Itavir.3187
Description Itavir.3187
This is a very dangerous non-memory-resident parasitic virus. It scans the subdirectory tree and writes itself to the end of the .EXE files it finds. While scanning and infecting, the virus uses absolute disk INT 25h/26h calls and the DOS Create File and Rename File functions. The virus sets the attributes of infected files to 60h. In some cases the virus erases disks. The virus also contains the following text strings:

Zione rada ?OMMAND COM per questa voltaall...... .......AHI..AHI..AHI....... Ho proprio l`impressione di essere un Virus Maligno,...... Molto maligno (naturalmente) Non vi rimane che da azionare l`interruttore AUGURI!!!.....................
I-Worm.Mydoom.n
Description I-Worm.Mydoom.n
This worm spreads via the Internet as an attachment to infected messages. The worm itself is a PE EXE file, 35,328 bytes in size, packed using ASPack. It is a copy of I-Worm.Mydoom.m and differs only in file size and the packer used.
I-Worm.Mydoom.q
Description I-Worm.Mydoom.q
Mydoom.q is an Internet worm that spreads as an email attachment. It is written in C++ and packed with UPX. The packed file is 27,136 bytes in size; unpacked it is 65,024 bytes.

Installation
Once launched, Mydoom.q copies its main component into the Windows directory under the name rasor38a.dll and into the Windows system folder under the name winpsd.exe. It then creates the following key in the system registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winpsd"="<Windows System Folder>\winpsd.exe"

Mydoom.q also creates a mutex named 43jfds93872 to prevent duplicate infections.

Propagation
Mydoom.q scans the infected machine for files with the following extensions:

txt htmb shtl phpq aspd dbxn tbbg adbh pl wab

Email characteristics
Subject: photos
Body text: LOL!;))))
Attachment name: photos_arc.exe

Payload
Mydoom.q attempts to download Backdoor.Win32.Surila.g, a Trojan, from a list of infected sites contained in the body of the worm:

http://www.richcolour.com/ispy.x.xxx
http://www.richcolour.com/coco3.xxx
http://www.richcolour.com/guestbook/temp/temp587.xxx
http://zenandjuice.com/guestbook/temp/temp728.xxx

If the backdoor is downloaded successfully, it is saved in the Windows directory under the name winvpn32.exe and then launched. A key is also created in the system registry signalling successful installation:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer]
"InstaledFlashhMX"="1"

Mydoom.q checks this flag and stops attempting to download the Trojan once it is set to '1'.

Other
Mydoom.q is programmed to stop spreading on August 20 at 21:11:11 (according to the local machine time). Backdoor.Win32.Surila.g, however, has no expiration date, so infected machines remain open to remote administration unless the Trojan is removed.
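As an added defensive illustration (not part of the encyclopedia entry), the persistence, mutex, dropped-file and email indicators listed above can be turned into a host and mail check. The registry paths, value names, file names and mutex are the ones the entry gives; the host snapshots and mail fields below are constructed sample data.

```python
from dataclasses import dataclass

# Indicators exactly as given in the Mydoom.q description above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
FLAG_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
MUTEX = "43jfds93872"
DROPPED = {"rasor38a.dll", "winpsd.exe", "winvpn32.exe"}
MAIL = {"subject": "photos", "body": "LOL!;))))", "attachment": "photos_arc.exe"}


@dataclass
class HostSnapshot:
    """Artefacts collected from one host (constructed for this example)."""
    registry: dict[tuple[str, str], str]  # (key, value name) -> data
    files: set[str]                        # basenames in the Windows / System dirs
    mutexes: set[str]


def check_host(snap: HostSnapshot) -> list[str]:
    """Return the Mydoom.q indicators present on the host (empty list = none)."""
    hits = []
    run = snap.registry.get((RUN_KEY, "winpsd"), "")
    if run.lower().endswith("winpsd.exe"):
        hits.append("persistence: Run\\winpsd -> " + run)
    if snap.registry.get((FLAG_KEY, "InstaledFlashhMX")) == "1":
        hits.append("backdoor flag: InstaledFlashhMX=1 (Surila.g likely installed)")
    if MUTEX in snap.mutexes:
        hits.append("mutex: " + MUTEX)
    present = DROPPED & {f.lower() for f in snap.files}  # case-insensitive match
    hits += ["dropped file: " + f for f in sorted(present)]
    return hits


def check_mail(subject: str, body: str, attachment: str) -> bool:
    """True when a message matches the worm's fixed template (all three fields)."""
    return (subject.strip().lower() == MAIL["subject"]
            and body.strip() == MAIL["body"]
            and attachment.strip().lower() == MAIL["attachment"])


# Constructed samples: one infected host with the backdoor flag set, one clean host.
INFECTED = HostSnapshot(
    registry={(RUN_KEY, "winpsd"): r"C:\WINDOWS\system32\winpsd.exe",
              (FLAG_KEY, "InstaledFlashhMX"): "1"},
    files={"rasor38a.dll", "WINPSD.EXE", "notepad.exe"},
    mutexes={"43jfds93872", "Global\\UnrelatedMutex"},
)
CLEAN = HostSnapshot(registry={}, files={"notepad.exe"}, mutexes=set())

if __name__ == "__main__":
    for line in check_host(INFECTED):
        print(line)
```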