Virus Database

IRC-Worm.Loa

Description IRC-Worm.Loa

This is an IRC worm that spreads via mIRC channels. The worm code itself is a randomly named DOS EXE file. When it is executed, the worm copies itself with the LOA.EXE name to the Windows directory and registers this file in the system registry in the auto-run section:
LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunServices:
"Life of Agony"="loa.exe"

When the worm locates the MIRC.INI file, it writes to there several instructions that disable the mIRC security settings and creates its script file that contains commands that send the worm's EXE file to the channel.
The worm manifests itself as anti-virus programs that searche and delete the DM-Setup mIRC worm (the worm actually does delete DM-Setup files if they present on disks). It then displays the following messages:
You are about to scan your harddrive for the DMSetup virus, it is
crucial that you run this program without mIRC active, so if you
are still in mIRC at the moment, type /EXIT before you continue.
Press any key if mIRC is not activeall

The worm also displays other messages that depend on the current date:
PowerBit anti-virus v3.34, (C)opyrighted 1999 by PB Systems.
SHAREWARE - REGISTER?
YES!
Scan completed, no viruses were found.
The Ultimate Chaos Website 2 - http://sourceofkaos.com/homes/ultchaos
Visit me...
NOW!
Not detected.
WaReZ SCaNNeR bY oDELiOFiLThY [SuCK]... ViSiT #warez !
SeLF CHeCK:
oKeY
nO WaReZ wErE FoUnD aT DRiVe C: !!!
DrSolomon Anti-Virus Toolkit v10.00 - SPECIAL EDITION -
Scanning memory (DOSUMBHMAXMS)...
No viruses found in memory
No viruses were found.
ScanDisk 2.00, (C)Copyright Microsoft Corp 1981-1998.
Checking critical areas...
OK
No errors were detected.
Anti-Back-Orifice II.A, detects/removes all BO-instances from your system.
Checking registry...
BO was not found in the registry
System clean, visit http://sourceofkaos.com/homes/ultchaos for updates.
TERA SPOOF-INSTALLER VERSION 6.66
Checking shadow-RAM...
located at x0FA56D6A4h
Failed to install spoof, SPSOCK64.DLL missing.
WinGater by Terminatius [Finds installed WinGates at your system].
Locating registry:
REGISTRY.REG
No WinGates found, go to Undernet, #wingater for help.
Thunderbyte virus-detector v9.24, - (C) Copyright 1989-1999 Thunderbyte B.V.
SANITY CHECK:
OK!
No viruses were found.
Anti-Nuke written by cDc - Cult of the Dead Cow.
Checking V86 interrupts...
No polling detected
No nuke-programs found.
LOA''s Kill-DMSetup version 2.2, - SHAREWARE
Checking memory...
OK
Completed!
KILL-CIH v2.0. --> kills all known CIH-strains! <--
Memory check...
passed
CIH has not been detected at your system.

When the worm is started with the /SECRET argument, it displays the following message:
=[ Life of Agony 1.30, (c) 1998 by T-2000 / Immortal Riot ]=
Hi! I am the [LIFE OF AGONY] worm, and I''m gonna fuck you up REAL bad!
LIFE OF AGONY

Check other viruses! Be aware! Use Antiviral Software

I-Worm.Sobig.b (aka Palyh)

Description I-Worm.Sobig.b (aka Palyh)

Sobig.b is a worm virus spreading via the Internet as an e-mail attachment. The worm also spreads across local area networks.
The worm itself is a Windows PE EXE file, written in Microsoft Visual C++, and compressed by UPX. The file size is about 50KB when compressed (UPX). The decompressed size is about 110KB.
The worm activates from infected email only if a user clicks on the attached file.
When run the worm installs itself to the system and runs its spreading routine.
Installing
While installing the worm copies itself to the Windows directory under the name msccn32.exe and registers itself in the system registry auto-run keys:
HKCUSoftwareMicrosoftWindowsCurrentVersionRun
System Tray = %WindowsDir%msccn32.exe

HKLMSoftwareMicrosoftWindowsCurrentVersionRun
System Tray = %WindowsDir%msccn32.exe

