Virus Database

I-Worm.Paukor

Description I-Worm.Paukor

This is a virus-worm that spreads via the Internet attached to infected e-mails. The worm itself is a Windows PE EXE file about 450Kb in length, and is written in Delphi. The worm has several components (main and additional) described below.
The infected messages have an attached FILES.EXE file (the worm itself), and have different text fields that are randomly selected by the worm from several variants (see below).
The first and last lines in the message body are:
first line in Body is randomly selected from "Hi!" or "Hello,"
the last line in Body is also randomly selected from empty line, or
"Regards,"
"Your friend,"
"Best Regards"
"Kind Regards"
and is completed with %UserEmailName% (user's display name in email messages)
The Subject and Body variants are:
Subject: Your loved one in indecent pictures :(
Body:
Hi! or Hello,
I'm sorry I have to send you these compromising pictures with the one you love, or you loved. You will know where they were taken as soon as you see them.
I' compressed it as a self extracting archive because I din't knew if you have WinZip. When you run it, it should display the extract dialog. I'm really sorry I had to be the one who told you about this.
Regards, or Your friend, or Best Regards or Kind Regards
Subject: Surprise for you!
Body:
Hi! or Hello,
I have a surprise for you. It's a electronic card made by myself :). It contains some graphics and sound and I had to compress it as self extracting archive. :))
I hope you like it, please see the attached file.
Regards, or Your friend, or Best Regards or Kind Regards
Subject: Pictures from the last party
Body:
Hi! or Hello,
Here are the pictures from the last party. Some of them are so funny! I compressed them as self extracting archive as they were too large, over 2.1 Mb! :))
I made the archive self extracting, because I din't knew if you have WinZip. When you run it, it should display the extract dialog.
Please let me know what you think. :)
Regards, or Your friend, or Best Regards or Kind Regards
Subject: No subject
Body:
Hi! or Hello,
Here are some files related to what we have talk about.
I made the archive self extracting, because I din't knew if you have WinZip. When you run it, it should display the extract dialog.
Please let me know what you think. :)
Regards, or Your friend, or Best Regards or Kind Regards
The worm is activated from an infected e-mail only when a user clicks on an attached file. The worm then installs itself to the system, drops additional components and runs a spreading routine.
Main Component
When the main worm component, FILES.EXE, is executed, the worm installs its other components in the system. These components are created in the Windows directory with the following names:
SYSTRAY.EXE - 66K of length
CWAB.EXE - 341K of length
MSP.DLL - 20K of length

All are Windows PE EXE files and are written in Delphi, as is the main worm file. The EXE files (SYSTRAY.EXE and CWAB.EXE) are executed then by the main worm component. The worm's main component then copies itself (the FILES.EXE file) to the Windows directory, displays a "decoy" message and exits. The message appears as follows:

The CWAB Component
This the worm component, that when run, spreads the worm with e-mail and sends e-mail with a keylog file to the worm host (with an e-mail address at @yahoo.com and @softhome.com).
While sending e-mails, the worm obtains a victim's e-mail addresses from the WAB (Windows Address Book) database, connects to a SMTP server, and sends infected e-mail messages.
This worm component is designed for being run only under the main FILES.EXE worm file. Being run as a stand-alone application, it simply displays the following fake message and exits:

The SYSTRAY and MSP Components
This is a "keylogger" worm component. When run, it registers itself in the registry auto-run key:
HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun
then activates the "key-logging" library MSP.DLL, which logs keyboard strokes to a MSP.DAT file in the Windows directory. This file is then sometimes sent to a host e-mail address.
This worm's component has the following "copyright" text strings in it:
PayK Worm
Copyright (c) 2001 by TheShadow
Disclamer: This program has been made for educational and research purposes only.

Check other viruses! Be aware! Use Antiviral Software

I-Worm.SysClock

Description I-Worm.SysClock

This is an Internet worm (virus of the worm type) spreading via e-mails, IRC channels, infecting files on local computers and spreading itself to a local network. It also steals system passwords (PWL files) from infected computers, as well as has many harmless and dangerous payload routines. The worm itself is about 80Kb in size Win32 (PE EXE - Portable Executable) program written in Delphi, the "pure" worm code occupies about 20Kb and the rest is Delphi runtime library code, data, and the program's miscellaneous information.
The worm arrives as an e-mail with a fake message (see below) and attached PKZIP.EXE file that is the worm program itself. When the worm is executed, it installs itself into the system, infects files on a local drive, infects available logical drives, infects installed mIRC client, and sends infected e-mails by using the Eudora mail system.
Installing into the system
To install itself into the system, the worm copies itself with the KERNEL.EXE name into the Windows directory (on Win95/98 machines) or to the Windows system directory (on WinNT), and registers itself in the system registry auto-run key:
SOFTWAREMicrosoftWindowsCurrentVersionRun SysClock=kernel.exe

