Macro.Word.Cristall
Description Macro.Word.Cristall
This virus contains six macros: AutoNew, AutoExec, AutoOpen, CRIstall, OutilsMacro and EditionInsertionAuto. It infects the global macro area (the global template) when an infected document is opened (AutoOpen), and from there infects other documents as they are created or opened (AutoNew, AutoOpen).

From May 10th 1998 onward, depending on the system random counter, the virus manifests itself with one of the following effects:

- changes the font of the current document to Times New Roman, size 10;
- replaces the character "e" with " " (a space) throughout the document;
- opens one of the following Web pages (if Internet Explorer is installed):
  http://user.tninet.se/~syq123w/CRACKZ.HTM
  http://nt3.nettaxi.com/citizens/kevinlee/crackz.html
  http://www.crackz.com
  http://www.sentex.net/~wizard/crackz.html
  http://www.c3.hu/~piiti/warez.html
  http://home.yezz.de/~hladek/warez.html
  http://www.sawasdee.com/patrick/crackz.htm
  http://ortugg.simplenet.com/crackz.html
  http://www.nehp.net/mabrwn/home__appz__gamez__crackz__links.htm
  http://hem2.passagen.se/ravez/crackz.htm
  http://www.cbes.net/~lperfect/warez/appz.html
  http://scriptz.habanero.ml.org/warez/
- runs a search query on www.altavista.digital.com with one of the following terms:
  warez
  crackz
  pedophile
  gamez
  unix+near+brute+force
  mastercard+breaking
  serialz
  cracking+and+root+mode
  hacking
- deletes all *.INI and *.DA? files in the C:\WINDOWS directory;
- appends to the C:\AUTOEXEC.BAT file a command that formats the hard drive.
I-Worm.Plan
Description I-Worm.Plan
This is a variant of the I-Worm.LoveLetter Internet worm and spreads in the same way as "LoveLetter" does. The worm uses different variants of message subject and body. They may be empty or contain the following texts:

Subject: US PRESIDENT AND FBI SECRETS =PLEASE VISIT => (http://WWW.2600.COM)<=
Message: VERY JOKE..! SEE PRESIDENT AND FBI TOP SECRET PICTURES..

The subject and message body may also be randomly generated; the result looks like "JUIEDO", "TIPOWU", "RESEAU", "HIKOGU", etc. The attached file name is constructed in the same way and has one of the following extensions:
.GIF.vbs
.BMP.vbs
.JPG.vbs

When activated, the worm installs itself in the system. It copies itself to the Windows directory as "reload.vbs" and to the Windows system directory twice, as "LINUX32.vbs" and under a randomly constructed name, and registers the first two files in the system registry auto-run section. The worm also drops an HTML file named "US-PRESIDENT-AND-FBI-SECRETS.HTM" but does not use it in any way.

The worm then connects to MS Outlook and sends itself to all addresses listed in the address book. It then affects files on all drives; the list of affected extensions is:
VBS VBE JS JSE CSS WSH SCT HTA JPG JPEG MP3 MP2

The worm also downloads files from the Web site:
http://members.fortunecity.com/plancolombia/macromedia32.zip
http://members.fortunecity.com/plancolombia/linux321.zip
http://members.fortunecity.com/plancolombia/linux322.zip
The first file is plain text; the other two are pictures in BMP format. It then moves these files into the Windows directory under the names:
macromedia32.zip -> important_note.txt
linux321.zip -> logos.sys
linux322.zip -> logow.sys
and as a result replaces the two standard Windows logo screens (the Windows 9x shutdown screens).

The worm has a payload routine that is activated on September 17th. That routine unmaps all network drives and displays the message:
Dedicated to my best brother=>Christiam Julian(C.J.G.S.) Att. [random] (M.H.M. TEAM)
where "[random]" is a random five-letter word.

The worm also contains the following comments in its body:
===============================================================================================
"Plan Colombia" virus v1.0 by Sand Ja9e Gr0w (www.colombia.com)
Dedicated to all the people that want to be hackers or crackers, in Colombia This program is also a protest act against the violence and corruption that Colombia livesall I always wanting that all this finishes, I have said...
Santa fe de Bogotá 2000/09 I dedicate to all you the song "GoodBye" of Andreas Bochelli =================================================================================================
Thanks God..! A greeting for "Lina María" from "Santa fe de Bogotá" A greeting for "Tizo" from "Spain" And One kicked of tail to my friends, "eL ChE" and "ThE SpY"
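The attachment names described above rely on a double extension: a picture extension the user sees, followed by the real .vbs extension, which Explorer hides when "Hide extensions for known file types" is on. The following is an added example, not code from the original description or from the worm, of how a mail gateway can screen for that trick. Only the three combinations .GIF.vbs, .BMP.vbs and .JPG.vbs come from the description; the broader extension sets and the sample names are my own assumptions and constructed input.

```python
"""Screen attachment names for the 'NAME.GIF.vbs' double-extension lure.

Added example, not code from the original description or from the worm.
Only the three combinations .GIF.vbs, .BMP.vbs and .JPG.vbs come from the
description; the extension sets below are a broader, assumed list.
"""
import re
from typing import Iterable, List

# Extensions that Windows Script Host or the shell will execute (assumed list).
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsh", "wsf", "hta", "exe",
               "scr", "pif", "com", "bat", "cmd"}
# Extensions a user reads as inert data; used as the visible decoy (assumed list).
DECOY_EXTS = {"gif", "bmp", "jpg", "jpeg", "png", "txt", "doc", "pdf",
              "mp3", "zip"}
# Both sets are 'known file types' whose extension Explorer hides by default.
KNOWN_EXTS = SCRIPT_EXTS | DECOY_EXTS

# Names the worm generates: random letters (six in every example quoted),
# a picture decoy, then .vbs. Adjust the length if other samples differ.
PLAN_NAME = re.compile(r"[A-Z]{6}\.(?:GIF|BMP|JPG)\.vbs", re.IGNORECASE)


def split_name(name: str) -> List[str]:
    """Dot-separated components, after dropping the trailing spaces and dots
    that mail clients and the Windows shell silently discard."""
    return name.strip().rstrip(". ").split(".")


def displayed_name(name: str) -> str:
    """What Explorer shows with 'Hide extensions for known file types' on:
    the last extension disappears, so NAME.GIF.vbs is shown as NAME.GIF."""
    parts = split_name(name)
    if len(parts) >= 2 and parts[-1].lower() in KNOWN_EXTS:
        return ".".join(parts[:-1])
    return ".".join(parts)


def is_double_extension_lure(name: str) -> bool:
    """True when the real (last) extension is executable and the one before
    it is a decoy data type, e.g. JUIEDO.GIF.vbs or report.pdf.exe."""
    parts = split_name(name)
    if len(parts) < 3:
        return False
    return parts[-1].lower() in SCRIPT_EXTS and parts[-2].lower() in DECOY_EXTS


def matches_plan_naming(name: str) -> bool:
    """Narrow signature for I-Worm.Plan's generated attachment names."""
    return PLAN_NAME.fullmatch(name.strip()) is not None


def risky_attachments(names: Iterable[str]) -> List[str]:
    """Filter a list of attachment names down to the ones worth quarantining."""
    return [n for n in names if is_double_extension_lure(n)]


if __name__ == "__main__":
    # Constructed sample; the first three follow the naming scheme described.
    sample = ["JUIEDO.GIF.vbs", "TIPOWU.BMP.vbs", "reseau.jpg.VBS ",
              "holiday.jpg", "archive.tar.gz", "report.pdf.exe"]
    for n in risky_attachments(sample):
        print(f"{n!r} is shown as {displayed_name(n)!r} but runs as a script")
```

The generic check (is_double_extension_lure) catches the trick regardless of the random prefix; matches_plan_naming is the narrow signature for this worm only and will miss any variant that changes the naming scheme.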
I-Worm.Plexus.a
Description I-Worm.Plexus.a
Plexus is an Internet worm which spreads in three different ways: as an email attachment, via file-sharing networks, and by exploiting the LSASS and RPC DCOM vulnerabilities in MS Windows, like Sasser and Lovesan respectively. In addition, Plexus carries a potentially dangerous payload. Plexus contains rewritten code from Mydoom.

It is written in MS Visual C++ and compressed with FSG. The compressed file is 40800 bytes in size; the decompressed file is 88570 bytes.

Installation

Upon execution, the worm displays a fake error message, chosen at random from the following:
CRC checksum failed.
Pack method not implemented.
Could not initialize installation. File size expected=26523, size returned=26344.
File is corrupted.

Plexus copies itself into the Windows\System32 directory as upu.exe. It then installs two files:
a file named setupex.exe in the Windows\System32 directory
a file named svchost.exe in the Windows root directory

Setupex.exe is Backdoor.Dumaru.ai, a backdoor program written in Microsoft Visual C++ and compressed with FSG. The compressed file is 21088 bytes in size and 53772 bytes when uncompressed.

Svchost.exe is the main module of Plexus.a. It is written in Microsoft Visual C++ and compressed with FSG. The compressed file is 16208 bytes in size and 57856 bytes when decompressed. The text inside this file is encrypted and contains the line:
"-== KAV I'm Expletus !!!. Made in China. ==-"
Note that this file sits in the Windows root directory; the legitimate svchost.exe lives in Windows\System32, so the location, not the name, is what distinguishes the worm's copy.

Plexus then registers itself in the system registry auto-run key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvClipRsv"=[path to the executable file]

Plexus also creates the unique identifier 'expletus' to identify itself in the system and to prevent more than one copy of the worm from being executed on each infected machine.

Propagation

Via LANs and file-sharing networks

Plexus copies itself to shared folders and accessible network resources under the following names:
AVP5.xcrack.exe
hx00def.exe
ICQBomber.exe
InternetOptimizer1.05b.exe
Shrek_2.exe
UnNukeit9xNTICQ04noimageCrk.exe
YahooDBMails.exe

Via MS Windows vulnerabilities

LSASS vulnerability: Plexus exploits the LSASS vulnerability described in MS Security Bulletin MS04-011. Microsoft released a patch for this vulnerability on April 13, 2004; the patch is available from the bulletin listed above.

RPC DCOM vulnerability: Plexus also exploits the DCOM RPC vulnerability described in MS Security Bulletin MS03-026, the same one used by Lovesan in 2003. The MS patch for this vulnerability is available from the bulletin listed above.

Via infected email attachments

Plexus searches local disks for files with the following extensions:
htm html php tbb txt
and sends copies of itself to all email addresses found in these files. The infected email contains one of the following sets of text:

Variant 1
Message header: RE: order
Message body: Hi. Here is the archive with those information, you asked me. And don't forget, it is strongly confidencial!!! Seya, man. P.S. Don't forget my fee ;)
Attachment name: SecUNCE.exe

Variant 2
Message header: For you
Message body: Hi, my darling :) Look at my new screensaver. I hope you will enjoyall Your Liza
Attachment name: AtlantI.exe

Variant 3
Message header: Hi, Mike
Message body: My friend gave me this account generator for http://www.pantyola.com I wanna share it with you :) And please do not distribute it. It's private.
Attachment name: Agen1.03.exe

Variant 4
Message header: Good offer
Message body: Greets! I offer you full base of accounts with passwords of mail server yahoo.com. Here is archive with small part of it. You can see that all information is real. If you want to buy full base, please reply me...
Attachment name: demo.exe

Variant 5
Message header: RE:
Message body: Hi, Nick. In this archive you can find all those things, you asked me. See you. Steve
Attachment name: release.exe

Payload

Plexus attempts to prevent Kaspersky Anti-Virus databases from being updated by replacing the contents of the 'hosts' file in Windows\System32\drivers\etc\hosts with the following data:
127.0.0.1 downloads1.kaspersky-labs.com
127.0.0.1 downloads2.kaspersky-labs.com
127.0.0.1 downloads4.kaspersky-labs.com
127.0.0.1 downloads-eu1.kaspersky-labs.com
127.0.0.1 downloads-us1.kaspersky-labs.com
If your machine is infected, remove these entries from the hosts file (or restore a clean copy of it) before downloading antivirus database updates.

Trojan functions

Plexus opens and listens on port 1250, making it possible for files to be remotely loaded onto the victim machine and launched.
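The hosts-file hijack in the payload above is a generic update-blocking technique, and the clean-up the description calls for is to drop the bogus entries while keeping whatever else the file legitimately holds. The following is an added example, not code from the original description or from any vendor, that parses a hosts file, flags watched update hosts pointed at a sinkhole address, and returns the file with only those lines removed. The five kaspersky-labs.com names come from the description; the sample hosts text is constructed (a real infection replaces the whole file with just those five lines), and the watched zone list is an assumption to extend with your own vendors' update hosts.

```python
"""Find and strip hosts-file entries that sink anti-virus update servers.

Added example, not code from the original description or from any vendor.
The five kaspersky-labs.com names come from the description; the sample
hosts text below is constructed, and the watched zone list is an assumption.
"""
import ipaddress
from typing import List, Tuple

# DNS zones whose names a worm would redirect to block updates (assumed;
# extend with your own vendors' update hosts).
WATCHED_ZONES = {"kaspersky-labs.com"}

# Constructed sample: the default localhost line, the five entries Plexus
# writes, and one unrelated entry that must survive cleaning.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 downloads1.kaspersky-labs.com
127.0.0.1 downloads2.kaspersky-labs.com
127.0.0.1 downloads4.kaspersky-labs.com
127.0.0.1 downloads-eu1.kaspersky-labs.com
127.0.0.1 downloads-us1.kaspersky-labs.com
192.0.2.10      intranet.example   # unrelated mapping
"""

Entry = Tuple[int, str, str]  # (line number, hostname, address)


def parse_hosts(text: str) -> List[Entry]:
    """One (line, host, ip) tuple per mapping; comments and blanks skipped."""
    entries: List[Entry] = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for host in names:
            entries.append((no, host.lower().rstrip("."), ip))
    return entries


def is_sinkhole(ip: str) -> bool:
    """True for addresses that can never reach the real server: loopback,
    0.0.0.0 / ::, link-local, reserved, or something that is not an address.
    Private ranges are deliberately not included, so an internal update
    mirror mapped in hosts is not reported as a hijack."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return (addr.is_loopback or addr.is_unspecified
            or addr.is_link_local or addr.is_reserved)


def in_watched_zone(host: str) -> bool:
    """True for a watched zone itself or any name beneath it."""
    return any(host == z or host.endswith("." + z) for z in WATCHED_ZONES)


def find_hijacked(text: str) -> List[Entry]:
    """Entries that point a watched update host at a sinkhole address."""
    return [e for e in parse_hosts(text)
            if in_watched_zone(e[1]) and is_sinkhole(e[2])]


def clean_hosts(text: str) -> str:
    """The hosts text with the hijacking lines removed and everything else,
    comments, line endings and legitimate mappings included, left intact."""
    bad_lines = {no for no, _, _ in find_hijacked(text)}
    kept = [raw for no, raw in enumerate(text.splitlines(keepends=True), 1)
            if no not in bad_lines]
    return "".join(kept)


if __name__ == "__main__":
    for no, host, ip in find_hijacked(SAMPLE_HOSTS):
        print(f"line {no}: {host} -> {ip}")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

On a live Windows machine, read the file from %SystemRoot%\System32\drivers\etc\hosts and write the cleaned text back; the file is usually hidden and read-only, so the write needs an elevated shell. Because the check keys on the destination address rather than on an exact line match, it also catches variants that use 0.0.0.0 or ::1 instead of 127.0.0.1.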