Virus Database


Macro.Word97.DasWoo

Description Macro.Word97.DasWoo

This is a stealth, polymorphic macro virus. It contains two modules, ThisDocument and VC. The first module contains an auto-function that is named AutoOpen in infected documents and AutoClose in an infected NORMAL.DOT.
So the virus infects other documents on closing and infects the system when an infected document is opened.
While infecting, the auto-function calls the UserForm_Click function placed in the second virus module, VC. The infection is performed by exporting and importing the virus modules through the temporary files C:\ONE.SYS and C:\TWO.SYS. The virus then modifies its code, so that it differs between NORMAL.DOT and infected documents. For instance, the virus inserts two more functions into NORMAL.DOT to support its stealth ability: ViewVBCode and ToolsMacro. The virus also inserts into the document comments that contain the user name, the current time and the path to the active printer.
On July 28 the virus displays a window with the text:

Check other viruses! Be aware! Use Antiviral Software

I-Worm.Sober.e

Description I-Worm.Sober.e

This worm spreads via the Internet as an attachment to infected messages.
Characteristics of infected messages
Message header:
Chosen at random from the list below:
Hey!
hey?
Hi
hi
Hi :-)
Ok ;-)
OK OK
OK Ok OK!
Message body:
The message body consists of a few words, chosen at random from the list below:
;-)
HA :-)
ha!
lol
LoL
LOL
thx
THX
Thx!
yo!
Attachment:
A file named graphic_textdocument.pif.
Installation
When launched, the worm opens a Microsoft Paint window.
The worm copies itself to the Windows system directory under a randomly created name (e.g. smss32dir.exe or diagspool.exe) and adds an autorun key for this file to the registry.
Propagation
The worm searches for files with the extensions .rtf, .doc, .xls, .txt, .wab, .eml, .php, .asp, .shtml, .dbx etc., and sends infected messages to all email addresses harvested from these files.

I-Worm.Sober.f

Description I-Worm.Sober.f

This worm spreads via email as a file attached to infected messages. It also spreads via file-sharing networks. It is written in Visual Basic and packed using UPX. The packed file is approximately 40KB in size (this may vary slightly). The unpacked file is approximately 140KB in size.
Infected messages
Infected messages have a random message header and contain random text. The name of the attachment will also vary, but will have the extension .pif or .zip. A sample infected message is shown below.
Message header:
Connection failed
Message body:
I hope you accept the result!
Follow the instructions to read the message.
Please read the document
Attachment name:
your_passwords.pif
Installation
The worm is activated if the user opens the attached file. Once the worm is launched, it opens Notepad which will display the text contained in the original message.
The worm then creates a copy of itself in the Windows system directory under a random name chosen from the following list:
sys
host
dir
explorer
win
run
log
32
disc
crypt
data
diag
spool
service
smss32
This file is then registered in the system registry autorun key:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"<random key name>" = "%System%\<worm name>"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
"<random key name>" = "%System%\<worm name> %1"
The worm creates several copies of itself and its additional files in the Windows system directory under the following names:
bcegfds.lll
spoofed_recips.ocx
syst32win.dll
winsys32xx.zzp
winhex32xx.wrm
zmndpgwf.kxx
zhcarxxi.vvx
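The installation artifacts above (and the Sober.e names smss32dir.exe and diagspool.exe, which are two of the listed fragments glued together) give a host-side detection rule. The following is an added example, not code from the original page: it flags Sober-style file names in a constructed %System% listing and in constructed Run/RunOnce values; the assumption that a worm name is exactly two fragments plus ".exe" is mine.

```python
# Added example: flag I-Worm.Sober.e/.f host artifacts. Fragment list, fixed
# file names and autorun keys are taken from the description above.
from itertools import product

NAME_FRAGMENTS = ["sys", "host", "dir", "explorer", "win", "run", "log", "32",
                  "disc", "crypt", "data", "diag", "spool", "service", "smss32"]
EXTRA_FILES = {"bcegfds.lll", "spoofed_recips.ocx", "syst32win.dll",
               "winsys32xx.zzp", "winhex32xx.wrm", "zmndpgwf.kxx", "zhcarxxi.vvx"}
AUTORUN_KEYS = (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
                r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce")

# Assumption: the worm file name is two fragments joined plus ".exe"; this
# reproduces the Sober.e samples smss32dir.exe and diagspool.exe.
WORM_NAMES = {a + b + ".exe" for a, b in product(NAME_FRAGMENTS, repeat=2)}

def is_worm_name(filename: str) -> bool:
    """True if a bare file name matches a Sober worm or helper file name."""
    name = filename.lower()
    return name in WORM_NAMES or name in EXTRA_FILES

def suspicious_files(system_dir_listing):
    """Return the names in a %System% directory listing that match."""
    return sorted(n for n in system_dir_listing if is_worm_name(n))

def suspicious_autorun(values):
    """values: (key, value name, data) tuples as read from a registry export.
    Flags Run/RunOnce values whose command points at a Sober-style name."""
    hits = []
    for key, name, data in values:
        if key not in AUTORUN_KEYS:
            continue
        # Keep only the executable: drop arguments such as '%1' and the path.
        exe = data.split()[0].rsplit("\\", 1)[-1]
        if is_worm_name(exe):
            hits.append((key, name, exe))
    return hits

if __name__ == "__main__":
    # Constructed sample data, not taken from a real host.
    listing = ["kernel32.dll", "smss32dir.exe", "spoofed_recips.ocx", "notepad.exe"]
    values = [(AUTORUN_KEYS[0], "ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
              (AUTORUN_KEYS[1], "xk3f", r"%System%\diagspool.exe %1")]
    print(suspicious_files(listing))
    print(suspicious_autorun(values))
```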
Propagation
The worm searches disks for any files with the following extensions:
ctl
dhtm
cgi
pp
ppt
msg
jsp
oft
vbs
uin
ldb
abc
pst
cfg
mdw
mbx
mdx
mda
adp
nab
fdb
vap
dsp
ade
sln
dsw
mde
frm
bas
adr
cls
ini
ldif
log
mdb
xml
wsh
tbb
abx
abd
adb
pl
rtf
mmf
doc
ods
nch
xls
nsf
txt
wab
eml
hlp
mht
nfo
php
asp
shtml
dbx
It harvests email addresses, and sends email messages to these addresses by creating a direct connection to the SMTP server.
The worm uses one of the names below as the sender's name:
Webmaster
Fehler-Info
Administrator
RobotMailer
AutoMailer
Register
Service
Info
Passwort
Kundenservice
Liste
Schwarze-Liste
Information
Administrator
Webmaster
Home
Register
Service
Info
admin
Error_Info
RobotMailer
AutoMailer
User-info
account
webmaster
For the sender address it may use the recipient's domain name, or one of the domains below:
abuse.de
yahoo.com
yahoo.de
gmx.de
gmx.net
web.de
freenet.de
lycos.de
Message header (chosen at random from the list below):
Einzelheiten
Hallo Du!
Hallo!
Hey Du
Hi, Ich bin's
Ich bin es .-)
Verdammt
Na, überrascht?!
Info
Information
Fehlerhafte Mailzustellung
Mailzustellung fehlgeschlagen
Fehler
Illegale Zeichen in Mail-Routing
Verbindung fehlgeschlagen
Fehler in E-Mail
Bestätigung
Registrierungs-Bestätigung
Ihr neues Passwort
Ihr Passwort
Datenbank-Fehler
Warnung!
Oh my God
Hey
Hi!
Hi, it's me
hey you
damn!
Well, surprised?
Info
Information
Faulty mail delivery
Mail delivery failed
Mail Error
Illegal signs in Mail-Routing
Connection failed
Invalid mail sentence length
Mail Delivery failure
Message Error
mail delivery status
Confirmation Required
Bad Gateway
Warning!
Your document
Message-ID
The message body may include text from the paragraphs listed below:
Ich war auch ein wenig überrascht!
Wer konnte so etwas ahnen!? Lese selbst
Oh-Mann

Alles klaro bei dir?
Schau mal was Ich gefunden habe!

Sieh mal nach ob du den Scheiss auch bei dir drauf hast!
Ist ein ziemlich nervender Virus. Mach genau das, wie es im Text beschrieben ist!
Bye

Ich habs dir doch gesagt, irgendwann schaffe ich es deine Passwörter rauszubekommen!!!
Passwoerter.txt

Details entnehmen Sie bitte dem Attachment
Nähere Informationen befinden sich im Anhang.

*** Auto Mail Delivery System ***
Ihre E-Mail konnte nicht gesendet oder empfangen werden.
Bitte überprüfen Sie nochmals diese E-Mail auf mögliche Fehlerquellen.
attach: AMD-System.txt
* End Transmission
Virenschutz
--- Web: http://
--- Mail To: User-Hilfe

Passwort und Benutzername wurde erfolgreich geändert
Ihre Benutzernamen und Passwörter befinden sich im Anhang dieser E-Mail
++++ Im www erreichbar unter: http://
++++ E-Mail: KundenInfo

Wegen eines Datenbank- Fehlers könnte es möglicherweise zu einem Verlust Ihrer
persönlichen Daten wie Kennwörter gekommen sein.
Wenn Sie Unregelmäßigkeiten festgestellt haben, melden Sie uns bitte umgehend den Datenverlust.
Vielen Dank für Ihr Verständnis
+++ Ein Service von
+++ http://
+++ E-Mail: Kundenservice

Internet Provider Abuse:
Wir haben festgestellt, dass Sie illegale Internet- Seiten besuchen.
Bitte beachten Sie folgende Liste:

I was surprised, too! :-(
Who could suspect something like that?

All OK :)
see, what i've found!

hi its me
i've found a shity virus on my pc. check your pc, too!
follow the steps in this article.
bye

I 've told you!:-) sometime I grab your passwords!

I hope you accept the result!
Follow the instructions to read the message.
Please read the document

Registration confirmation
Your Password
Your mail account
Your password was changed successfully.
Protected message is attached.
++++ Service: http://
++++ Mail To: User-info

*** Auto Mail Delivery System ***
_failed_after_I_sent_the_message./Remote_host_said:_554_delivery_error:_dd_Sorry_your_message_cannot_be_delivered._This_account_has_been_disabled_ or_discontinued_[#102]._-_mta134.mail.dcn.com
** End of Transmission
The original message is a separate attachment.
--- Web: http://
--- Mail To: User-Hilfe

Read the attachment for details.
Bad Gateway: The message has been attached.
+++ A service of
+++ http://
+++ Mail: home

The message has been attached.

Database #Error
-- Partial message is available!
-- Error: llegal signs in Mail-Routing
-- Mail Server: ESMTP VX32.9 Version Betha Alpha

Anybody use your accounts!
For further details see the attachment.

I have received your document. The corrected document is attached.
greets
Attachment name (chosen at random from the following):
Oh-Mann
Dokument
KurzText
AntiVirus-Text
Anleitung
Passwoerter.txt
Text-Inhalt
AMD-System.txt
Benutzer-Daten
Datenbank-Fehler
abuse-liste
schwarze-listen
Block-Lists
anitv_text
instructions
your_article
your_passwords
messagedoc
corrected_text-file
attach-message
-attachment
_attach
pass-message
text
Textdocument
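The sender names, sender domains, subjects and attachment names listed above are the mail-side indicators a gateway filter can match on. The following is an added example, not code from the original page: the indicator lists are abridged from the description, and the message dict layout and the three-indicator threshold are my assumptions.

```python
# Added example: score a message against the I-Worm.Sober.f mail
# characteristics. Lists are abridged from the description above.
SUBJECTS = {"Connection failed", "Mail delivery failed", "Your Password",
            "Ihr Passwort", "Hi, it's me", "Warnung!", "Warning!", "Bad Gateway"}
SENDER_NAMES = {"Webmaster", "Administrator", "RobotMailer", "AutoMailer",
                "Kundenservice", "User-info", "Passwort", "Error_Info"}
SENDER_DOMAINS = {"abuse.de", "yahoo.com", "yahoo.de", "gmx.de", "gmx.net",
                  "web.de", "freenet.de", "lycos.de"}
ATTACH_STEMS = {"your_passwords", "instructions", "AMD-System.txt",
                "Passwoerter.txt", "Dokument", "Anleitung", "messagedoc"}
ATTACH_EXTS = (".pif", ".zip")

def sober_indicators(msg, recipient_domain):
    """msg: dict with 'subject', 'from_name', 'from_addr' and 'attachment'
    (constructed layout). Returns the names of the indicators that matched."""
    hits = []
    if msg.get("subject", "").strip() in SUBJECTS:
        hits.append("subject")
    if msg.get("from_name", "").strip() in SENDER_NAMES:
        hits.append("sender_name")
    domain = msg.get("from_addr", "").rpartition("@")[2].lower()
    # The worm spoofs the recipient's own domain; so does legitimate internal
    # mail, which is why this counts as one indicator rather than a verdict.
    if domain in SENDER_DOMAINS or (domain and domain == recipient_domain.lower()):
        hits.append("sender_domain")
    att = msg.get("attachment") or ""
    if att.lower().endswith(ATTACH_EXTS):
        hits.append("attachment_ext")
        # Strip only the final extension so 'AMD-System.txt.pif' keeps its stem.
        if att.rsplit(".", 1)[0] in ATTACH_STEMS:
            hits.append("attachment_name")
    return hits

def is_probable_sober(msg, recipient_domain, threshold=3):
    """Assumed policy: three or more matching indicators flag the message."""
    return len(sober_indicators(msg, recipient_domain)) >= threshold

if __name__ == "__main__":
    # Constructed sample based on the page's example message (sender is invented).
    sample = {"subject": "Connection failed", "from_name": "Webmaster",
              "from_addr": "webmaster@gmx.de", "attachment": "your_passwords.pif"}
    print(sober_indicators(sample, "example.org"), is_probable_sober(sample, "example.org"))
```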

Copyright © 2005 Virus-Database.com