Virus Database

Joke.Win32.IconDance

Description Joke.Win32.IconDance

text written by Alexey Podrezov, Data Fellows
When run, this Trojan minimizes all application windows and starts to change places of the icons on the desktop with incredible speed. The application task can be killed from Task Manager, but icon positions must be restored manually. After the application task is killed, a minimized dialogue box is still present on the screen. The Trojan has the internal (author's) name "IconDance" in French ("Danse des icones").

Check other viruses! Be aware! Use Antiviral Software

I-Worm.Talorm

Description I-Worm.Talorm
Talorm is a worm virus spreading via the Internet as an attachment to infected emails and copies itself to IRC channels. The worm itself is a CHM file (compressed HTML file) about 17KB in length.
Infected messages have the following features:
The Subject Line text is randomly selected from the following variants:
- Fotos de Thalia
- Free Pics
- Fotos XXX de Thalia
- Fotos Exitantes de Thalia

The body text is randomly selected from the following variants:
- Checa estas fotos de Thalia
- Hola que tal? ya viste las super fotos exitantes de Thalia
- Como tas! aqui te mando unas fotos de Thalia
- Para mis mejores Amigos fotos de Thalia
- Fotos XXX de Thalia
- unas fotos bien padres de Thalia
- Imagenes insolitas de Thalia
- Apuesto a que no has visto desnuda a Thalia
- HOLA! TE RETO A CHECAR ESTAS FOTOS BIEN CHIDAS DE Thalia
- Fotos Exitantes de la cantante Thalia

Attach: Thalia.chm

An example of a "Talorm" email message:

The worm activates from infected emails only when a user clicks on the attached file. If this happens Talorm then installs itself to the system and runs its spreading routine.
The worm then overwrites a registry key with new text:
HKLMSoftwareMicrosoftWindowsCurrentVersion
RegisteredOwner = Thalia"

and displays the message:

Installing
While installing the worm copies itself to the Windows directory with the "Thalia.chm" name and registers this file in the system registry auto-run key:
HKLMSoftwareMicrosoftWindowsCurrentVersionRun
Thalia = %WinDir%Thalia.CHM

Spreading: EMail
To send infected messages the worm uses MS Outlook and sends messages to all addresses found in each victim machine's Outlook address book.
Spreading: IRC
The worm looks for the mIRC subdirectory in the "Program Files" directory and writes a new "script.ini" file to this location. This script file has instructions that send worm copies to every user who joins an infected IRC channel.

I-Worm.Tanatos.a

Description I-Worm.Tanatos.a
Tanatos.a, also known as BugBear.a is a worm virus spreading via the Internet as an attachment to infected emails. The worm also copies itself over local networks to segments open for full access and runs backdoor and PSW trojan routines.
The Tanatos worm itself is a Windows PE EXE file about 50KB in length (it is compressed by the UPX utility), and written in Microsoft Visual C++.
The infected messages have different Subjects, Bodies, and Attached file names.
The worm sends messages of two types (which it randomly selects). In first case, in order to run from the infected message the worm exploits the IFrame security breach (as a result the worm activates when a message is being opened or previewed in vulnerable (victim) systems). In the second case the worm does not use "breach tricks" and the attached worm copy activates from infected email only in case a user clicks on the attached file. The Tanatos worm got its name from the text string appearing in its code:
Project Tanatos
Installing
While installing the worm copies itself to the Windows system directory under a random name and registers itself in the system registry auto-run key:
HKLMSoftwareMicrosoftWindowsCurrentVersionRunOnce
The worm's EXE filename depends on the C: volume name, for example:
FYOM.EXE
YOK.EXE

The worm also places a DLL file in the Windows system directory under a random name and uses this file to 'spy' on and record all keyboard input.
Spreading: Emails
To send infected messages Tanatos uses a direct connection to the default SMTP server. Victim email addresses are gotten from the following file types:
*.ODS, *.MMF, *.NCH, *.MBX, *.EML, *.TBB, *.DBX,
*INBOX*
The Tanatos worm searches for these files in the system and extracts email-like strings from them.
The Subject field is selected from the following variants:
Greets!
Get 8 FREE issues - no risk!
Hi!
Your News Alert
$150 FREE Bonus!
Re:
Your Gift
New bonus in your cash account
Tools For Your Online Business
Daily Email Reminder
News
free shipping!
its easy
Warning!
SCAM alert!!!
Sponsors needed
new reading
CALL FOR INFORMATION!
25 merchants and rising
Cows
My eBay ads
empty account
Market Update Report
click on this!
fantastic
wow!
bad news
Lost & Found
New Contests
Today Only
Get a FREE gift!
Membership Confirmation
Report
Please Helpall
Stats
I need help about script!!!
Interesting...
Introduction
various
Announcement
history screen
Correction of errors
Just a reminder
Payment notices
hmm..
update
Hello!

Additionally, the message Subject can be randomly selected by "Tanatos" from a randomly selected disk file.
The message Body is randomly selected by Tanatos from a randomly selected disk file.
The attached file name is also randomly selected and it may have a double extension, for example:

filename.XLS.SCR

Spreading: Network
Tanatos enumerates network resources shared for writing, looks for the startup folder and copies its file to this folder (if found).
This routine has a bug and the worm also sends copies of itself to shared network printers.
Backdoor
The backdoor routine opens port 36794 where it then listens for "master" commands (from the person or people who are controlling it). The backdoor routine grants control over infected machines, giving those who control Tanatos the ability to send/receive/copy/execute files, terminate processes, send out user info. etc.
Tanatos also opens the HTTP server on infected machines, doing this offers a WEB interface with which to manipulate infected machines.
PSW Trojan
The worm also has a trojan routine that sends user info and cached passwords to several email addresses that are encrypted in the worm body.
Other
Tanatos looks for the following applications and tries to terminate them:

Home