Virus Database

Macro.Word.Shadow

Description Macro.Word.Shadow

This is an encrypted Word macro virus. It contains two macros that have identical code inside: AutoOpen, AutoClose. The virus infects the global macros area and documents on opening an existing document or closing a document. The virus does not manifest itself in any way.

Check other viruses! Be aware! Use Antiviral Software

I-Worm.Guorm.a

Description I-Worm.Guorm.a

This is an Internet worm that spreads itself as an attachment to e-mail messages. To send infected messages, the worm uses VBS script and MS Outlook. The worm also is able to send its copies to IRC channels by infecting an mIRC client.
There are several versions of the worm. The first is a pure VBS script; another is a Windows executable file that drops a VBS script to infect e-mail messages; the third is an MS Word document with a macro-program inside. All of these worm versions have similar functionality and infect the system in very similar ways.
When the worm file is activated (by double clicking on an attached file in infected messages, or being accepted as an IRC download), it copies itself into the WINDOWS System directory with different names depending on the version:
USER.DLL, WINUSER.EXE
WINUSER.DLL, USER32.DLL.VBS
The worm does not register these files in the system, so these files are not automatically executed then.
The name of the Windows directory is hardcoded in the 1st virus version body (C:WINDOWSSYSTEM), so the virus is not able to spread in the case that Windows is installed in another folder.
While mailing its copies, the worm drops a GUORM.VBS script file (or GUORMEX.VBS - depending on the version) to the Windows TEMP directory and spawns it. The script program connects MS Outlook, gains access to the address book and sends worm copies to all addresses listed there. The worm messages contain:
Subject: You know what it is!. ;-P
Body: Hey, here you have!.
The attachment name differs depending on the worm version. The first worm version (sent as a Windows EXE file) has only one variant of the attached file name in infected messages: WINUSER.EXE
Other versions use a combination of randomly-selected names and extensions from the following variants:
Extensions: .VBS, .VBE, .TXT.VBS, .JPG.VBS, .AVI.VBS, .SCR.VBS
Names: links, cool, funny, anti-loveletter, guorm, pot, win2k, icq2k, money, funnypic.jpg, quake, Year2K+1, Mirc2K, Word2001, FunStuff, WindowsMe
To spread to IRC channels, the worm creates a SCRIPT.INI mIRC system file in the mIRC directory (if it is installed). This file contains a set of instructions that sends a worm file to everybody who enters an infected channel.
The worm contains the following "copyright" texts:
BrainMuscle + OldWary + KALAMAR
Guorm

I-Worm.Hadra

Description I-Worm.Hadra

This is an Internet worm that spreads via e-mails being attached as an EXE file. The worm itself is a Win32 executable file about 12Kb in length, written in VisualBasic. The worm code is compressed with a UPX Win32 EXE files compression utility, and when unpacked, it becomes about 26Kb in size.
When the worm starts (when a user clicks on the attached EXE file), the worm copies itself to the Windows directory with the MSSERV.EXE name and registers that file in the Windows registry auto-run keys:
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunServices
HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun
HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunServices
All these "Run=" keys then have the string value that runs the worm copy upon each Windows start-up:
msservice = %WinDir%msserv.exe
where %WinDir% is Windows main directory.
Spreading
The worm then stays in the Windows memory as a hidden application (service), connects to MS Outlook and registers itself as MS Outlook "NewMail" and "ItemSend" events handler (i.e., the worm attaches itself to MS Outlook events).
On "NewMail" (a new mail has arrived), the worm looks as if it is its own message from another infected machine, and then deletes it. The worm opens the message, looks for the EXE attachment and deletes that message if the EXE attachment has the same length as the worm's EXE file.
On "ItemSend" (a message is being sent), the worm looks for already attached files, gets the first one, replaces it with its own copy, renames the attachment to .EXE, and then sends it. If the message has no attachment, the worm attaches itself with eight bytes of a random name and .EXE extenstion.
On Friday 13th, from 13:00 till 14:00, the worm also adds a text to the beginning of the message body:
[I-Worm.Hydra] allby gl_st0rm of [mions]
Protection
The worm performs several actions to hide itself and to avoid removing its file and infected registry "Run=" keys. The worm deletes the MSCONFIG.EXE file in the Windows system directory, looks for active applications and kills them (terminates these processes):
"AVP Monitor"
"AntiVir"
"Vshwin"
"F-STOPW"
"F-Secure"
"vettray"
"InoculateIT"
"Norman Virus Control"
"navpw32"
"Norton AntiVirus"
"Iomon98"
"AVG"
"NOD32"
"Dr.Web"
"Amon"
"Trend PC-cillin"
"File Monitor"
"Registry Monitor"
"Registry Editor"
"Task Manager"
As a result, the worm disables several types of anti-virus protections, as well as immediately closes Registry editors upon their start-up.
The worm also kills Kaspersky Anti-Virus (former AVP) anti-virus databases.
Member of SETI Distributed Network
The worm installs and activates the SETI (Search for Extraterrestrial Intelligence) software on an infected computer (see more information about SETI at http://setiathome.berkeley.edu).
The SETI software is downloaded by the worm to the Windows directory with the MSSETI.EXE name from the following FTP sites:
ftp://ftp.cdrom.com/pub/setiathome/setiathome-3.03.i386-winnt-cmdline.exe
ftp://ftp.let.uu.nl/pub/software/winnt/setiathome-3.03.i386-winnt-cmdline.exe
ftp://ftp.cdrom.com/.2/setiathome/setiathome-3.03.i386-winnt-cmdline.exe
ftp://alien.ssl.berkeley.edu/pub/setiathome-3.03.i386-winnt-cmdline.exe
ftp://setidata.ssl.berkeley.edu/pub/setiathome-3.03.i386-winnt-cmdline.exe
The worm also creates, in the Windows directory, the following files:
USER_INFO.SAH and VERSION.SAH with SETI specific information
MSSETI.PIF, RUN_MSSETI.VBS, MSSETI.BAT to run SETI program
and registers RUN_MSSETI.VBS file in Registry auto-run keys:
HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun
msseti = WScript.exe %WinDir% un_msseti.vbs"
HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunServices
msseti = WScript.exe %WinDir% un_msseti.vbs"
The USER_INFO.SAH file contains user specific information about SETI user, the worm writes following IDs to there:
id=2199938
key=1603033966
email_addr=gl_storm@seznam.cz
name=GL_STORM
country=Czech Republic

Home