Linux.Kagob.a
Description Linux.Kagob.a
It is a harmless, non-memory-resident parasitic Linux virus. The virus itself is a Linux executable module (ELF file). It searches for other ELF files in the system and infects them. While infecting, the virus moves the victim file's contents down and writes itself to the file header. To release control to the host file, the virus "disinfects" it to a temporary file and executes it. The virus does not manifest itself in any way. Its body contains the "copyright" text string: Linux.Kaiowas by Gobleen Warrior//SMF
I-Worm.Stopin.a
Description I-Worm.Stopin.a
This is a virus-worm that spreads via the Internet attached to infected e-mail. The worm itself is a Windows PE EXE file about 30Kb in length (compressed by UPX, decompressed size is about 85K), written in Borland C++.
Infected messages contain:
Subject: Secret for youall
Body: Hi Friend, I send you my last work. Mail me if you have some suggests. See you soon. Best Regards.
Attachment: My_Work.exe
The worm activates from an infected e-mail only when a user clicks on the attached file. The worm then installs itself to the system, runs its spreading routine and payload.
Installing
While installing, the worm copies itself to the Windows system directory with the MSGDI32.EXE name and registers this file in the system registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft GDI 32 bits = %SystemDir%\MSGDI32.EXE
The worm then displays a fake error message and exits:
While installing, the worm also looks for and terminates the following applications:
AVP32.EXE AVPCC.EXE AVPM.EXE WFINDV32.EXE F-AGNT95.EXE NAVAPW32.EXE NAVW32.EXE NMAIN.EXE PAVSCHED.EXE ZONEALARM.EXE
Spreading
Upon next start-up (being run by Registry "Run=" key), the worm activates its e-mail spreading routine. To send infected messages, the worm uses Win32 MAPI functions. To get victim e-mail addresses, the worm looks for and scans the following files:
*.HTM *.HT* *.DOC
Payload
On the 7th of any month, the worm displays the following message:
On the 11th of any month, it displays the following text:
Can we try to stop the conflicts ? YES OF COURSE !'
On the 28th, it creates the "StopIntifada.htm" file, writes the following text to it and opens it:
Stop Violence between Palestinians and Israeli
HOW TO STOP THE VIOLENCE
-THE ISRAELIS: To take the israelis tank out of the palestinians autonomous city. Don't bomb civil place after a terrorist bomb attack. To arrest and to kill the leaders of terrorist groups.
-THE PALESTINIANS: To stop to provoke the israelis army. To stop the terrorist attacks.
-THE BOTH: To try to accept the other people. TO ORGANIZE A MEETING BETWEEN ARIEL SHARON AND YASSER ARAFAT !
Thanx to read this.
I-Worm.Suppl
Description I-Worm.Suppl
This is a virus-worm that spreads via Internet channels attached to e-mail messages as the SUPPL.DOC MS Word97 document. It was posted to several newsgroups in September 1999. This document was created by using the Russian MS Word97 edition, which means that the worm has Russian or xUSSR origin. To install itself to the system, the worm uses a method that does not work under WinNT, and as a result, the worm is able to infect and spread itself from Win9x systems only.
The worm has a very dangerous payload: one week after infecting a computer, the worm erases, on local and remote drives, the files with the following extensions:
DOC XLS TXT RTF DBF ZIP ARJ RAR
The method of erasing is the same as the one used by the "ZippedFiles" worm, and damaged files are not recoverable.
Installing
The infected document has just one macro, Document_Open, that is automatically executed when MS Word opens the document. This macro copies its document to the Windows system directory with the ANTHRAX.INI name, then drops its DLL component (that is stored in the infected document) to the same directory with the DLL.TMP name. This DLL component is dropped via a compressed temporary DLL.LZH file. The worm then adds renaming instructions to the WININIT.INI file. These instructions rename WSOCK32.DLL to WSOCK33.DLL and replace WSOCK32.DLL with the worm's DLL.TMP library. This trick causes Windows to replace its WSOCK32.DLL with a worm copy upon the next Windows restart. When initializing its DLLs, Windows loads the infected (worm's) DLL instead of the original one, and as a result, the worm gets access to network functions.
Spreading
On the next Windows restart, the infected WSOCK32.DLL is loaded into the system memory and gets control. At this moment the worm gets access to and intercepts all the library functions that the original WSOCK32 library provides. For all of them except two, the worm just forwards requests to the original functions, and for this purpose, the worm also loads WSOCK33.DLL (the original library) into the Windows memory. The two functions that are processed by the virus itself are "send" and "connect". By using these functions, the worm intercepts e-mails sent from the infected computer, and attaches its copy to these e-mails as the SUPPL.DOC file.
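The WININIT.INI renaming trick described above can be checked for before the next restart. The following Python sketch is an added example, not code from the original description: it reads the [rename] section (lines of the form destination=source) and flags entries that replace WSOCK32.DLL or move it aside. The watch list, function names and sample paths are assumptions made for illustration.

```python
import ntpath

# Assumed watch list; WSOCK32.DLL is the library named in the description above.
WATCHED = {"WSOCK32.DLL"}

def parse_rename_section(text):
    """Return (destination, source) pairs from [rename], in file order.

    configparser is avoided on purpose: the section may repeat keys
    (several NUL= lines), which a dict-based parser would collapse.
    """
    pairs, in_rename = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_rename = line.lower() == "[rename]"
            continue
        if in_rename and "=" in line:
            dest, src = line.split("=", 1)
            pairs.append((dest.strip(), src.strip()))
    return pairs

def suspicious_renames(text, watched=WATCHED):
    """Flag entries that overwrite a watched library or move it aside."""
    findings = []
    for dest, src in parse_rename_section(text):
        dest_name = ntpath.basename(dest).upper()
        src_name = ntpath.basename(src).upper()
        if dest_name in watched:
            findings.append(("replaced", dest, src))
        elif src_name in watched:
            findings.append(("moved-aside", dest, src))
    return findings

# Constructed sample; the directory paths are illustrative, not from the page.
SAMPLE = r"""[rename]
NUL=C:\WINDOWS\TEMP\SETUP1.TMP
NUL=C:\WINDOWS\TEMP\SETUP2.TMP
C:\WINDOWS\SYSTEM\WSOCK33.DLL=C:\WINDOWS\SYSTEM\WSOCK32.DLL
C:\WINDOWS\SYSTEM\WSOCK32.DLL=C:\WINDOWS\SYSTEM\DLL.TMP
"""

if __name__ == "__main__":
    for kind, dest, src in suspicious_renames(SAMPLE):
        print(f"{kind}: {src} -> {dest}")
```

A finding is a prompt for review rather than proof of infection, since legitimate installers also use WININIT.INI to replace in-use files at restart.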