Killme.1972
Description Killme.1972
It is a dangerous memory-resident, encrypted, parasitic virus. It hooks INT 21h and writes itself to the end of COM and EXE files that are executed. On the 13th of July the virus erases all executing files. On the 15th of July it displays the text: The KillMe Virus Ver 1.0 199?. By Noh.K.S.
Check other viruses! Be aware! Use Antiviral Software
I-Worm.Bagle.j
Description I-Worm.Bagle.j
This worm spreads via the Internet as an attachment to infected messages, and also via file sharing networks. It is packed using UPX; the size of the compressed file is 12843 bytes, and the size of the uncompressed file is 49707 bytes. The worm may write nonsense to the end of the file, in which case the size of the file will differ from the size shown above.
This current version is almost identical to I-Worm.Bagle.i, and differs only in the following insignificant ways:
The text of the message sent to the author of NetSky has been changed: "Hey, NetSky, fuck off you bitch!"
The name of the file which the worm writes itself has been changed, and correspondingly, so has the value of the system registry key:
File name: winsys.exe
Registry key: [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ssate.exe" = "%system%\winsys.exe"
I-Worm.Bagle.s
Description I-Worm.Bagle.s
Bagle.s is an Internet worm spreading as an attachment to infected emails. The worm is a PE exe file about 8 KB in size. Bagle.s is compressed by FSG and the unpacked file is about 37 KB in size.
Infected messages have the following characteristics:
Sender address: random
Subject: none
Body: empty
Attachment name: random characters
Attachment file type: .exe
Installation
After launch Bagle.s copies itself into the Windows system directory as gigabit.exe and registers this file in the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "gigabit.exe" = "%system%\gigabit.exe"
Bagle.s then creates the key:
[SOFTWARE\Windows2004] "gsed"
where it stores its variables. Bagle.s also launches mshearts.exe - The Microsoft Hearts Network.
Finally, Bagle.s attempts to connect to several remote sites and store id information from the infected machine on these sites.
Propagation
Bagle.s searches disks for files with the following extensions:
adb asp cfg cgi dbx dhtm eml htm jsp mbx mdx mht mmf msg nch ods oft php pl sht shtm stm tbb txt uin wab wsh xls xml
and sends copies of itself to all email addresses detected in these files using an inbuilt SMTP engine.
Remote Administration
Bagle.s opens and monitors port 4751. The inbuilt backdoor function allows the master to:
Execute commands
Download files