Because of a bug the worm in some cases copies itself to the wrong directoris (root drive, current directory), but anyway its spreading routines will activate upon the next computer restart.
Spreading: email
To send out infected messages the worm uses a direct connection to the default SMTP server. To get victim email addresses the worm looks for .TXT, .EML, .HTML, .HTM, .DBX, .WAB files in all directrories on all available local drives, then retrieves email-like strings from the files that are found.
Following are possible message characteristics:
From:

support@microsoft.com


Subject:

Re: My application
Re: Movie
Cool screensaver
Screensaver
Re: My Your password
Re: Approved (Ref: 3394-65467)
Approved (Ref: 38446-263)
Your
Message Body:

All information is in the attached file.

Attached file name:

your_details.pif
ref-394755.pif
approved.pif
password.pif
doc_details.pif
screen_temp.pif
screen_doc.pif
movie28.pif
application.pif

The worm also creates the file hnks.ini in the Windows directory and writes the found email addresses to this file.
Spreading via network
The worm deciphers all accessible network resources (other computers in a network) and copies itself to the auto-start directoris (if there are such subdirectories) of eligible machines.
WindowsAll UsersStart MenuProgramsStartUp
Documents and SettingsAll UsersStart MenuProgramsStartup

Updating
The worm downloads files from four Web places (that are "hardcoded" in the worm's body) and executes them. As a result the worm is able to update itself with new versions, and/or install other applications (trojan programs, for example).
Other
All worm routines (except "Updating") are active till May 31, 2003. Meaning the worm does not run its spreading (both email and network) routines after May 31, 2003.

I-Worm.Sobig.c

Description I-Worm.Sobig.c

Sobig.c is a worm virus spreading via the Internet as an infected e-mail file attachment. The worm also spreads via network resources.
The worm itself is a Windows PE EXE file, written in Microsoft Visual C++, and compressed by the UPX compression utility. The file's size is about 60K or higher when compressed with UPX, while the decompressed size is about 120K.
The worm is activated from infected email only if a user clicks on the attached file.
When run the worm installs itself to the system and runs a spreading routine.
Installing
While installing the worm copies itself to the Windows directory under the name mscvb32.exe and registers itself in the system registry auto-run keys:
HKCUSoftwareMicrosoftWindowsCurrentVersionRun
System MScvb = %WindowsDir%mscvb32.exe

HKLMSoftwareMicrosoftWindowsCurrentVersionRun
System MScvb = %WindowsDir%mscvb32.exe

Spreading: email
To send out infected messages the worm uses a direct connection to the default SMTP server.
To get victim emails the worm looks for .TXT, .EML, .HTML, .HTM, .DBX, .WAB files in all directrories on all available local drives. It gets email-like strings from the files that are found.
Message attributes include:
The "From" field has a fake email address that is either found on the particular infected machine or "bill@microsoft.com"
Subject:
Re: Screensaver
Re: Movie
Re: Submited (004756-3463)
Re: 45443-343556B37DB6480EC9657E
Re: Approved
Approved78A85131
Re: Your application
Re: Application

Message Body:
Please see the attached file.

Attached file name:
screensaver.scr
movie.pif
submited.pif
45443.pif
documents.pif
approved.pif
application.pif
document.pif

The messages are also sent with attached files that have the file name's last letter cut:

screensaver.sc
movie.pi
submited.pi
45443.pi
documents.pi
approved.pi
application.pi
document.pi


The Sobig.c worm also creates the file msddr.dat in the Windows directory and writes to this file the email addresses that were found on the infected machine.
Spreading via networks
The worm accounts for all accessible network resources (other computers in a network) and copies itself into their auto-start directoris (if there are such subdirectories)
WindowsAll UsersStart MenuProgramsStartUp
Documents and SettingsAll UsersStart MenuProgramsStartup

Updating
The worm downloads files from four Web locations (these locations are "hardcoded" into the worm body) and executes them. As a result the worm is able to "upgrade" itself with new versions, and/or install other applications such as trojan programs and spyware.
Other
All worm routines (except the "Updating" feature) are active until June 8, 2003 only. This means the worm does not run its spreading routines (both email and network) after June 8, 2003.

Home