Virus Database

Lamego.722

Description Lamego.722

These are relatively harmless memory resident parasitic viruses. They hook INT 21h, and write themselves to the end of COM files that are executed. While installing into the system memory, the viruses also infect the C:COMMAND.COM file. In August, the viruses decrypt and display the following message:
(C) Virús LAMEGO 1.0
Cópia de virús ilegal all

The viruses also contain the text strings:
C:COMMAND.COM
*LAMEGO*

Check other viruses! Be aware! Use Antiviral Software

I-Worm.Bagle.e

Description I-Worm.Bagle.e
This worm spreads via the Internet as a file attached to infected emails. The worm itself is a PE EXE file of approximately 17KB, packed using PEX. The unpacked file is approximately 27KB in size.
Infected messages have the following characteristics:
Message header (chosen from the list below):
Accounts department
Ahtung!
Camila
Daily activity report
Ello!
Flayers among us
Freedom for everyone
From Hair-cutter
From me
Greet the day
Hardware devices price-list
Hello my friend
Hi!
Jenny
Jessica
Looking for the report
Maria
Melissa
Monthly incomings summary
New Price-list
Price
Price list
Pricelist
Price-list
Proclivity to servitude
Registration confirmation
The account
The employee
The summary
USA government abolishes the capital punishment Weekly activity report Wellall
You are dismissed
You really love me? he he
Message body (chosen from the list below):
Cya
Empty
Everything inside the attach
Look it through
Request
Response
Subj
Attachment:
The attachment is a zip file which a name consisting of a random combination of a, b, and c (e.g. cdda.zip). Inside the .zip file is an .exe file with a random name, containing a text file icon.
Installation
Following installation, the worm copies itself and its components to the Windows system directory, under the names "i1ru74n4.exe", "godo.exe", "ii455nj4.exe", and "i1ru74n4.exeopen". It registers "i1ru74n4.exe" in the system registry auto-run key:
[HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun]
"rate.exe" = "%system%i1ru74n4.exe"
The worm also creates the registry key:
[HKCUSOFTWAREDateTime4]
and saves its variables in the key.
The worm attempts to connect to several sites and save information about the infected victim computer on these sites.
The worm also creates a mutex imain_mutex to flag its presence in memory.
Propagation
The worm searches for files with the following extentions:
adb
asp
cfg
dbx
eml
htm
html
mdx
mmf
nch
ods
php
pl
sht
txt
wab
harvests email addresses, and then sends itself to all addresses found. To send messages, the worm uses its own SMTP server.
Remote administration
The worm opens port 2745 and tracks port activity. The backdoor function makes it possible to remotely execute commands and download files to the victim machine.
Other
The worm attempts to counteract antivirus programs by terminating the following processes:
ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVLTMAIN.EXE
AVPUPD.EXE
AVWUPD32.EXE
AVXQUAR.EXE
CFIAUDIT.EXE
DRWEBUPW.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
LUALL.EXE
MCUPDATE.EXE
NUPGRADE.EXE
OUTPOST.EXE
UPDATE.EXE
The worm is programmed to cease propagation after 25th March 2004.

