Macro.Word.Gang
Description Macro.Word.Gang
This is an encrypted macro virus for MS Word. It contains two macros: Paradise and Gangsterz. The virus has no auto-macros; to receive control it assigns the SPACE key to the macro "Paradise" and the "E" key to the macro "Gangsterz", so MS Word calls these macros whenever SPACE or "E" is pressed. MS Word also restores these key assignments whenever an infected document or the global macros are loaded.

On January 15th the virus runs its trigger routine: it creates the NORMAL.DOT file and inserts into it the following text, in bold, font size 26:
Big_Daddy_Cool Virus generated by NJ
and then draws a picture there.

The virus drops the batch virus "BAT.Xop", writes the following strings to the system profile (WIN.INI file):
[Intl]
XOP=Installed
and appends the following commands to the end of the C:\AUTOEXEC.BAT file:
@echo off
Xop.bat
I-Worm.Frethem
Description I-Worm.Frethem
The Frethem family of e-mail worms spreads via the Internet as attachments to infected e-mails. The worms themselves are Windows PE EXE files about 31-35KB in length, depending on the worm version. They are compressed by PE-Pack and UPX (double compression) and written in Microsoft Visual C++. The worms have "backdoor" routines (see below).

Infected messages have the following Subject, Message body and attached files, depending on the worm version:

Frethem.a:
Subject: Re: Do your Windows looks like Windows XP? I have found very nice desktop themes!
Message:
Hello! Do you like modern design of new Windows XP?! I have found FREE and easy to use desktop themes! You can open attach with web site and samples! Enjoy it!!!
Attached: www.freedesktopthemes.com

Frethem.b,c,f,h:
Subject: Re: Your password!
Message: [empty]
Attachments: Your password placed in password.txtall yourpassword.exe...password.txt

Frethem.d:
Subject: Re: Do your Windows looks like Windows XP? I have found very nice desktop themes!
Message:
Hi! There is good news for you! Do you like modern design of new Windows XP?! I have found FREE and easy to use desktop themes! You can open attach with web site and samples! It's really cool! Enjoy it!!! Yours, %sender%
Attached: www.xpdesktopthemes.com

Frethem.e,g,j,k,l:
Subject: Re: Your password!
Message:
ATTENTION! You can access very important information by this password
DO NOT SAVE password to disk use your mind
now press cancel
Attached: decrypt-password.exe, password.txt

The attached EXE file is the worm itself; the attached TXT file (if present) contains false text, such as:
"Your password is W8dqwq8q918213"

Running
Depending on the worm version, the Internet Explorer security breach (IFRAME vulnerability) is exploited, or the attached file may not contain any "security tricks". The worm activates from an infected e-mail only when a user clicks on the attached file, or it may start automatically when an infected message is opened or previewed (on vulnerable systems). Once run, the worm installs itself to the system and runs its spreading routine.

Installing
First the worm checks the installed keyboard layouts. If Russian or Uzbek keyboard support is present (language identifier 0x419 or 0x843; these are layout identifiers, not codepages), the worm just exits without taking any action. Otherwise, the worm copies itself to the Windows startup directory under the name setup.exe:
%windir%\Start Menu\Programs\Startup\setup.exe
If the Startup directory doesn't exist, variants "k", "l" and "m" copy themselves to the Windows directory under the name "taskbar.exe". Thus the worm is run at each Windows boot-up.

Spreading
The worm uses the SMTP protocol to send e-mail messages. It looks for e-mail addresses in WAB (Windows Address Book) files and in *.DBX e-mail database files, and sends infected messages to these addresses.

Backdoor
The backdoor routine randomly selects a URL and then connects to that site. The list of possible URLs is hard-coded in the worm body; there are from 10 (in minor worm versions) to 50 (in major versions) URLs in the list. The worm then downloads a specific file from the selected URL and processes the commands written there. The main backdoor features are:
- the ability to execute requested commands on the infected system
- downloading EXE file(s) from that site and running them ("upgrading" the worm with a new version)
On activation of the backdoor routine the worm creates two data files in the Windows directory:
STATUS.INI and WIN64.INI

Other
The worm body contains the text:
thAnks tO AntIvIrUs cOmpAnIEs fOr dEscrIbIng thE IdEA! nO AnY dEstrUctIvE ActIOns! dOnt wArrY, bE hAppY!
This text may be written to the file winstat.ini in the Windows directory.
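The Frethem samples are described above as UPX-packed PE files. A triage check for that kind of packing, given here as an added example that is not part of the original description or of any vendor tool, is a small parser for the PE section table: it reads the section names and flags the two usual packer signs, UPX-named sections and a section that occupies memory but has no bytes on disk (the area the unpacking stub fills at run time). The executables it parses are constructed inside the script (minimal headers only, not Frethem bytes), and the PE-Pack layer is not checked because its section naming is not given on this page.

```python
import struct
from typing import List, NamedTuple


class Section(NamedTuple):
    name: str
    virtual_size: int
    raw_size: int
    raw_ptr: int


def pe_sections(data: bytes) -> List[Section]:
    """Parse the COFF section table of a PE image (PE32 or PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                              # start of the 20-byte COFF header
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size                     # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i                         # each IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, _vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        sections.append(Section(name.rstrip(b"\0").decode("latin-1"), vsize, rawsize, rawptr))
    return sections


def packer_indicators(data: bytes) -> dict:
    """Return the two packing heuristics: UPX section names and disk-empty sections."""
    secs = pe_sections(data)
    return {
        "upx_names": any(s.name.upper().startswith("UPX") for s in secs),
        # A section with memory size but zero SizeOfRawData is the classic
        # unpacking target: the stub decompresses into it at run time.
        "empty_raw_sections": [s.name for s in secs if s.raw_size == 0 and s.virtual_size > 0],
    }


def build_sample_pe(sections) -> bytes:
    """Construct a minimal, non-runnable PE image for testing (assumed sample, not real malware)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew: PE header right after the DOS header
    opt = bytearray(224)                             # PE32 optional header, zeroed
    struct.pack_into("<H", opt, 0, 0x10B)            # Magic = PE32
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    table, raw_ptr, vaddr = b"", 0x400, 0x1000
    for name, vsize, rawsize in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii"), vsize, vaddr, rawsize,
                             raw_ptr if rawsize else 0, 0, 0, 0, 0, 0x60000020)
        raw_ptr += rawsize
        vaddr += (vsize + 0xFFF) & ~0xFFF
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Constructed samples: a section layout typical of a UPX-packed file, and a plain build.
UPX_LIKE = build_sample_pe([("UPX0", 0x8000, 0), ("UPX1", 0x6000, 0x5800), ("UPX2", 0x1000, 0x200)])
PLAIN = build_sample_pe([(".text", 0x3000, 0x3000), (".rdata", 0x800, 0x800), (".data", 0x600, 0x200)])

if __name__ == "__main__":
    for label, blob in (("upx-like", UPX_LIKE), ("plain", PLAIN)):
        print(label, [s.name for s in pe_sections(blob)], packer_indicators(blob))
```

Section names are a weak signal on their own (a packer can rename them), so the empty-raw-data check is the one worth keeping when triaging a real sample; a 31-35KB PE that has it and whose import table is almost empty is worth unpacking before any string-based comparison with the texts quoted above.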
I-Worm.FriendMess
Description I-Worm.FriendMess
This dangerous Internet worm is written in Visual Basic Script. For spreading, the worm uses MS Outlook 98/2000; if another mailer is used, the worm is not able to spread, but still runs its payload routine (see below).

The worm arrives on a computer as an e-mail message:
Subject: FRIEND MESSAGE
Body: A real friend send this message to you.
The message has an attached "FRIEND_MESSAGE.TXT.vbs" file. Depending on system settings, the real extension of the attached file (".vbs") may not be shown, in which case the attachment is displayed as "FRIEND_MESSAGE.TXT". The attached file contains the worm's Visual Basic Script. When the attachment is activated by double-clicking, the script gains control and the worm begins work.

The worm creates the file "FRIEND_MESSAGE.TXT.vbs" in the Windows system directory and writes its own code there (this file is used later by the worm for spreading its copies). Then the worm displays the following message:
If you receive this message remember forever: A precious friend in all the world like only you! So think that!

After this, the worm runs its spreading routine. This routine gains access to MS Outlook and sends infected messages to all recipients in the Outlook address book. These messages look the same as the one that arrived (see above). While spreading, the worm stores the addresses it has already sent to in the system registry and does not send messages to them again.

The worm contains a payload routine that overwrites the C:\AUTOEXEC.BAT file with commands that delete all files in the Windows directory, the Windows system directory and the Windows temporary directory. These commands in C:\AUTOEXEC.BAT are executed at the next system start-up.
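Both Macro.Word.Gang and I-Worm.FriendMess leave their persistence in plain-text boot files: Gang writes XOP=Installed under [Intl] in WIN.INI and appends "Xop.bat" to C:\AUTOEXEC.BAT, while FriendMess overwrites C:\AUTOEXEC.BAT with commands that delete the Windows, System and Temp directories. The audit below is an added example, not code from either description or from any vendor product; it parses both files and flags those markers. The file contents it runs over are constructed here: Gang's strings are the ones the description quotes, but the page does not quote FriendMess's delete commands, so those sample lines, and the directory prefixes they are matched against, are an assumption about what such a payload looks like.

```python
import re
from typing import Dict, List, Tuple

# Constructed samples. Gang's strings are as the description gives them; the
# FriendMess delete commands are assumed, since the page does not quote them.
WIN_INI_GANG = "[windows]\nload=\nrun=\n[Intl]\nXOP=Installed\n"
WIN_INI_CLEAN = "[windows]\nload=\nrun=\n[Intl]\nsCountry=Sweden\niCountry=46\n"
AUTOEXEC_GANG = "@echo off\nPATH=C:\\WINDOWS;C:\\DOS\n@echo off\nXop.bat\n"
AUTOEXEC_FRIENDMESS = ("@echo off\ndel C:\\WINDOWS\\*.* /q\n"
                       "del C:\\WINDOWS\\SYSTEM\\*.* /q\ndeltree /y C:\\WINDOWS\\TEMP\n")
AUTOEXEC_CLEAN = "@echo off\nPATH=C:\\WINDOWS;C:\\DOS\nSET TEMP=C:\\WINDOWS\\TEMP\n"


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal WIN.INI parser: case-insensitive sections and keys, ';' comments."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def has_gang_marker(win_ini: str) -> bool:
    """Gang's infection marker: XOP=Installed under [Intl]."""
    return parse_ini(win_ini).get("intl", {}).get("xop", "").lower() == "installed"


DELETE_CMD = re.compile(r"^@?(del|erase|deltree)\s+(.*)$", re.IGNORECASE)
# Assumed locations of the directories the FriendMess description names.
SYSTEM_PREFIXES = ("c:\\windows", "%windir%", "%temp%")


def audit_autoexec(text: str) -> List[Tuple[int, str]]:
    """Return (line number, finding) pairs for the Gang and FriendMess markers."""
    findings = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Gang appends "@echo off" and "Xop.bat" to launch the dropped BAT.Xop.
        if re.fullmatch(r"(call\s+)?xop\.bat", line, re.IGNORECASE):
            findings.append((number, "launches dropped BAT.Xop"))
            continue
        # FriendMess overwrites the file with deletes aimed at Windows directories.
        m = DELETE_CMD.match(line)
        if m and any(tok.lower().startswith(SYSTEM_PREFIXES) for tok in m.group(2).split()):
            findings.append((number, f"destructive {m.group(1).lower()} on a system directory"))
    return findings


if __name__ == "__main__":
    print("WIN.INI Gang marker:", has_gang_marker(WIN_INI_GANG), has_gang_marker(WIN_INI_CLEAN))
    for label, content in (("Gang", AUTOEXEC_GANG), ("FriendMess", AUTOEXEC_FRIENDMESS),
                           ("clean", AUTOEXEC_CLEAN)):
        print(label, audit_autoexec(content))
```

The two checks are deliberately separate: the Gang marker is an exact string the page quotes and can be matched literally, whereas the FriendMess payload is only described in words, so the delete check is a heuristic over command names and target paths rather than a signature, and a clean AUTOEXEC.BAT that merely sets TEMP under C:\WINDOWS must not trip it.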