I-Worm.Potok
Description I-Worm.Potok
This is a family of Internet worms that spreads via e-mail by sending infected messages from infected computers. While spreading, the worms use MS Outlook, and send themselves to addresses that are stored in the MS Outlook Address Book.

The worms are written in the scripting language "Visual Basic Script" (VBS), and they work only on computers on which the Windows Scripting Host (WSH) has been installed. In Windows 98 and Windows 2000, WSH is installed by default. To spread, the worms access MS Outlook and use its functions and address lists. This is available in Outlook 98/2000 only, so the worms are able to spread only when one of these MS Outlook versions is installed.

The worm arrives on a computer as an e-mail message with an attached VBS file that is the worm itself. The message in the original worm version contains:

Subject: New Generation of drivers
Message body: Microsoft has published new driver for all types Video Cards, compatible with Windows 95/98/NT/2000/XP. You can read about it in attachment document. Best wishes, Microsoft.
Attached file name: "driver.doc .vbs"

The file extension (".vbs") is separated from the rest of the name by lots of spaces and sometimes may not be displayed. Depending on the system settings, the real attached-file extension (".vbs") may not be shown. In this case, the attached-file filename is displayed as "DRIVER.DOC".

Upon being activated by a user (by double clicking on the attached file), the worm creates an exact copy of itself in the WINDOWS directory with the "driver.doc .vbs" name. The worm checks whether the file system is NTFS, and if it isn't, it exits. If the file system is NTFS, the worm creates an ODBC.INI file in the WINDOWS directory, and associates four additional NTFS streams with it:

group - adds a user to the system
mail - sends the worm's copies using Outlook
main - main part of the worm
user - adds a user to the system

Then the worm creates a temporary file ("go.vbs"), which assembles all parts of the worm into one file ("notepad.vbs"), and launches it. The part of the worm launched from NOTEPAD.VBS sends its copy to the first 50 e-mail addresses in the Outlook address book. After mailing, the worm checks whether the operating system is Windows 2000, and if it is, adds a new user with the name "Lord_Nikon" to the system.
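A mail-filter style check for the attachment-name disguise described above (a ".vbs" extension pushed out of view by whitespace after a decoy ".doc"), given here as an added example that is not part of the original description. The extension lists, function names, pad width and sample message are assumptions constructed for illustration.

```python
from email import message_from_string

# Assumed lists for this example: extensions Windows executes on double-click,
# and harmless-looking extensions used as the visible decoy.
RISKY_EXT = {"vbs", "vbe", "js", "jse", "wsf", "exe", "scr", "pif", "com", "bat", "cmd"}
DECOY_EXT = {"doc", "txt", "jpg", "gif", "pdf", "xls", "htm", "html"}

def classify_filename(name):
    """Return the reasons a filename looks like a disguised script ([] if none)."""
    stem, dot, ext = name.strip().rpartition(".")
    ext = ext.strip().lower()
    if not dot or ext not in RISKY_EXT:
        return []
    reasons = [f"executable extension .{ext}"]
    visible = stem.rstrip()
    pad = len(stem) - len(visible)
    if pad:  # whitespace run that pushes the real extension out of view
        reasons.append(f"{pad} whitespace char(s) before real extension")
    _, inner_dot, inner = visible.rpartition(".")
    if inner_dot and inner.lower() in DECOY_EXT:
        reasons.append(f"decoy extension .{inner.lower()}")
    return reasons

def scan_message(raw):
    """Map each suspicious attachment filename in a raw message to its reasons."""
    findings = {}
    for part in message_from_string(raw).walk():
        name = part.get_filename()
        reasons = classify_filename(name) if name else []
        if reasons:
            findings[name] = reasons
    return findings

# Constructed sample: the pad width (10 spaces) is made up, payloads are placeholders.
PADDED = "driver.doc" + " " * 10 + ".vbs"
SAMPLE = f"""\
From: sender@example.test
Subject: New Generation of drivers
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="{PADDED}"

placeholder, not worm code
--b1
Content-Type: application/msword
Content-Disposition: attachment; filename="report.doc"

placeholder
--b1--
"""
```
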
I-Worm.Bagle.an
Description I-Worm.Bagle.an
This worm spreads via the Internet as an attachment to infected emails, and also via file-sharing networks. It is almost identical to I-Worm.Bagle.al. It is compressed using PEX; the compressed file is 18436 bytes in size, and the uncompressed file is 24068 bytes in size.

Propagation via email

Infected messages:
Message header: photo
Message body: photo
The message body appears as an HTML page.
Attachment name: foto.zip fotos.zip
Attachment contents: fotofoto.html fotofotofoto1.exe

The first file contains Exploit.CodeBaseExec. The second file contains TrojanDropper.Win32.Small.kv, which installs TrojanDownloader.Win32.Agent.cj on the victim machine. This program then downloads the main module of the worm.

Remote administration

The worm opens port 82 and listens for commands. This makes it possible for the author of the worm to download and launch files on the victim machine.

Other

File names, registry key values and the routines for propagating via file-sharing networks are identical to those of I-Worm.Bagle.al. The worm is programmed to cease functioning and to delete itself after 2nd September 2004.
I-Worm.Bagle.ao
Description I-Worm.Bagle.ao
This worm spreads via the Internet as an attachment to infected emails, and also via file-sharing networks. It is almost identical to I-Worm.Bagle.an. It is compressed using PEX; the compressed file is 174924 bytes in size, and the uncompressed file is 23556 bytes in size.

Propagation via email

Infected messages:
Message header: photo
Message body: photo
The message body appears as an HTML page.
Attachment name: foto.zip fotos.zip
The attached archive is 4558 bytes in size.
Attachment contents: foto.html 1calc.exe

The first file contains Exploit.CodeBaseExec. The second file contains TrojanDropper.Win32.Small.kv, which installs TrojanDownloader.Win32.Agent.cj on the victim machine. This program then downloads the main module of the worm.

Other

File names, registry key values, remote administration functions and the routine for propagating via file-sharing networks are identical to those of I-Worm.Bagle.an. The worm is programmed to cease functioning and to delete itself after 2nd September 2004.