I-Worm.Tanatos.b
Description
Tanatos.b (aka Bugbear.b) is a worm spreading via the Internet as an email attachment. The worm also infects Windows EXE files, spreads over local networks and has a built-in backdoor routine. The worm itself is a Windows PE EXE file about 72KB in length when compressed by UPX and encrypted over the UPX compression. The decompressed size is about 170KB. The worm's code is written in Microsoft Visual C++. Tanatos.b has the following text strings in its body:
w32shamur
W32.Shamur
tanatos

Installing
While installing, the worm copies itself to the Windows start-up directory under a random name. No registry keys are affected. The worm also creates the following files in the Windows system directory:
gpflmvo.dll - keylogger DLL (about 6K in size)
zpknpzk.dll - its internal data file
shtchs.dll - its internal data file

Tanatos also creates the following file in the Windows directory:
%rnd name%.dat - its internal data file

and the following file in the Temp directory:
vba%rnd%.tmp - the worm's installed copy

Spreading
To send infected messages the worm uses a built-in SMTP engine. The worm searches for victim email addresses in the following files on the available disks:
*.ODS, INBOX.*, *.MMF, *.NCH, *.MBX, *.EML, *.TBB, *.DBX
The infected messages have different Subject, Body and File Attachment names that are selected from many variants.
Subject:

The file attachment name is randomly selected by one of several methods:
1. The worm looks for *.INI files in ??? and, if a "%filename%.INI" file is found, sends itself under the name "%filename%.%ext%", where %ext% is randomly selected from the list: ".scr", ".pif", ".exe".
2. The worm randomly selects the attachment name from the following variants: readme, Setup, Card, Docs, news, image, images, pics, resume, photo, video, music, song, data. The file name extension is again randomly selected from the same variants: ".scr", ".pif", ".exe".
3. The worm looks for *.BMP, *.DOC, *.GIF, *.JPG, *.RTF and other files and uses their full names as the %filename% of the infected attachment. In this case the attachments have double extensions, for example:
doc1.doc.exe
euro.gif.scr
table.xls.pif
4. "setup.exe"
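As an added example (not part of the original description), the following Python encodes the four attachment-naming rules listed above so a mail gateway or log review can flag candidate Tanatos.b attachments; the sample names it is tested against are constructed, and the document-extension set is the one the write-up names plus .xls from its own examples.

```python
"""Flag attachment names that match the Tanatos.b (Bugbear.b) naming rules.

Names are compared case-insensitively, as Windows would treat them.
Returns a short reason string for a match, or None when the name does
not match any of the four rules from the write-up.
"""
import posixpath
from typing import Optional

EXECUTABLE_EXTS = {".scr", ".pif", ".exe"}          # rule 1-3 extensions
WORM_BASENAMES = {"readme", "setup", "card", "docs", "news", "image",
                  "images", "pics", "resume", "photo", "video", "music",
                  "song", "data"}                   # rule 2 base names
# Rule 3: extensions of host files whose names the worm reuses.  The
# write-up says "and other files", so any inner extension is reported,
# but only these are labelled as a known document type.
DOCUMENT_EXTS = {".bmp", ".doc", ".gif", ".jpg", ".rtf", ".xls"}


def classify_attachment(filename: str) -> Optional[str]:
    """Return the matched Tanatos.b naming rule, or None."""
    name = posixpath.basename(filename.replace("\\", "/")).lower()
    stem, ext = posixpath.splitext(name)
    if ext not in EXECUTABLE_EXTS:
        return None                                 # worm only ships these
    if name == "setup.exe":                         # rule 4
        return "fixed name setup.exe"
    if stem in WORM_BASENAMES:                      # rule 2
        return f"generic name {stem}{ext}"
    inner_stem, inner_ext = posixpath.splitext(stem)
    if inner_stem and inner_ext:                    # rule 3: name.doc.exe
        kind = "known" if inner_ext in DOCUMENT_EXTS else "other"
        return f"double extension {inner_ext}{ext} ({kind} document type)"
    # Rule 1 (an .INI name plus .scr/.pif/.exe) is indistinguishable from
    # any other executable attachment, so it is reported as a weak signal.
    return f"executable attachment {ext}"


def scan_attachments(names):
    """Map each flagged attachment name to the rule it matched."""
    hits = {}
    for n in names:
        reason = classify_attachment(n)
        if reason is not None:
            hits[n] = reason
    return hits


if __name__ == "__main__":
    # Constructed sample attachment names, not taken from a real capture.
    sample = ["doc1.doc.exe", "euro.gif.scr", "table.xls.pif", "Setup.exe",
              "Card.pif", "budget.pdf.exe", "report.pdf", "readme.txt"]
    for name, why in scan_attachments(sample).items():
        print(f"{name}: {why}")
```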
Some of the infected emails carry the IFrame security breach, which runs the attachment as soon as the infected email is opened. In the rest of the messages the worm activates only when a user clicks on the attached file.

Infecting EXE files
While infecting a file the worm writes itself to the end of the file. The worm's copy is "incorporated" into the victim machine's file structure as a "standard" .EXE file in the "Program Files" directory. Copy names (paths relative to the Program Files directory) include:
winzip\winzip32.exe
kazaa\kazaa.exe
ICQ\Icq.exe
DAP\DAP.exe
Winamp\winamp.exe
AIM95\aim.exe
Lavasoft\Ad-aware 6\Ad-aware.exe
Trillian\Trillian.exe
Zone Labs\ZoneAlarm\ZoneAlarm.exe
StreamCast\Morpheus\Morpheus.exe
QuickTime\QuickTimePlayer.exe
WS_FTP\WS_FTP95.exe
MSN Messenger\msnmsgr.exe
ACDSee32\ACDSee32.exe
Adobe\Acrobat 4.0\Reader\AcroRd32.exe
CuteFTP\cutftp32.exe
Far\Far.exe
Outlook Express\msimn.exe
Real\RealPlayer\realplay.exe
Windows Media Player\mplayer2.exe
WinRAR\WinRAR.exe
adobe\acrobat 5.0\reader\acrord32.exe
Internet Explorer\iexplore.exe

and in the Windows directory:
winhelp.exe
notepad.exe
hh.exe
mplayer.exe
regedit.exe
scandskw.exe
Infecting networks
The Tanatos.b worm enumerates all network resources, then copies itself to the startup folders of the available resources (drives) using random .EXE names or the name "setup.exe". The worm also looks for "standard" .EXE files (the same list as above) on shared drives and infects them.

Backdoor
Tanatos.b opens port 1080 and, on the master's request:
- reports disk and file info
- copies or deletes a requested file
- reports active applications
- terminates a requested application
- runs a local file
- receives a file from the master and runs it
- logs keystrokes and sends them to the master
- opens an HTTP server
Other
Tanatos.b terminates active debuggers, anti-virus and firewall processes:
ZONEALARM.EXE WFINDV32.EXE WEBSCANX.EXE VSSTAT.EXE VSHWIN32.EXE VSECOMR.EXE VSCAN40.EXE VETTRAY.EXE VET95.EXE TDS2-NT.EXE TDS2-98.EXE TCA.EXE TBSCAN.EXE SWEEP95.EXE SPHINX.EXE SMC.EXE SERV95.EXE SCRSCAN.EXE SCANPM.EXE SCAN95.EXE SCAN32.EXE SAFEWEB.EXE RESCUE.EXE RAV7WIN.EXE RAV7.EXE PERSFW.EXE PCFWALLICON.EXE PCCWIN98.EXE PAVW.EXE PAVSCHED.EXE PAVCL.EXE PADMIN.EXE OUTPOST.EXE NVC95.EXE NUPGRADE.EXE NORMIST.EXE NMAIN.EXE NISUM.EXE NAVWNT.EXE NAVW32.EXE NAVNT.EXE NAVLU32.EXE NAVAPW32.EXE N32SCANW.EXE MPFTRAY.EXE MOOLIVE.EXE LUALL.EXE LOOKOUT.EXE JEDI.EXE IOMON98.EXE IFACE.EXE ICSUPPNT.EXE ICSUPP95.EXE ICMON.EXE ICLOADNT.EXE ICLOAD95.EXE IBMAVSP.EXE IBMASN.EXE IAMSERV.EXE IAMAPP.EXE FRW.EXE FPROT.EXE FP-WIN.EXE FINDVIRU.EXE F-STOPW.EXE F-PROT95.EXE F-PROT.EXE F-AGNT95.EXE ESPWATCH.EXE ESAFE.EXE ECENGINE.EXE DVP95_0.EXE DVP95.EXE CLEANER3.EXE CLEANER.EXE CLAW95CF.EXE CLAW95.EXE CFINET32.EXE CFINET.EXE CFIAUDIT.EXE CFIADMIN.EXE BLACKICE.EXE BLACKD.EXE AVWUPD32.EXE AVWIN95.EXE AVSCHED32.EXE AVPUPD.EXE AVPTC32.EXE AVPM.EXE AVPDOS32.EXE AVPCC.EXE AVP32.EXE AVP.EXE AVNT.EXE AVKSERV.EXE AVGCTRL.EXE AVE32.EXE AVCONSOL.EXE AUTODOWN.EXE APVXDWIN.EXE ANTI-TROJAN.EXE ACKWIN32.EXE _AVPM.EXE _AVPCC.EXE _AVP32.EXE LOCKDOWN2000.EXE
The Tanatos.b worm also collects cached passwords and sends them to its "master".
Anarchy.9594
Description
This is a benign polymorphic memory-resident parasitic virus. It hooks INT 9, 21h and 28h and writes itself at the end of COM (except COMMAND.COM) and EXE files that are executed or closed. The header of infected COM files contains the text string:
JAN FAKOVSKIJ,USSR,1994
All infected files contain the unencrypted ID string at their end:
UNFORGIVON
On the 48th infection the virus displays one of the following messages (two of them are in Russian) and halts the system:
DIS IS DI END, BEAUTIFUL FRIENDall DIS IS DI END, MY ONLY FRIEND- DI END. IT HURTS TO SET U FREE, BUT U'LL NEVOR FOLLOW ME. DI END- OF LAUGHTER & SOFT LIES, DI END OF NIGHTS...WE TIRED TO DIE... DIS IS DI END I WANNA DESTROY DA PASSORS-BY 'CAUSE I WANNA BE,- YEAH,- ANARCHY
On pressing [Alt]-[GreyMinus] the virus calls its trigger routine, which emulates a file shell a la Norton Commander and allows the user to copy, move and delete files and subdirectories, and so on. That routine displays a menu like this one:
3584000
Andreas.1107
Description
This is a harmless memory-resident parasitic virus. It hooks INT 21h and writes itself to the end of COM and EXE files that are executed. The virus also searches for COM and EXE files in the current directory and infects them. On the 19th of any month the virus also hooks INT 9 (keyboard) and, on each keypress, decrypts and displays the text "Andreas".