The worm also has an additional installation routine that installs the worm copies to all available drives. This routine is described below.
Infecting a computer
The worm is able to infect about 40 files on a computer, and infects no more than four files on each run. The worm infects files in the Windows directory:
NOTEPAD.EXE, CALC.EXE, DEFRAG.EXE, SCANDSKW.EXE, WRITE.EXE, WINIPCFG.EXE,
SCANREGW.EXE, DRWTSN32.EXE, NTBACKUP.EXE, REGEDT32.EXE, TASKMGR.EXE,
USRMGR.EXE

The worm then infects programs that are associated with registry keys:
SOFTWAREClassesAccess.Application.8 shellopencommand
SOFTWAREClassesAudioCD shellplaycommand
SOFTWAREClassesAVIFile shellplaycommand
SOFTWAREClassescdafile shellplaycommand
SOFTWAREClassesChat shellopencommand
SOFTWAREClientsNewsForte Agent shellopencommand
SOFTWAREClassesExcel.Sheet.8 shellopencommand
SOFTWAREClassesftp shellopencommand
SOFTWAREClassesgiffile shellopencommand
SOFTWAREClasseshlpfile shellopencommand
SOFTWAREClassesEudora DefaultIcon
SOFTWAREClassesEudora shellopencommand
SOFTWAREClassesMicrosoft Internet Mail Message shellopencommand
SOFTWAREClassesMicrosoft Internet News Message shellopencommand
SOFTWAREClassesMOVFile shellopencommand
SOFTWAREClassesMsi.Package shellopencommand
SOFTWAREClassespcANYWHERE32 shellopencommand
SOFTWAREClassesQuickView shellopencommand
SOFTWAREClassesRealPlayer.RAM.6 shellopencommand
SOFTWAREClassesWinamp.File shellopencommand
SOFTWAREClassesUnfinished Download shellopencommand
SOFTWAREClassesUltraEdit-32 Document shellopencommand
SOFTWAREClassesWhiteboard shellopencommand
SOFTWAREClassesvcard_wab_auto_file shellopencommand
SOFTWAREUlead SystemsUlead PhotoImpact4.0PathIeEdit.exe
SOFTWAREKasperskyLabComponents102EXEName

While infecting each file, the worm uses the companion infection method: it renames a victim file with eight-bytes randomly named and .EXE extension (for example: GTGUQPPA.EXE, XOHSKVXQ.EXE, etc.) and places itself with the name of original file. As a result, the worm copy will be executed each time a user or system runs the infected file.
To return control back to the host file, the worm stores the file names in the registry key HKCUAppEventsSchemesApps.DefaultSystemStartWindows, for example:
C:WIN95calc.exe "gtguqppa.exe"
C:WIN95mplayer.exe "xohskvxq.exe"
e.t.c.

This information can be used to disinfect the computer.
To detect already infected files, the worm uses the FileVersion that is stored in PE EXE file resources. In infected files, this variable is set to "1.3.5.7".
Infecting local and network drives
The worm also copies itself and "registers" to available logical drives: removable, fixed and network. While infecting removable files, the worm looks for the AUTOEXEC.BAT file on them, adds an instruction to run the PKZIP.EXE file upon loading from the drive, and copies itself to the drive with the PKZIP.EXE file name.
Upon infecting hard drives, the worm looks for the PKZIP.EXE file in the root directories on these drives, and copies itself with this name if such a file does not exits there. To run this file, the worm creates the AUTORUN.INF file on the drive and writes a block of instructions to there to run the PKZIP.EXE file (worm copy) upon the next Windows star-tup:
[autorun]
open=pkzip.exe

While infecting a remote drive, the worm first of all checks this drive for written permission. To do this, the worm creates the TEMP9385.058 file in there, and deletes it. In case no errors occurred during operation, the worm continues spreading to the drive. It copies itself to there with the PKZIP.EXE name and creates the AUTORUN.INF file in the same way as while affecting fixed drives on local computer. In addition, the worm looks for Windows and WinNT directories on the drive and registers its PKZIP.EXE copy in the WIN.INI file in [windows] "run" instruction. This operation also causes worm-copy execution on the next Windows start-up.
While infecting network drives, the worm also destroys several executable files there, if they exist, and overwrites them with its copy:
Acrobat3ReaderAcrord32.exe
Eudora95Eudora.exe
Program FilesMicrosoft OfficeOfficeOutlook.exe
Program FilesInternet ExplorerIexplore.exe
Program FilesWinZipWinZip32.exe
Program FilesMicrosoft OfficeOfficeWinWord.exe
Program FilesNetscapeProgramNetscape.exe

