Liza.874
Description Liza.874
This is a relatively harmless memory-resident multipartite virus. It hooks INT 1Ch and INT 21h, writes itself to the MBR sector of the hard drive and appends itself to EXE files as they are created. After starting from an infected file, the virus writes itself to the MBR sector. It contains the following text strings:
[Serg Enigma] Liza 34?-4732
The virus does not manifest itself in any way.
I-Worm.Lovgate.a
Description I-Worm.Lovgate.a
I-Worm.Lovgate.a (aka Supnot.a) is a worm spreading via the Internet as an attachment to infected emails. The worm also spreads through local area networks and has a backdoor routine. Several variants of the worm are known, all very similar to each other.

The worm itself is a Windows PE EXE file written in Microsoft Visual C++ and compressed with ASPack. The compressed file is about 85 KB in size; decompressed it is about 200 KB.

The worm activates from an infected email only when the user clicks on the attached file. When spreading through local area networks, the worm tries to run its remote copies by using Windows NT functions. When run, the worm installs itself in the system and starts its spreading and backdoor routines.

Installing

While installing, the worm copies itself to the Windows system directory under several names and registers these files in the system registry auto-run key (under Windows NT) and/or in the "run" command of the WIN.INI file (under Windows 9x). The worm copies have the following names:
rpcsrv.exe
syshelp.exe
winrpc.exe
WinGate.exe
WinRpcsrv.exe

The registry keys are:

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"Run"="rpcsrv.exe"

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"syshelp"="%SystemDir%\syshelp.exe"

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"WinGate initialize"="%SystemDir%\WinGate.exe -remoteshell"
"Module Call initialize"="RUNDLL32.EXE reg.dll ondll_reg"

[HKCR\txtfile\shell\open\command]
"winrpc.exe %1"

Spreading: email

To spread via email, 'Supnot' uses two different methods.

1. The worm looks for "*.HT*" files (HTM, HTML) in the current directory, the Windows directory and the "My Documents" directory (including subdirectories), scans them for email-like text strings and sends infected messages to the addresses found. To send an infected message the worm connects directly to the default SMTP server, or to the "smtp.163.com" server. The 'Supnot' message attributes vary as follows:

Subject           Text                                                 Attachment
Cracks!           Check our list and mail your requests!               CrkList.exe
The patch         I think all will work fine.                          Patch.exe
Last Update       This is the last cumulative update.                  LUPdate.exe
Do not release    This is the pack ;)                                  Pack.exe
Beta              Send reply if you want to be official beta tester.   _SetupB.exe
Help              I'm going crazy all please try to find the bug!      Source.exe
Evaluation copy   Test it 30 days for free.                            Setup.exe
Pr0n!             Adult content!!! Use with parental advisory.         Sex.exe
Roms              Test this ROM! IT ROCKS!.                            Roms.exe
Documents         Send me your comments...                             Docs.exe
2. The worm reads emails from the Inbox and "answers" them using Windows MAPI functions. Replies look like:

Subject: Re: [original email subject]
Text:
[user name] wrote:
====
> [original email text]
====
[email domain name] account auto-reply:

' I'll try to reply as soon as possible. Take a look to the attachment and send me your opinion! '

> Get your FREE [email domain name] account now! <

for example:

The attached file name is randomly selected from the following variants:
pics.exe, SETUP.EXE, images.exe, Card.EXE, joke.exe, billgt.exe, PsPGame.exe, midsong.exe, news_doc.exe, s3msong.exe, hamster.exe, docs.exe, tamagotxi.exe, humor.exe, searchURL.exe, fun.exe
Infecting local networks

The worm finds network resources (shared writable disks and directories) and copies itself to them under randomly chosen names:
pics.exe, SETUP.EXE, images.exe, Card.EXE, joke.exe, billgt.exe, PsPGame.exe, midsong.exe, news_doc.exe, s3msong.exe, hamster.exe, docs.exe, tamagotxi.exe, humor.exe, searchURL.exe, fun.exe

If a network resource is password protected, it also tries to obtain 'write' access using the following credentials:

Login: "guest", "Administrator"
Password: "123", "321", "123456", "654321", "administrator", "admin", "111111", "666666", "888888", "abc", "abcdef", "abcdefg", "12345678", "abc123"

If the login succeeds, the worm creates a remote copy of itself named "stg.exe" and tries to launch it on the remote computer.

Backdoor

Supnot launches a "backdoor" routine that uses IPC (interprocess communication): it creates a pipe connected to a command processor launched on the victim computer (CMD.EXE in Windows NT/2000/XP or COMMAND.COM in Windows 9x/ME). This lets the worm's "owner" control the victim computer remotely. The backdoor is launched in three different ways:
- as a thread in the worm's process
- as part of the "LSASS.EXE" process (under Windows NT)
- as the stand-alone DLL files "ily.dll", "Task.dll" and "reg.dll", stored in the Windows system directory
All three methods execute the identical payload routine.

Other

While sending email messages, the worm creates a temporary file called "CH0016.TMP" in the Windows temporary directory. The worm also sends a 'notification' email to its "owner" containing the infected computer's name, IP address and current user name. This email contains the following "copyright" string:
My I-WORM-and-IPC-20168 running!
I-Worm.Lovgate.ah
Description I-Worm.Lovgate.ah
This worm spreads via the Internet as an attachment to infected messages. It is written in MFC and packed with ASPack. The packed file is 152063 bytes in size; the unpacked file is approximately 250 KB. The worm is capable of infecting PE EXE files.

