Virus Database

IRC-Worm.Tetris

Description IRC-Worm.Tetris

This is an IRC worm that spreads via IRC channels. The worm itself is a Win32 application about 70Kb in size. It has two main routines: infection and game, both of which are activated upon infected-program running. The first one infects a computer so that it will spread the worm copies further to IRC chats; the second one displays a "Tetris" game that is used to mask the worm's activity: this routine emulates real and complete "Tetris"-like game.
To spread itself, the worm looks for an mIRC client in four directories:
C:Mirc
C:Program Filesmirc
D:mirc D:Program Filesmirc
If one is found, the worm creates additional files:
C:Windowsscript.bak - mIRC script program
C:ackup.vbs - VBS program that later will complete installation
C:Windowssystem.exe - copy of worm EXE file
The "C:ackup.vbs" is then registered in the auto-run registry key as:
HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun
SysFile = C:Backup.vbs
As a result, it is run each time the system starts up, and then copies files:
C:Windowsscript.bak to mIRC directory with "script.ini" name
C:Windowssystem.exe to C: etris.exe
The "script.ini" file is a short mIRC program that sends C: etris.exe file to everybody who enters infected channel.

Check other viruses! Be aware! Use Antiviral Software

Backdoor.Nickser

Description Backdoor.Nickser
Nickser is a backdoor trojan program. The trojan itself is a Windows PE EXE file about 136KB in length (when compressed by TeLock, the decompressed size is about 270KB). It is written in Microsoft Visual C++.
When run the backdoor copies itself under the name lsass.exe name to the Windows directory and registers itself in the system registry auto-run key:
HKLMSoftwareMicrosoftWindowsCurrentVersionRun
UserInitialization = %WinDir%lsass.exe

Nickser then reads its "master's" instructions from an encrypted script file located on the Web at http://go.xmain.da.ru.
The backdoor routine performs the following actions:

- gets a file from requested URL
- runs a command or specified local file
- performs DoS attack to requested victim address
- terminates itself
- joins IRC channel
- opens local drives as FTP site
- e.t.c.

Backdoor.Padodor.w

Description Backdoor.Padodor.w

also known as TrojanSpy.Win32.Qukart
Padodor/Qukart was created by a Russian hacker group called HangUp Team. The original Padodor backdoor source code was used to create this variant, but the backdoor functionality was removed. Padodor/Qukart steals personal information including credit card numbers, logins and passwords that a user types and other sensitive data. The Padodor.W variant was found early on June 25th, 2004 as a result of the Scob incident investigation.
http://www.f-secure.com/v-descs/scob.shtml
Detailed Description
The trojan's file is a PE executable 51712 bytes long. The trojan's file is encrypted and the decryption routine is polymorphic. Every time the trojan installs itself, it changes its decryptor, so its file will look different after every installation. The trojan was created using Padodor backdoor code. There's some discussion now as to whether HangUp Team was involved. Unless they provided their Padodor source code to someone else (which is doubtful), they are responsible for the latest Padodor/Qukart incidents. Up to .G variant of Padodor their copyright was in the backdoor files
In the later variants of the backdoor the copyright string was removed, but the project name "padonok" (an incorrectly spelled Russian word "podonok" that means "scum") remained.
Installation to System
When the trojan's file is run, it installs itself to the system. It copies its file to Windows System directory with a random name that can contain '32' in the end. The name can be for example 'amackg32.exe'. Also the trojan extracts and writes a small DLL file to Windows System folder. That file also has a randomly generated name that can contain '32' in the end, for example 'bnldnl32.dll'. That DLL file is a starter for the dropped trojan's executable file. It already contains the name of the dropped trojan file - it is inserted there before extraction.
Then the trojan creates a few Registry keys:
[HKCRCLSID{79FEACFF-FFCE-815E-A900-316290B5B738}InProcServer32]
@ = "%WinSysDir%.dll"
"ThreadingModel" = "Apartment"
where %WinSysDir% represents the name of Windows System folder and represents a randomly generated file name. As a result, the DLL gets loaded every time Windows starts and it activates the trojan's file.
Also the trojan creates the following Registry key value:
[HKLMSoftwareMicrosoftWindowsCurrentVersionShellServiceObjectDelayLoad]
"Web Event Logger" = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
The trojan creates a mutex named 'KingKarton_10' and checks it at startup to avoid loading several copies of itself to memory.
The trojan creates the 'surf.dat' file in Windows System folder and writes the computer name and user name there every time it activates.
Theft of passwords and credit card numbers
When the trojan is active, one of its threads is constantly looking for the following text strings in Microsoft Internet Explorer windows:
.paypal.com
signin.ebay.
.earthlink.
.juno.com
my.juno.com/s/
webmail.juno.com
.yahoo.com
and
Sign In
Log In
If such text strings are found, the trojan tracks the user's login and password and saves it to a file called DNKK.DLL located in Windows System folder. Then the trojan can show a fake webform and ask a user to select his/her credit card type, input his/her full name, credit card number, expiration date, CVV2 code and ATM PIN. The collected data is stored in a file called KK32.DLL file located in Windows System folder.
The trojan creates a thread that periodically creates or changes the following Registry keys:
[HKCUSOFTWAREMicrosoftWindowsCurrentVersionInternet Settingsones]
"1601" =
[HKCUSoftwareMicrosoftWindowsCurrentVersionInternet Settings]
"GlobalUserOffline" =
[HKU.DEFAULTSOFTWAREMicrosoftWindowsCurrentVersionExplorerBrowseNewProcess]
"BrowseNewProcess" = "yes"
Then this thread creates an HTML file where it copies stolen data, opens it with Internet Explorer and the data gets submitted to one of the following websites (selected randomly) using a small script:
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
After submitting the information, the trojan checks for feedback from the site and if it is a string equal to 'X-okRecv11', the trojan deletes the HTML file and terminates Internet Explorer.
The trojan creates another thread that periodically accesses the following webpages:
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://ldark.nm.ru/index.htm
http://fethard.biz/index.htm
Before accessing the above mentioned websites the trojan creates an HTML file with a special script. If the index.htm page on these sites contain 'X-okRecv11' string the trojan terminates Internet Explorer and deletes the created HTML file. Otherwise the trojan browses Internet cache files and appends the last used HTML file to the KK32.VXD file located in Windows System folder.
It should be noted that during the operation described above the trojan creates a new desktop called 'blind_user' on an infected computer that a user can not see and then opens Internet Explorer there.
© F-Secure Corporation

Home