I-Worm.Bagle.f

Description I-Worm.Bagle.f
This worm spreads via the Internet as a file attached to infected messages. It also spreads via file-sharing networks.
The worm is a PE EXE file of approximately 21KB, packed using PEX. The unpacked file is approximately 35KB in size.
The worm also sends copies of itself in a password protected ZIP file. In this case, the password is given in the message body.
Infected messages have the following characteristics:
Message header:
^_^ meay-meay!
^_^ mew-mew (-:
Aline
Anna
Audra
Bad girl
Barbi
beautiful
Caitie
caroline
ello! =))
Fotograf
Gallery photos
groom
Hey, dude, it's me ^_^ :P
Hey, ya! =))
Hi! :-)
Hokki =)
Jammie
Juli
Julie
kate
Katrina
Kelley
kleopatra
Lisa
Mandy
Mary
Mary-Anne
My beautiful person
My Name is Frenk
My photoalbum
My photos
Myphotos
Photoalbum
rebecca
Rena
Sara
stacy
Tammy
Wauall beautiful (-:
Weah, hello! :-)
Weeeeee! ;)))
Message body:
Argh, i don't like the plaintext :)
Fell free to chat with me I accept all ages. Don''''t worry I don''''t bite........hope to hear from you soon!
Hey people whats goin on? If there is anything you want to know about me ask me... I am pretty easygoing I won't bite....not at first anywayz hahaa.....one thing I will say on here tho I am not into the Cyber thing so don't even ask.....Ciao...
Hey, guys! by the way, I have no problems with my sexual life, so it's absolutly useless try to have icq sex or things like that. Thanks Hi! My name is Shreya and I am a goof off!!! So, If you love the outdoors, travelling, books, music, movies, laffing, teasing and/or can poke fun at yourself... please come a hollerin'!!
I am from Taiwan but I study in Camden, New Jersey now. I like to know people from different places .
I enjoy clean conversations but am open to conversing with women and men with little ones as well. I am very open-minded. All authorization requests will be denied if I don't receive messages and get to know you first.
I like to be in a company of smart, delicate, and with a good sense of humor people. I am Bulgarian, currently getting my Master's in International Business in USA. Favorite actor: Michael Dudikoff I love camping, dirt track racing, going for walks, and I have 2 cats - HotRod and Deebo (named from the movie 'Friday' and he lives up to it!). Life is ever changing, never always easy...
I love meeting new people and making new friends. I am a Mary Kay Beauty Consultant. I am married to a wonderful man. We have no children, exept for a minature schnauzer that thinks he is a child. Looking forward to meeting you.
i love to chat to just about anyone!!
I love to dance, read poetry, make people laugh, and hug as many people a day as i can.
I sit with elders of a gentle race, whose world is seldom seen.Who sit and talk of days for which they wait, when all will be revealed. These are song lyrics.
If I'm online, it problably means I'm pretty bored....so feel free to message me and say hi or whatever else comes to mind at the moment.
If you are going to make me cry, at least be there to wipe away the tears *Right now the worst thing for you to tell me that I can find someone better than you, especially when you are all I want I'm a social butterfly and a natural flirt. Very hard to get my complete attention. Very open and will answer almost anything. But please don't piss me off. I can be sweet and cuddly or a whatever mood I am in that day so everyday I'm an open minded person and enjoy chatting w/ other people. I'm free and willing to chat about anything. So feel free to Imed me if you wanna chat.
I'm married and I stay at home. And I don't do cyber sex so leave me the fuck alone i'm tall and skiny I'm studying in Pharm. D program in FL. i like music, movie, dancing, sports, SCUBA diving, traveling and make a lot friends.
Looking forward for a response :P
Love the outdoors, literature, writing, and athletics My hobbies include crochet, sewing, painting lead figures and playing AD&D. Favorite activities include fishing and camping. I love cats, unicorns(go figure), and fantasy in general.
Nice friends, nice men, nice sex and feeling great. I don't mind the odd bout of cybersex as I love to use my imagination when I masterbate.
Single Mom of 3, Full time college student, Graduate in December with an Associates of Applied Science in Computer Information Systems Love the internet.
When The Trust is Gone So Is The Love That Fades Like the Rain Washing Away All The Sorrows Of Yesterday Why I Ask Myself Must It End Like This Tomorrow, I Tell Myself, I'll Be Okay For Now, I'll Just Live In The Memories Of Our Life Together You don't know what you've got till it's gone *You hurt me more than I deserve, how can you be so cruel? I love you more than you deserve, how can I be such a fool?
Attachment name
Aline
Anna
Audra
Bad girl
Barbi
Caitie
caroline
Gallery
It_I
Jammie
Juli
Julie
kate
Katrina
Kelley
kleopatra
Lisa
Mandy
Mary
Mary-Anne
myfotos
Photoalbum
Photomontage
Picture
rebecca
Rena
Sara
stacy
Tammy
Attachment extension:
exe
scr
zip
If the worm is sent as a ZIP file, the following message text will be found at the end of the message:
archive password:
pass:
password:
password for archive:
Installation
Following installation, the worm copies itself and its components to the Windows system directory under the names "i1ru54n4.exe", "go54o.exe", "ii5nj4.exe", "i1ru54n4.exe" open and registers "i1ru54n4.exe" in the system registry auto-run key:
[HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun]
"rate.exe" = "%system%i1ru54n4.exe"
It also creates the following registry key:
[HKCUSOFTWAREWinword]
"frun"="1"
The worm attempts to connect to several remote sites, and saves information about the infected computer on these sites. The worm also creates a mutex called imain_mutex to flag its presence in memory.
Propagation
The worm searches for files with the following extensions:
adb
asp
cfg
dbx
eml
htm
html
mdx
mmf
nch
ods
php
pl
sht
txt
wab
and sends itself to all email addresses which it finds in these files. It uses its own SMTP server to send messages.
Propogation via P2P
The worm searches for directories which contain shar and copies itself several times to all directories found, under the following names:
ACDSee 9.exe
Adobe Photoshop 9 full.exe
Ahead Nero 7.exe
Matrix 3 Revolution English Subtitles.exe
Microsoft Office 2003 Crack, Working!.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Opera 8 New!.exe
Porno pics arhive, xxx.exe
Porno Screensaver.scr
Porno, sex, oral, anal cool, awesome!!.exe
Serials.txt.exe
WinAmp 5 Pro Keygen Crack Update.exe
WinAmp 6 New!.exe
Windown Longhorn Beta Leak.exe
Windows Sourcecode update.doc.exe
XXX hardcore images.exe
Remote administration
The worm opens port 2475 and tracks port activity. The backdoor function makes it possible for commands to be executed and files to be downloaded on the victim machine.
Other
The worm attempts to counteract the updating of antivirus programs. It terminates the following system processes:
ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVLTMAIN.EXE
AVPUPD.EXE
AVWUPD32.EXE
AVXQUAR.EXE
CFIAUDIT.EXE
DRWEBUPW.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
LUALL.EXE
MCUPDATE.EXE
NUPGRADE.EXE
OUTPOST.EXE
UPDATE.EXE
The worm is programmed to cease propagation after 25th March 2004.

Home