display name in e-mail messages).

The Subject and Body variants are:

Subject: Your loved one in indecent pictures :(
Body:
Hi! or Hello,
I'm sorry I have to send you these compromising pictures with the one you love, or you loved. You will know where they were taken as soon as you see them. I' compressed it as a self extracting archive because I din't knew if you have WinZip. When you run it, it should display the extract dialog. I'm really sorry I had to be the one who told you about this.
Regards, or Your friend, or Best Regards or Kind Regards

Subject: Surprise for you!
Body:
Hi! or Hello,
I have a surprise for you. It's a electronic card made by myself :). It contains some graphics and sound and I had to compress it as self extracting archive. :)) I hope you like it, please see the attached file.
Regards, or Your friend, or Best Regards or Kind Regards

Subject: Pictures from the last party
Body:
Hi! or Hello,
Here are the pictures from the last party. Some of them are so funny! I compressed them as self extracting archive as they were too large, over 2.1 Mb! :)) I made the archive self extracting, because I din't knew if you have WinZip. When you run it, it should display the extract dialog. Please let me know what you think. :)
Regards, or Your friend, or Best Regards or Kind Regards

Subject: No subject
Body:
Hi! or Hello,
Here are some files related to what we have talk about. I made the archive self extracting, because I din't knew if you have WinZip. When you run it, it should display the extract dialog. Please let me know what you think. :)
Regards, or Your friend, or Best Regards or Kind Regards

The worm is activated from an infected e-mail only when a user clicks on the attached file. The worm then installs itself to the system, drops additional components and runs a spreading routine.

Main Component

When the main worm component, FILES.EXE, is executed, the worm installs its other components in the system. These components are created in the Windows directory with the following names:

SYSTRAY.EXE - 66K of length
CWAB.EXE - 341K of length
MSP.DLL - 20K of length

All are Windows PE EXE files and are written in Delphi, as is the main worm file. The EXE files (SYSTRAY.EXE and CWAB.EXE) are then executed by the main worm component. The worm's main component then copies itself (the FILES.EXE file) to the Windows directory, displays a "decoy" message (not reproduced here) and exits.

The CWAB Component

This is the worm component that, when run, spreads the worm by e-mail and sends an e-mail with a keylog file to the worm host (with e-mail addresses at @yahoo.com and @softhome.com). While sending e-mails, the worm obtains the victim's e-mail addresses from the WAB (Windows Address Book) database, connects to an SMTP server, and sends infected e-mail messages. This worm component is designed to be run only under the main FILES.EXE worm file. When run as a stand-alone application, it simply displays a fake message (not reproduced here) and exits.

The SYSTRAY and MSP Components

This is the "keylogger" worm component. When run, it registers itself in the registry auto-run key:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

It then activates the "key-logging" library MSP.DLL, which logs keyboard strokes to an MSP.DAT file in the Windows directory. This file is then sometimes sent to a host e-mail address. This worm component has the following "copyright" text strings in it:

PayK Worm Copyright (c) 2001 by TheShadow
Disclamer: This program has been made for educational and research purposes only.