Kvapavka.879
Description Kvapavka.879
This is a non-dangerous, memory-resident, encrypted parasitic virus. It hooks INT 21h and writes itself to the end of COM files that are executed. On the 27th of any month the virus displays the message: Kvapavka by SH-Software (c) 1995 v 1.2
The virus also contains the text strings: I`love PC Revue ! I'NEED JOB !.*.COM Infector.>><< Fuck of SPS Brezno.VIVAT Z./n.HronomFor M.Trnka SHSJ
I-Worm.Puron
Description I-Worm.Puron
This is a virus-worm that spreads via infected e-mails and infects Windows EXE files on computers. The worm's routines have bugs and, in some cases, halt the computer and/or corrupt files while infecting them. The worm code has the "copyright" text strings: (c)Vecna Vecna is a punk rocker nowall

Infected File Run

The worm can enter a computer via infected e-mails from the local network or from any other infected file that is executed. When the worm starts, it extracts its "main" code from the infected file (that is, the "pure" virus code: a Win32 PE EXE file 9.5 Kb in size), saves it to the Windows TEMP directory with a randomly selected name (for example, LNBAMKON.EXE, MMCAAHAN.EXE) and executes that file.

When the virus' "main" code gains control, it moves its file to the Windows directory that is referenced in the Registry key:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Common Startup = %startup%

The %startup% directory name depends on the Windows version, for example:

\Documents and Settings\All Users\Start Menu\Programs\Startup
%WindowsDir%\All Users\Start Menu\Programs\Startup

The worm moves itself to that %startup% directory with a random name that has eight randomly selected digits and an .EXE extension, for example:

00544102.EXE
17060133.EXE
37154273.EXE

The worm then executes that copy in the "Startup" directory and deletes the first copy in the Windows TEMP directory, for example:

C:\VIRUS.EXE - infected file is run
C:\WINDOWS\TEMP\MMCAAHAN.EXE - 1st copy is created and run
C:\WINDOWS\All Users\Start Menu\Programs\Startup\00544102.EXE - this is the 2nd copy; it is created here and executed. The 1st copy is then deleted.

Because of a bug, in some cases the worm crashes in the middle of this process, and the 1st copy is left in the TEMP directory.

When this "file moving" process is complete, the worm installs a "stealth" hook and runs the infection and e-mail spreading routines.

Infection

When the infection routine gains control, it searches for .EXE and .SCR Windows executable files on all local and network drives and infects them. While infecting, it obtains a block from the middle of the file, compresses it, and stores the compressed data and the worm code in the file so that the file length does not increase. The worm also uses a polymorphic mutation engine to make detection and disinfection more complex.

E-mail spreading

To spread itself, the worm connects to an SMTP mail server and sends infected messages to e-mail addresses. The worm obtains both the SMTP server name and the e-mail addresses from WAB data files (Windows Address Book). The infected messages are in HTML format and have the fields:

From: "Mondo bizarro" [mourning@obituary.org]
Subject: Joey is dead, man... :-(
Text: A tribute to Joey Ramone (1951-2001)
Attach: ramones.mp3.exe

The worm uses one of the security vulnerabilities (Vulnerability identifier: CAN-2001-0154) that were found in MS Windows in 2001. This breach makes it possible to spawn an attached EXE file without any action by the user: when an infected e-mail is opened for reading or preview, the worm's EXE file is automatically run. Microsoft has already released a patch that eliminates this vulnerability. Additional information may be found here: http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

Stealth

The worm hooks the FindFile and FindProcess Windows system calls (FindFirstFileA, FindNextFileA, Process32First, Process32Next). The worm processes these calls so that its copy in the "startup" directory (see above) is not reported. As a result, the worm file is not visible in file and process lists.
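The indicators listed above can be turned into a small triage check. The following Python sketch is an added example, not part of the original description: it tests a message against the From, Subject and attachment values given above and matches Startup file names of eight digits plus .EXE. The double-extension rule is a generalisation beyond this worm, and the sample messages are constructed.

```python
import re
from email import message_from_string
from email.message import EmailMessage

# Indicators taken from the description above.
PURON_FROM = "mourning@obituary.org"
PURON_SUBJECT = "Joey is dead, man... :-("
PURON_ATTACH = "ramones.mp3.exe"
# Startup copy name: eight digits plus .EXE (e.g. 00544102.EXE).
STARTUP_NAME = re.compile(r"^\d{8}\.exe$", re.IGNORECASE)
# Assumption (generalisation): an executable extension hidden behind another one.
DOUBLE_EXT = re.compile(r"\.[a-z0-9]{2,4}\.(exe|scr|com|pif|bat)$", re.IGNORECASE)

def check_message(raw):
    """Return the list of indicators found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    if PURON_FROM in (msg.get("From") or "").lower():
        findings.append("from-address")
    if (msg.get("Subject") or "").strip() == PURON_SUBJECT:
        findings.append("subject")
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        if name.lower() == PURON_ATTACH:
            findings.append("attachment-name")
        elif DOUBLE_EXT.search(name):
            findings.append("double-extension:" + name)
    return findings

def suspicious_startup_names(names):
    """Return the file names that match the eight-digit .EXE pattern."""
    return [n for n in names if STARTUP_NAME.match(n)]

def build_sample(sender, subject, filename):
    """Build a constructed test message with one binary attachment."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    msg.set_content("A tribute to Joey Ramone (1951-2001)")
    msg.add_attachment(b"MZ", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_string()

if __name__ == "__main__":
    raw = build_sample('"Mondo bizarro" <mourning@obituary.org>',
                       PURON_SUBJECT, PURON_ATTACH)
    print(check_message(raw))
    print(suspicious_startup_names(["00544102.EXE", "desktop.ini"]))
```

Because the stealth hook keeps the Startup copy out of directory listings on a running infected system, the file names passed to `suspicious_startup_names` should come from an offline disk image or a clean boot environment.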
I-Worm.Quamo
Description I-Worm.Quamo
This is a virus-worm that spreads via the Internet attached to infected e-mails. The worm itself is a Windows PE EXE file about 57Kb in length, and it is written in Visual Basic Script. The infected messages contain differing subjects, bodies and attached-file names that are randomly selected from the following variants: Subjects: Something very special I know you will like this Yes, something I can share with you Wait till you see this! A brand new game! I hope you enjoy it
Bodies (one-line texts): Hey you, take a look at the attached file. You won't believe your eyes when you open it! You like games like Quake? You will enjoy this one. Did you see the pictures of me and my battery operated boyfriend?
as well as (multiline texts): My best friend, This is something you have to see! Till next time
Is Internet that safe? Check it out
Attached file:

Infected file run

The worm activates from an infected e-mail only when a user clicks on the attached file, displaying the following: At the same time, the worm installs itself to the system. In the event that the [Next] button is pressed, nothing happens (except installation of the worm's copies to the system), and the worm's application simply terminates. When the [Cancel] button is pressed, the worm starts its e-mail spreading routine.

Installing

While installing into the system, the worm creates the new directory C:\EIRAM, and copies itself using the following names:

c:\eiram\quake4demo.exe
f:\quake4demo.exe (if this drive exists)

and then registers these files in the Registry auto-run keys:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"quake"="c:\eiram\quake4demo.exe"
"Q4"="f:\quake4demo.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"Q4"="c:\eiram\quake4demo.exe"
"quake"="f:\quake4demo.exe"

Later, while sending e-mail messages, the worm also may create more of its copies in the Windows directory: honey.exe quake4demo.exe setup.exe

Spreading

The e-mail spreading routine is activated only when a user presses the [Cancel] button in the message box (see above). To send infected messages, the worm uses MS Outlook, and sends messages to all addresses found in the Outlook address book.

Payload

Upon each start, the worm activates its payload routine, which searches for the following files: *.exe, *.xls, *.doc, *.mdb, *.htm, *.html, *.txt, *.ocx and overwrites them with the following text: You've didn't protected your files well enough Let this be a lesson! Never trust someone else eiram 1999-2001