Installation

Once launched, the worm copies itself to the Windows system and root directories under the following names:
%windir%\CDPlay.exe
%windir%\Exploier.exe
%system%\IEXPLORE.exe
%system%\iexplorer.exe
%system%\RAVMOND.exe
%system%\WinHelp.exe
%system%\spoolsv.exe
%system%\Update_OB.exe
%system%\TkBellExe.exe
%system%\hxdef.exe
%system%\Kernel66.dll

It also creates a file named cdrom.com in the root directory of all accessible disks. The worm may also create several copies of itself in ZIP format in the root directory of all accessible disks; these copies are saved under random names.

Several copies of the worm are registered in the system registry so that they run each time the system starts:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"WinHelp"="%system%\TkBellExe.exe"
"Hardware Profile"="%system%\hxdef.exe"
"Microsoft Associates, Inc."="%system%\iexplorer.exe"
"SystemTra"="%windir%\CdPlay.exe"
"Shell Extension"="%system%\spollsv.exe"

[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
"COM++ System"="Exploier.exe"

A string is added to win.ini so that a file named RAVMOND.exe is launched automatically on system startup.

The worm changes the system registry so that it gains control whenever a text file is opened:

txtfile\shell\open\command
"default"="Update_OB.exe %1"

It also creates an additional registry key to flag its presence in the system:

[HKLM\Software\Microsoft\Windows\CurrentVersion\MXLIB1]

Propagation via local networks

The worm makes the C:\windows\Media folder accessible via the local network by sharing it under the name \Media.
It copies itself to all accessible disks under the following names:
autoexec.bat
Cain.pif
client.exe
Documents and Settings.txt.exe
findpass.exe
i386.exe
Internet Explorer.bat
Microsoft Office.exe
mmc.exe
MSDN.ZIP.pif
Support Tools.exe
Windows Media Player.zip.exe
WindowsUpdate.pif
winhlp32.exe
WinRAR.exe
xcopy.exe

If the worm finds the P2P client Kazaa on the victim machine, it copies itself to the file-sharing folder under one of the following names, or under a random name:
wrar320sc, REALONE, BlackIcePCPSetup_creak, Passware5.3, word_pass_creak, HEROSOFT, orcard_original_creak, rainbowcrack-1.1-win, W32Dasm, setup
The file extension is chosen at random from the following list: BAT, EXE, PIF, SCR.

The worm attempts to copy itself to all accessible computers it finds on the local network. To do this, it attempts to gain access to resources through the Administrator account, using the passwords listed below:
!@#$, !@#$%, !@#$%^, !@#$%^&, !@#$%^&*, 0, 000000, 00000000, 007, 1, 110, 111, 111111, 11111111, 12, 121212, 123, 123123, 1234, 12345, 123456, 1234567, 12345678, 123456789, 123abc, 123asd, 2003, 2004, 2600, 321, 54321, 654321, 666666, 888888, 88888888, a, aaa, abc, abc123, abcd, abcdef, abcdefg, admin, Admin, admin123, administrator, Administrator, alpha, asdf, asdfgh, computer, database, enable, god, godblessyou, guest, Guest, home, Internet, Login, login, love, mypass, mypass123, mypc, mypc123, oracle, owner, pass, passwd, password, Password, pc, pw, pw123, pwd, root, secret, server, sex, sql, super, sybase, temp, temp123, test, test123, win, xp, xxx, yxcv, zxcv

If the worm manages to establish a connection, it copies itself to admin$\system32\NetManager.exe and launches this file as the "Windows Management Network Service Extensions" service.

Propagation via email

The worm replies to all messages it finds in the 'Incoming' folder by sending an infected email to those addresses.
It also harvests email addresses from files with the following extensions:
wab, htm, pl, adb, tbb, dbx, asp, php, sht, htm

Infected messages:

Message header (chosen at random from the list below):
Mail failed. For further assistance, please contact!
The message sent as a binary attachment.
It's the long-awaited film version of the Broadway hit.
The message contains Unicode characters and has been sent as a binary attachment.

Attachment name (chosen at random from the list below):
I am For u.doc.exe
Britney spears nude.exe.txt.exe
joke.pif
DSL Modem Uncapper.rar.exe
Industry Giant II.exe
StarWars2 - CloneAttack.rm.scr
dreamweaver MX (crack).exe
Shakira.zip.exe
SETUP.EXE
Macromedia Flash.scr
How to Crack all gamez.exe
Me_nude.AVI.pif
s3msong.MP3.pif
Deutsch BloodPatch!.exe
Sex in Office.rm.scr
the hardcore game-.pif

Message body:
If you can keep your head when all about you
Are losing theirs and blaming it on you;
If you can trust yourself when all men doubt you,
But make allowance for their doubting too;
If you can wait and not be tired by waiting,
Or, being lied about,don',27h,'t deal in lies,
Or, being hated, don',27h,'t give way to hating,
And yet don',27h,'t look too good, nor talk too wise;
all ... more look to the attachment.

Other

The worm terminates all processes whose names contain the following text:
Duba
Gate
KAV
kill
KV
McAfee
NAV
RavMon.exe
Rfw.exe
rising
SkyNet
Symantec
Rising Realtime Monitor Service
Symantec Antivirus Server
Symantec Client

The worm harvests information about the victim machine and saves it in a file named c:\Netlog.txt, which is then sent by email to the worm's author. It installs a backdoor on TCP port 6000 to receive commands. The worm contains the text string:
I-WORM-ffff Running!

The worm searches all accessible disks from C: to Z: for files with the extension *.exe. It renames each such file to *.zmx, sets the hidden and system attributes on it, and then copies itself to the original file under the original name.