I-Worm.Win32.Fasong
Description I-Worm.Win32.Fasong

Fasong is a worm virus that spreads via local area networks. The worm itself is a Windows PE EXE file about 170KB in length and is written in Delphi. The worm has a trojan routine (see below).

Installing

While installing, the Fasong worm copies itself to randomly selected directories on randomly selected drives, using randomly selected EXE names, for example:

GMLKU.EXE
TKXMLIB.EXE
LUFV.EXE

The worm registers these files in the system registry auto-run key:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
%rndname%.EXE = %rndname%.EXE

for example:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
GMLKU.EXE = C:\UTIL\GMLKU.EXE

The worm also affects other auto-run keys: it writes references to its different copies to the following keys:

HKCR\chm.file\shell\open\command (default value = "hh.exe" %1)
HKCR\exefile\shell\open\command (default value = "%1 %*")
HKCR\inifile\shell\open\command (default value = "notepad.exe %1")
HKCR\regfile\shell\open\command (default value = "regedit.exe %1")
HKCR\scrfile\shell\open\command (default value = "%1 /S")
HKCR\txtfile\shell\open\command (default value = "notepad.exe %1")

Spreading

The worm copies itself to all local drives with randomly selected EXE names. The worm also copies itself to network drives. To run itself on remote machines, Fasong also creates the autorun.inf file in the drive root directory and writes the [autorun], OPEN= command to this file.

Trojan Routine

The trojan routine gets personal information from OICQ and some other Chinese programs, and then sends emails containing personal data from victim machines to its master.

Other

The Fasong worm creates the following registry key, where it stores its internal data:

HKLM\Software\Microsoft\Windows\CurrentVersion\win70

Fasong tries to detect and terminate several running anti-virus programs and firewalls.

Fasong looks for the Msread.dt file and reads its internal settings from that file. The settings are text strings such as:

workfile
mima_wenjian
fasong_youxiang
yonghu_ming
youxiang_mima
fasong_zhuti
fanggai_mima
smtp_fuwuqi
auto_share
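
A defender-side check for the file-association changes listed under Installing, as an added example that is not part of the original description: it parses a .reg export of HKCR and reports shell\open\command defaults that differ from the defaults quoted above. The sample export, the function names and the normalization (quotes dropped, executable path reduced to its file name) are assumptions made for illustration.

```python
import re

# Baseline: defaults quoted in the description above, lower-cased, quotes dropped.
BASELINE = {
    "chm.file": "hh.exe %1", "exefile": "%1 %*",
    "inifile": "notepad.exe %1", "regfile": "regedit.exe %1",
    "scrfile": "%1 /s", "txtfile": "notepad.exe %1",
}
KEY_RE = re.compile(r"^\[HKEY_CLASSES_ROOT\\([^\\\]]+)\\shell\\open\\command\]$", re.I)

def parse_reg_export(text):
    """Return {file class: default command} from .reg export text."""
    found, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = m.group(1).lower() if m else None
        elif current and line.startswith('@="') and line.endswith('"'):
            # .reg strings escape backslash and quote with a leading backslash
            found[current] = re.sub(r"\\(.)", r"\1", line[3:-1])
    return found

def normalize(cmd):
    """Reduce a command to '<exe file name> <args>' for comparison."""
    cmd = cmd.strip()
    if cmd.startswith('"') and '"' in cmd[1:]:
        exe, rest = cmd[1:].split('"', 1)
    else:
        exe, _, rest = cmd.partition(" ")
    exe = exe.rsplit("\\", 1)[-1]
    return " ".join([exe] + rest.replace('"', "").split()).lower()

def audit(reg_text):
    """Return {file class: observed command} for entries that differ from BASELINE."""
    return {cls: cmd for cls, cmd in parse_reg_export(reg_text).items()
            if cls in BASELINE and normalize(cmd) != BASELINE[cls]}

# Constructed sample export; the exefile entry uses the page's example path.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\UTIL\\GMLKU.EXE \"%1\" %*"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"
'''

if __name__ == "__main__":
    for cls, cmd in audit(SAMPLE).items():
        print(f"{cls}: unexpected open command: {cmd}")
```

Because the page lists bare file names, the comparison ignores the directory of the handler; review the full path of any handler separately.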
Backdoor.Rbot.gen
Description Backdoor.Rbot.gen
Backdoor.Rbot is a family of Trojan programs for Windows, which offer the user remote access to victim machines. The Trojans are controlled via IRC, and have the following functions:

monitor networks for interesting data packets (i.e. those containing passwords to FTP servers, and e-payment systems such as PayPal etc.)
scan networks for machines which have unpatched common vulnerabilities (RPC DCOM, UPnP, WebDAV and others); for machines infected by Trojan programs (Backdoor.Optix, Backdoor.NetDevil, Backdoor.SubSeven and others) and by the Trojan components of worms (I-Worm.Mydoom, I-Worm.Bagle); for machines with weak system passwords
conduct DoS attacks
launch SOCKS and HTTP servers on infected machines
send the user of the program detailed information about the victim machine, including passwords to a range of computer games

Backdoor.Ruledor.c
Description Backdoor.Ruledor.c
This program is part of the backdoor family of malicious programs intended for remote administration. The victim computer can be remotely controlled and made to execute the commands described in the file http://sds.cl**ch.com/ie/control.dat. The program downloads this file when starting. Backdoor.Ruledor.c can also download and install other programs unnoticed. Some incidents have been detected where a wide range of AdWare and Trojans have been downloaded and installed.

Installation

The program creates the directory ClearSearch in the Program Files folder, copies itself to this directory under the name loader.exe and registers itself under the autorun key in the system registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Other

When the system is started, the program deletes all Browser Helper Objects (BHO) not installed by the program.