Infecting mIRC client and spreading via IRC channels
This routine is executed depending on the system time, not each time the infected files run. It looks for mIRC client installed in the system by accessing mIRC script file in the directories:
C:MIRCSCRIPT.INI
C:MIRC32SCRIPT.INI
C:Program FilesMIRCSCRIPT.INI
C:Program FilesMIRC32SCRIPT.INI

If no such files exist, the worm leaves infection routine. Otherwise it overwrite the SCRIPT.INI file with instruction that sends the C:PKZIP.EXE file to everybody entering the affected channel.
Sending infected emails
This routine is executed depending on the system time, as well as mIRC infection routine. First of all the worm gets the Eudora directory name by accessing the registry key: SoftwareQualcommEudoraCommandLine. The worm then scans the Eudora outgoing mails database (the OUT.MBX files), gets addresses from there and stores them in the list the infected message will be sent to. It seems that the worm also adds the "support@microsoft.com" email address to this list.
The worm then prepares the C:USER.MSG file that will be used then to initialize Eudora sendmail system. The worm writes to there all necessary data to send the message with infected attach:
To: addresses list from OUT.MBX file, plus "support@microsoft.com"
Subject: here's what u requested
X-Attachments: c:pkzip.exe;
Message body:
You had requested this a while back, so here you are.
enjoy.

The worm then opens the C:USER.MSG file by a Windows function that activates Eudora sendmail.
Stealing password files
While installing into the system and infecting files the worm also looks for Windows password files (.PWL files), reads passwords data from there and attaches to infected file body.
The worm does not send the passwords to any Internet address, but just keeps them attached to the infected files. As a result the stolen passwords leave the computer only in case the worm spreads its copies to Internet or IRC channels.
Payload routines
The worm has many payload routines that are activated depending on the system date and time. The worm by these routines:
- Halts the computer by launching unlimited number of threads.
- Overwrites the .DEFAULTSoftwareMicrosoftRegEdt32Settings registry key with "AutoRefresh=0" value.
- Changes the Internet Explorer settings. By rewriting the SOFTWAREMicrosoftInternet ExplorerMain registry keys the worms sets the "Start Page" to "http://www.whitehouse.com/" and "Search Page" to "http://www.bigboobies.com", and disables Internet cache updating.
By rewriting the SOFTWAREMicrosoftInternet ExplorerSearchUrl and SOFTWAREMicrosoftInternet ExplorerTypedURLs registry keys the worm sets the "http://www.gayextreme.com/queer/handle-it.html" Web page to first position of recently used Web pages; sets "SearchURL" to "http://www.fetishrealm.com/fatgirls/pic3.htm";
- By rewriting the SoftwareMirabilisICQBookmarks registry key sets:
"Main Page" to "http://www.biggfantac.com/terra/index.html",
"Customer Support" to "http://www.pornoparty.net"
"Menu" to "http://www.gayextreme.com/queer/handle-it.html"

- Deletes all keys from
SOFTWAREMicrosoftWindowsCurrentVersionUninstall or
SOFTWAREMicrosoftWindowsCurrentVersionInternet Settingsones
- Sets Windows settings:
RegisteredOwner = "Idiot with a Virus"
RegisteredOrganization and ProductID = "Registry Rage Virus L1999"

- Creates C:POEM1.TXT or C:POEM2.TXT files, writes one of the texts to there (see below), and opens them with NOTEPAD.EXE. The texts looks as follows:
To earn for the body and the mind whatever adheres and goes forward
and is not dropt by death;
I will effuse egotism and show it underlying all, and I will be the
bard of personality,
And I will show of male and female that either is but the equal of
the other,
And I will show that there is no imperfection in the present, and
can be none in the future,
And I will show that whatever happens to anybody it may be turn'd to
beautiful results,
And I will show that nothing can happen more beautiful than death all
- Walt Whitman
Nothing divine dies. All good is eternally reproductive. The beauty of
nature reforms itself in the mind, and not for barren contemplation,
but for new creation.
All men are in some degree impressed by the face of the world; some men
even to delight. This love of beauty is Taste. Others have the same love
in such excess, that, not content with admiring, they seek to embody
it in new forms. The creation of beauty is Art.
- Ralph Waldo Emerson

The worm's payload routines also erase or modify miscellaneous Windows settings, minimize Backup and ScanDisk settings, erase Registry backup, e.t.c.

