Virus Database

I-Worm.Sonic

Description I-Worm.Sonic

This is a multi-component Internet-worm infecting Win32 machines and spreading in e-mail messages as an attached EXE file. The worm has several components, and is able to "upgrade" itself from an Internet Web site.
There are two principal worm components: Loader and Main component.
The Loader is a Windows EXE file about 25K in size (it is compressed by a UPX PE EXE file-compression utility, which being decompressed reaches about 70K in size). When the loader is activated on a computer (being run from e-mail attach), it registers itself as a hidden process (service), copies itself to the Windows system directory with the name GDI32.EXE, and registers in the auto-run system registry key:
HKLMSoftwareMicrosoftWindowsCurrentVersionRun
GDI = WinSystemGDI32.EXE
where "WinSystem" is the Windows system directory name. As a result, the worm Loader then is executed upon each Windows startup. Note that there are standard Windows components in this directory: GDI.EXE and GDI32.DLL. The worm uses the GDI32.EXE name to disguise itself in a standard Windows environment.
To hide its activity, the worm then displays the fake error message:
FileName n' est pas une application Win32 valide.
where FileName is the actual file name the worm was started from.
The worm then activates the main procedure that obtains and executes the Main component. It enters the http://www.geocities.com/olivier1548/ Web page and obtains several files from there:
LASTVERSION.TXT - a text file with the number of the latest worm version available there. If there is no new version, the worm exits.
nn.ZIP - latest version of worm Main component, "nn" is defined in LASTVERSION.TXT.
GATEWAY.ZIP - latest version of worm Loader component.
The nn.ZIP and GATEWAY.ZIP files are not actually archives, but an encrypted Windows EXE file. The worm Loader decrypts them, copies to the Windows directory and spawns. As a result, the Main component is activated on the computer.
The Main worm component is the Windows EXE file about 40K in size (it is compressed by a UPX PE EXE file-compression utility, which being decompressed reaches 120K in size). It is installed to the Windows directory with the GDI32A.EXE name and is registered in the system registry in a similar way as described above for the virus loader. The main components then, depending on some conditions, open the Windows Address Book, obtain Inet addresses from there and send infected e-mail messages. In the known worm version, these messages have:
Subject: Choose your poison
Attached file name: girls.exe
The Main worm component also has Backdoor abilities to watch at infected computer and run its resources from remote host machine.

Check other viruses! Be aware! Use Antiviral Software

I-Worm.Mimail.i

Description I-Worm.Mimail.i
Mimail.i spreads through the Internet in the infected file attachment paypal.asp.scr. The Mimial.i worm is a Windows application file (PE EXE file) that is about 12 KB in size and compressed by UPX. The uncompressed size is about 30KB.
Infected email messages include the following content:
Sender address:
donotreply@paypal.com
Subject:
YOUR PAYPAL.COM ACCOUNT EXPIRES
Body Text:
Dear PayPal member,
PayPal would like to inform you about some important information regarding your PayPal account. This account, which is associated with this email address will be expiring within five business days. We apologize for any inconvenience that this may cause, but this is occurring because all of our customers are required to update their account settings with their personal information.
We are taking these actions because we are implementing a new security policy on our website to insure everyone's absolute privacy. To avoid any interruption in PayPal services then you will need to run the application that we have sent with this email (see attachment) and follow the instructions. Please do not send your personal information through email, as it will not be as secure.
IMPORTANT! If you do not update your information with our secure application within the next five business days then we will be forced to deactivate your account and you will not be able to use your PayPal account any longer. It is strongly recommended that you take a few minutes out of your busy day and complete this now.
DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This mail is sent by an automated message system and the reply will not be received.
Thank you for using PayPal.
Attachement:
paypal.asp.scr
The Mimail.i worm only gains control if a victim opens the file attachment.
Behaviour
Upon being launched the Mimail.i worm displays a dialogue window asking the computer user to supply PayPal credit card data. Any data entered is then kept in the file named ppinfo.sys, which is then sent to the evildoer behind the worm (the worm's author).
Mimail.i then copies itself into the Windows catalogue under the name svchost32.exe and registers itself in the system registry auto-run key with the following entry:
HKLMSoftwareMicrosoftWindowsCurrentVersionRun
SvcHost32 = %windir%svchost32.exe
Mimail.i creates two files in the C: root directory - pp.gif and pp.hta. These files are used to display the dialogue window requesting PayPal credit card information.
The worm creates the following files in the Windows directory:
zp3891.tmp
ee98af.tmp
el388.tmp
Spreading
To mail out infected messages (of itself), Mimail.c uses its own SMTP engine. To detect email addresses to target, the worm searches for address strings contained in files located in the Shell Folders and Program Files directories.

I-Worm.Mimail.j

Description I-Worm.Mimail.j
This worm is a modification of I-Worm.Mimail.i
It spreads via the Internet as a file named InfoUpdate.exe attached to infected messages. The worm itself is a Windows PE EXE file, packed with UPX. The size of the compressed file is approximately 13KB and the size of the decompressed file is approximately 30KB.
Characteristics of infected messages:
Sender's address:
Do_Not_Reply@paypal.com
Message header
IMPORTANT
Message body
Dear PayPal member, We regret to inform you that your account is about to be expired in next five business days. To avoid suspension of your account you have to reactivate it by providing us with your personal information.
To update your personal profile and continue using PayPal services you have to run the attached application to this email. Just run it and follow the instructions. IMPORTANT! If you ignore this alert, your account will be suspended in next five business days and you will not be able to use PayPal anymore.
Thank you for using PayPal.
Attachment name:
www.paypal.com.pif or InfoUpdate.exe
All other details, such as how the worm installs itself, manifests itself in the system and replicates are the same as I-Worm.Mimail.i

Home