Virus Database


I-Worm.NetSky.y

Description I-Worm.NetSky.y

This worm spreads via the Internet as a file attached to infected messages. It is written in Microsoft Visual C++ and packed using PE_Patch+TeLock. The packed file is 26112 bytes in size, and the unpacked file is 28160 bytes in size.
Infected messages
The characteristics of infected messages vary according to domain:
Sender's address:
hukanmikloiuo@yahoo.com
Domain ".tc":
Message header:
Re: belge
Message body
mutlu etmek okumak belgili tanimlik belge.
Attachment name
belge.pif
Domain ".se":
Message header
Re: dokumenten
Message body
Behaga läsa dokumenten.
Attachment name
dokumenten.pif
Domain ".fi":
Message header
Re: dokumentoida
Message body
Haluta kuulua dokumentoida.
Attachment name
dokumentoida.pif
Domain ".pl":
Message header
Re: udokumentowac
Message body
Podobac sie przeczytac ten udokumentowac.
Attachment name
udokumentowac.pif
Domain ".no":
Message header
Re: dokumentet
Message body
Behage lese dokumentet.
Attachment name
dokumentet.pif
Domain ".pt":
Message header
Re: original
Message body
Leia por favor o original.
Attachment name
original.pif
Domain ".it":
Message header
Re: documento
Message body
Legga prego il documento.
Attachment name
documento.pif
Domain ".fr":
Message header
Re: document
Message body
Veuillez lire le document.
Attachment name
document.pif
Domain ".de":
Message header
Re: dokument
Message body
Bitte lesen Sie das Dokument.
Attachment name
dokument.pif
Other Domains:
Message header
Re: document
Message body
Please read the document.
Attachment name
document.pif
The worm is activated only if the user launches the infected file by double-clicking the attachment. The worm then installs itself on the system and starts propagating.
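The per-domain subject and attachment pairs listed above can be turned into a mail-filter check. The following Python sketch is an added example, not part of the original description; the function names, the hit labels and the sample messages are assumptions made for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Recipient TLD -> (subject, attachment), transcribed from the description above.
# "*" is the "Other Domains" row.
NETSKY_Y = {
    "tc": ("Re: belge", "belge.pif"),
    "se": ("Re: dokumenten", "dokumenten.pif"),
    "fi": ("Re: dokumentoida", "dokumentoida.pif"),
    "pl": ("Re: udokumentowac", "udokumentowac.pif"),
    "no": ("Re: dokumentet", "dokumentet.pif"),
    "pt": ("Re: original", "original.pif"),
    "it": ("Re: documento", "documento.pif"),
    "fr": ("Re: document", "document.pif"),
    "de": ("Re: dokument", "dokument.pif"),
    "*": ("Re: document", "document.pif"),
}
SENDER = "hukanmikloiuo@yahoo.com"  # sender address given in the description

def indicators(raw: bytes) -> set[str]:
    """Return which NetSky.y indicators one raw RFC 5322 message carries."""
    msg = message_from_bytes(raw, policy=policy.default)
    tld = parseaddr(str(msg.get("To", "")))[1].rpartition(".")[2].lower()
    subject, attachment = NETSKY_Y.get(tld, NETSKY_Y["*"])
    names = {(part.get_filename() or "").lower() for part in msg.walk()}
    hits = set()
    if str(msg.get("Subject", "")).strip() == subject:
        hits.add("subject")          # subject matches the row for this TLD
    if attachment in names:
        hits.add("attachment")       # attachment name matches the same row
    if any(n.endswith(".pif") for n in names):
        hits.add("pif")              # any .pif attachment, weaker on its own
    if parseaddr(str(msg.get("From", "")))[1].lower() == SENDER:
        hits.add("sender")
    return hits

def is_netsky_y(raw: bytes) -> bool:
    # Require subject and attachment to match the same per-domain row.
    return {"subject", "attachment"} <= indicators(raw)

def sample(to, subject, filename, sender="someone@example.org"):
    # Constructed test message with a harmless placeholder attachment.
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, to, subject
    m.set_content("constructed test body")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

Requiring both fields to match the same row keeps the rule specific; the bare `.pif` hit is better used as a separate, lower-confidence signal.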
Installation
When installing, the worm copies itself under the name FirewallSvr.exe to the Windows folder and registers this file in the system registry autorun key:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\FirewallSvr]
Mass mailing
The worm searches files with the extensions adb, asp, dbx, doc, eml, htm, html, msg, oft, php, pl, rtf, sht, tbb, txt, uin, vbs and wab, harvests email addresses from them and then sends copies of itself to these addresses. It creates a file in the Windows directory called fuck_you_bagle.txt, and writes its body to this file. This file is then used to generate infected messages.
Remote administration
The worm opens port 82 and tracks port activity. The backdoor function makes it possible for files to be downloaded onto the victim machine.
Other
The worm is programmed to carry out DoS attacks between the 27th and 30th April on the following servers:
www.educa.ch
www.medinfo.ufl.edu
www.nibis.de


Privet.1152

Description Privet.1152

It is a non-dangerous memory-resident parasitic virus. It writes itself to the end of .EXE files (except EXE files that are packed with the PKLite utility). When an infected file is executed, the virus searches for .EXE files in the current directory and infects them. The virus then hooks INT 21h, stays memory resident and searches for .EXE files to infect whenever any file is executed, loaded for debugging or loaded as an overlay (INT 21h, AH=4Bh).
Depending on its generation the virus displays a message in Russian. The virus also contains the string:
*.exe skh

Pro-Alife.3423

Description Pro-Alife.3423

It is a dangerous memory resident parasitic virus. It hooks INT 21h and writes itself to the end of EXE files that are executed. When a program is terminated, it displays one of the messages:
Kill an evil satanic ANTI-VIRAL product for Jesus today!
Stop Disinfectants NOW!
Ain't aLife A Beautiful Choice?
And God Said, "Let There Be Life!", and there wasall..
Save the Viruses! They're People Too!!!!
PRO-aLIFE and PROUD! STOP THE VIRUS KILLERS! HALT THE AV!
STORM THE COMPU-CLINICS! DON'T LET THEM KILL THE VIRUSES!!!
Operation Rescue-II, Save the HELPLESS UNBORN Viruses!!!

When the anti-virus programs are executed:
F-PROT.EXE TBSCAN.EXE TBAV.EXE TBCLEAN.EXE SCAN.EXE CLEAN.EXE VIRSTOP.EXE
MSAV.EXE VSAFE.EXE CPAV.EXE FSP.EXE VDEFEND.EXE

the virus overwrites them with a trojan program that displays the following when executed:
Eddie Lives, Somewhere in time! ____________ 1704 Jerusalem
Casino :( ;( =( Smeg off! _____ ____ Frodo Lives! APRIL FOOLS!
Get a late pass! Datacrime _______________ Brain Void-Poem
Your PC is now STONED! __ OO _____ O _ Copy me, I want to travel!
1,000,000,000 Viruses DIED Today!
And yesterday, and more will die tomorrow!
_/\_STOP THE KILLING!_/\_
Look What You're Doing To Them!
Below is an aborted virus... Support PRO-aLIFE Activism!
This program has been TERMINATED by the Virus Survival Underground Movement.
It had long stood as a horrible BABY VIRUS KILLER, and had to be removed.
Life, What a Beautiful Choice (tm).
--==___[OPERATION RESCUE II - SAVING THE BABY VIRUSES!]___==--
Thank you for choosing life over destruction.
Have a Nice Day (tm).

"Pro-Alife.3423.b" displays the messages:
THE PREDATOR presents the J.TTPOG Virus (c) 1996 SWEDEN!!!!!
THE PREDATOR presents the _ _ _
J.TTPOG VIRUS (c) 1996/03/15 _ _ _
SWEDEN _____ _
And says _ _ _ _ _ _

    Copyright © 2005 Virus-Database.com