I-Worm.Sysid

Description I-Worm.Sysid

This is an Internet worm that spreads in infected e-mails by using MS Outlook. The worm itself is a Windows executable written in Delphi and compressed by Aspack PE EXE compression utility. The worm's file size (compressed) is about 200K, the original (uncompressed) size is about 400K.
The worm installs itself into the system, and then periodically accesses MS Outlook and sends infected messages. There are no payload routines found in the worm code.
The worm hides its activity pretending to be a "Personal ID Generator" utility. This utility uses strings in Chinese coding, so it cannot be truly visible under non-Chinese Windows.
At the same time as the worm displays the "Personal ID Generator" window, it installs itself into Windows. To do this, it gets the names of the Windows and Windows system directories and copies itself to there with the "SYSID.EXE" name. In case the worm cannot detect the Windows directory, it uses hard-coded names:
C:WINNTSYSTEM32SYSID.EXE
C:WINNTSYSID.EXE
C:WINDOWSSYSTEMSYSID.EXE
C:WINDOWSSYSID.EXE
To run each time Windows starts, the worm registers its copy in the system registry in the auto-run section:
HKLMSoftwareMicrosoftWindowsCurrentVersionRun
WindowsVersion = "sysid"
The worm uses a trick to hide this record. Upon being activated, the worm deletes that record from the registry, and upon exiting, restores it. To stay active as long as possible, the worm leaves its copy in the Windows memory as a hidden application (service). So the worm is active up to the moment Windows is shut down, and worm's record in the system registry is not visible. At the moment Windows is shut down, the worm restores the registry record.
As a result, the worm record cannot be read by standard RegEdit - it simply does not exist when Windows has completed its start-up procedure, and up to the moment Windows is rebooted:
Upon each restart, Windows gets a worm file name from the system registry and runs it; the worm then deletes that record and stays in the system memory awaiting Windows restart. At that moment, the worm's registry record does not exist.
Upon Windows shut down, the worm restores its registry record, and it is ready to run the worm again upon the next Windows restart. At that moment, the registry record exists, but it cannot be read by standard utilities.
To spread via e-mail messages, the worm runs a file helper. This file is a VisualBasicScript application, and is created by the worm in the Windows system directory with the WINVER.VBS name. The VBS program in this file gains access to MS Outlook, obtains randomly selected names from the AddressBook, and creates and sends messages to these addresses. The number of addresses infected depends on the total number of addresses in the AddressLists. In case there is less than 200 addresses, the worm sends messages to 10% of them; otherwise, (more than 200 messages) the worm sends infected e-mails to 2% of them.
The infected message body is empty. The message Subject is randomly selected from all subject variants found in the "Sent items" Outlook list.
The message has four attached files. First is the worm EXE copy with a name randomly selected from 100 variants (see below); second, the attached file is randomly selected from .JPEG, .JPG, .DOC and .XLS files found in "C:My Documents" folder. Two other attached files are e-mail messages randomly selected from the "Sent items" list.
The list of possible worm EXE names appears as follows:
pdd2000.exe
Tools.exe
Pcc99.exe
98fix.exe
Book.exe
Phone.exe
Car.exe
Game.exe
Office98fix.exe
Graphics.exe
ScreenSaver.exe
Joke.exe
Window.exe
Mp3Player.exe
WinAmp.exe
Mouse.exe
FTP_Pro.exe
WWW.exe
Ghost7.exe
MazeGame.exe
3DS.exe
Source.exe
Action.exe
Color.exe
Color_Joke.exe
GameStyle.exe
HAHA.exe
MyResume.exe
EasyGame.exe
Jonny.exe
BallGame.exe
MazeGame.exe
MAC9.exe
Desk_Demo.exe
Girl.exe
GirlGame.exe
GoodGame.exe
FreedMan.exe
Hurry Up.exe
Take a Rest.exe
Take Easy.exe
Do not over time.exe
Meeting.exe
Milk.exe
PlayBoy.exe
BadGirl.exe
BadBoy.exe
PenHouse.exe
Tape.exe
Display.exe
Click Me.exe
Apple.exe
New Product Show.exe
My Resume.exe
Boss Game.exe
Boy and Girl.exe
WinZip9.exe
Good Job.exe
New Language.exe
Key User.exe
My Letter.exe
My Sister.exe
My Mother.exe
My Father.exe
My Picture.exe
Merry.exe
Happy.exe
Happy New Year.exe
How Are You.exe
586 Tech.exe
Cell Phone.exe
Sex Picture.exe
The Young King.exe
Oscar.exe
The Happy Prince.exe
The Star Child.exe
Question.exe
Issues For Today.exe
Acknowledgments.exe
Game99.exe
True or False.exe
Good Art.exe
News.exe
Stock News.exe
Music.exe
MP3.exe
Choose Games.exe
Life-Styles.exe
Life-Cycles.exe
Sometimes.exe
Summary.exe
Market.exe
MP3 Tools.exe
Cheat.exe
New Joke.exe
New System.exe
New Job.exe
New Chance.exe
Make More Money.exe
Help Yourself.exe

Home