Virus Database


Macro.Word97.MDMA

Description Macro.Word97.MDMA

This virus contains only one macro, AutoClose. It infects the system when an infected document is closed, and from then on writes itself into other documents as they are closed. On Macintosh, after the 4th of any month the virus wipes out the files on disk.


I-Worm.Win32.Fasong

Description I-Worm.Win32.Fasong
Fasong is a worm that spreads via local area networks. The worm itself is a Windows PE EXE file about 170KB in length, written in Delphi. It also carries a trojan routine (see below).
Installing
On installation the Fasong worm copies itself to randomly selected directories on randomly selected drives, using randomly selected EXE names, for example:
GMLKU.EXE
TKXMLIB.EXE
LUFV.EXE

The worm registers these files in the system registry auto-run key:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
%rndname%.EXE = %rndname%.EXE

for example:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
GMLKU.EXE = C:\UTIL\GMLKU.EXE

Other auto-run locations are also affected: the worm writes references to its different copies into the following file-class handler keys:
HKCR\chm.file\shell\open\command (default value = "hh.exe" %1)
HKCR\exefile\shell\open\command (default value = "%1 %*")
HKCR\inifile\shell\open\command (default value = "notepad.exe %1")
HKCR\regfile\shell\open\command (default value = "regedit.exe %1")
HKCR\scrfile\shell\open\command (default value = "%1 /S")
HKCR\txtfile\shell\open\command (default value = "notepad.exe %1")

Spreading
The worm copies itself to all local drives under randomly selected EXE names, and also to network drives. To get itself run on remote machines, Fasong creates an autorun.inf file in the root directory of each drive and writes an [autorun] section with an OPEN= command to that file.
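The two persistence mechanisms described above (rewritten file-class handlers and a planted autorun.inf) can be checked offline. The following Python script is an added example, not code from the original page: it compares a registry snapshot against the expected handler programs taken from the default values listed above, and extracts every OPEN= target from an autorun.inf body. The registry snapshot and the autorun.inf text are constructed samples modelled on the page's description.

```python
import ntpath

# Expected program behind each file-class handler that Fasong rewrites. The
# expectations come from the default values quoted on the page; "%1" means the
# handler runs the opened file itself (EXE and SCR).
EXPECTED_HANDLER_PROGRAM = {
    r"HKCR\chm.file\shell\open\command": "hh.exe",
    r"HKCR\exefile\shell\open\command": "%1",
    r"HKCR\inifile\shell\open\command": "notepad.exe",
    r"HKCR\regfile\shell\open\command": "regedit.exe",
    r"HKCR\scrfile\shell\open\command": "%1",
    r"HKCR\txtfile\shell\open\command": "notepad.exe",
}

# Constructed registry snapshot (key -> default value), not real data: two
# handlers have been prefixed with random-named worm copies as the page describes.
SAMPLE_REGISTRY = {
    r"HKCR\chm.file\shell\open\command": r'"C:\WINDOWS\hh.exe" %1',
    r"HKCR\exefile\shell\open\command": r'C:\UTIL\GMLKU.EXE "%1" %*',
    r"HKCR\inifile\shell\open\command": r"C:\WINDOWS\NOTEPAD.EXE %1",
    r"HKCR\regfile\shell\open\command": r'regedit.exe "%1"',
    r"HKCR\scrfile\shell\open\command": r'"%1" /S',
    r"HKCR\txtfile\shell\open\command": r"D:\LUFV.EXE notepad.exe %1",
}

# Constructed autorun.inf body of the kind Fasong drops in a drive root.
SAMPLE_AUTORUN_INF = """; constructed sample of a worm-planted autorun.inf
[autorun]
OPEN=TKXMLIB.EXE
"""


def first_program(command: str) -> str:
    """Lower-cased basename of the first token of a shell command string.

    A quoted first token such as "C:\\WINDOWS\\hh.exe" is taken as one token, so
    full-path defaults compare equal to the bare names in EXPECTED_HANDLER_PROGRAM.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        token = command[1:end] if end > 0 else command[1:]
    else:
        token = command.split(None, 1)[0] if command else ""
    return ntpath.basename(token).lower()


def hijacked_handlers(registry: dict) -> list:
    """Return (key, value) pairs whose handler no longer starts with the expected
    program. Keys absent from the snapshot are skipped rather than flagged."""
    findings = []
    for key, expected in EXPECTED_HANDLER_PROGRAM.items():
        value = registry.get(key)
        if value is not None and first_program(value) != expected:
            findings.append((key, value))
    return findings


def autorun_open_targets(inf_text: str) -> list:
    """Return every OPEN= target inside the [autorun] section of an autorun.inf.

    Section and key names are matched case-insensitively; ';' lines are comments,
    and keys outside the [autorun] section are ignored.
    """
    targets = []
    in_autorun = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            name, _, target = line.partition("=")
            if name.strip().lower() == "open":
                targets.append(target.strip())
    return targets


if __name__ == "__main__":
    for key, value in hijacked_handlers(SAMPLE_REGISTRY):
        print(f"hijacked handler: {key} = {value}")
    for target in autorun_open_targets(SAMPLE_AUTORUN_INF):
        print(f"autorun.inf OPEN= target: {target}")
```

Comparing only the first program rather than the whole string keeps the check valid on systems where the defaults carry full paths (for example "C:\WINDOWS\hh.exe" %1), while still catching a worm copy prepended to the handler.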
Trojan Routine
The trojan routine harvests personal information from OICQ and some other Chinese programs, then emails the collected data from the victim machine to the worm's operator.
Other
The Fasong worm creates the following registry key, where it stores its internal data:
HKLM\Software\Microsoft\Windows\CurrentVersion\win70

Fasong tries to detect and terminate several anti-virus programs and firewalls.
Fasong looks for the file Msread.dt and reads its settings from it. The settings are text strings, mostly Pinyin names (for example fasong_youxiang is the sending mailbox, yonghu_ming the user name, youxiang_mima the mailbox password, fasong_zhuti the message subject and smtp_fuwuqi the SMTP server), which matches the trojan routine's mail-based exfiltration:
workfile
mima_wenjian
fasong_youxiang
yonghu_ming
youxiang_mima
fasong_zhuti
fanggai_mima
smtp_fuwuqi
auto_share

I-Worm.Winevar

Description I-Worm.Winevar

This worm spreads via the Internet as an attachment to infected emails. It was found in the wild in Korea at the end of November 2002.
The worm itself is a Windows PE EXE file about 91KB in length, written in Microsoft Visual C++. Most of the text strings in the worm body are encrypted.
Installing
On installation the worm copies itself to the Windows system directory under a randomly selected name:
WIN%rnd%.PIF
where %rnd% is a random number, and registers that file in the system registry auto-run keys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Two values are written to each of those keys:
.default = %worm file name%
%worm name% = %worm file name%
where %worm name% is the worm file name without extension and %worm file name% is the full path, for example:
.default = "C:\TEMP\WIND2C2.pif"
"WINA2B3" = "C:\WINDOWS\SYSTEM\WINA2B3.pif"
The duplicate ".default" value seems to be written because of a bug in the worm code.
Later the worm also copies itself to the Desktop as EXPLORER.PIF.
Spreading
To collect victim addresses the worm searches *.HTM and *.DBX files and extracts email addresses from them, skipping any address that contains "@microsoft.". To send infected messages the worm connects directly to the default SMTP server.
When sending itself the worm appends the following information to its copy:
- country region ID (for example [KOR], [RUS] for Korea and Russia)
- current date and time
- user name and company name (as stored in the system registration information)
Using this data it is possible to trace the "migration" of a particular worm copy.
The email fields of infected messages vary. Below, %RegisteredOwner% and %RegisteredOrganization% stand for the owner and organization names stored in the system registration information.

The subject is selected, depending on the worm "generation", from these variants:
Re: AVAR(Association of Anti-Virus Asia Reseachers)
N'4 %RegisteredOrganization%
N'4 Trand Microsoft Inc.

The last (third) variant is selected when there is no "RegisteredOrganization" value in the system registry. The "N'4" string is the "Re:" string left undecrypted; it seems the worm author simply forgot to decrypt it in the corresponding routine.
The message body is also selected depending on worm generation:
%RegisteredOwner% - %RegisteredOrganization%
or:
AVAR(Association of Anti-Virus Asia Reseachers) - Report.
Invariably, Anti-Virus Program is very foolish.
Attached file names can be different, for example:
MUSIC_1.HTM, MUSIC_2.CEO
WIN40B1.TXT, WIN40B1.GIF
The "WIN" names carry a random number at the end (here "40B1"). Depending on the email client, these attachments may be displayed differently in the infected message.
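The message-level indicators above (the subject variants, the two body phrases and the attachment names) as a mail-gateway check, written in Python as an added example that is not code from the original page. The two messages are constructed samples; the attachment-name pattern generalizes the WIN%rnd% examples to any hexadecimal suffix, and the "N'4 " prefix match covers the generation whose subject carries the registered organization name, both of which are assumptions about how the random parts vary.

```python
import email
import re
from email import policy

# Subject, body and attachment-name indicators documented for Winevar. The
# "N'4 " prefix is the worm's undecrypted "Re:"; the organization name varies.
SUBJECT_EXACT = {
    "Re: AVAR(Association of Anti-Virus Asia Reseachers)",
    "N'4 Trand Microsoft Inc.",
}
SUBJECT_N4 = re.compile(r"^N'4 .+")
BODY_PHRASES = (
    "AVAR(Association of Anti-Virus Asia Reseachers) - Report.",
    "Invariably, Anti-Virus Program is very foolish.",
)
# Assumption: the random suffix after WIN is hexadecimal, as in WIN40B1 / WINA2B3.
ATTACHMENT_NAME = re.compile(
    r"^(?:MUSIC_\d+\.(?:HTM|CEO)|WIN[0-9A-F]+\.(?:TXT|GIF|PIF))$", re.IGNORECASE
)

# Constructed sample of an infected message (not a real capture); the CEO
# attachment body is a base64 placeholder, not worm code.
SAMPLE_MESSAGE = """\
From: user@example.com
To: victim@example.org
Subject: Re: AVAR(Association of Anti-Virus Asia Reseachers)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

AVAR(Association of Anti-Virus Asia Reseachers) - Report.
Invariably, Anti-Virus Program is very foolish.

--b1
Content-Type: text/html; name="MUSIC_1.HTM"
Content-Disposition: attachment; filename="MUSIC_1.HTM"

<html></html>
--b1
Content-Type: application/octet-stream; name="MUSIC_2.CEO"
Content-Disposition: attachment; filename="MUSIC_2.CEO"
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXI=
--b1--
"""

# Constructed clean message used to show the check does not fire on ordinary mail.
BENIGN_MESSAGE = """\
From: alice@example.com
To: bob@example.org
Subject: Re: lunch on Friday
Content-Type: text/plain; charset="us-ascii"

See you at noon.
"""


def winevar_indicators(raw_message: str) -> tuple:
    """Match one RFC 822 message against the Winevar subject, body and
    attachment-name indicators.

    Returns (reasons, matching_attachment_names); both are empty for clean mail.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons = []
    subject = str(msg.get("Subject", ""))
    if subject in SUBJECT_EXACT or SUBJECT_N4.match(subject):
        reasons.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if any(phrase in text for phrase in BODY_PHRASES):
        reasons.append("body")
    names = [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]
    matched = [n for n in names if ATTACHMENT_NAME.match(n)]
    if matched:
        reasons.append("attachment")
    return reasons, matched


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_MESSAGE), ("benign", BENIGN_MESSAGE)):
        reasons, names = winevar_indicators(raw)
        print(f"{label}: reasons={reasons} attachments={names}")
```

The check inspects the declared attachment file names only; it does not rely on the MIME content type, which is the very header the worm's second exploit abuses to make an executable attachment run.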
To execute directly from an infected message the worm exploits two vulnerabilities:
Microsoft VM ActiveX Component
Incorrect MIME Header Can Cause IE to Execute E-mail Attachment
Payload
The worm looks for anti-virus programs, firewalls and debuggers and tries to terminate them and delete their files. In some cases (in all cases?) if an anti-virus program is found, the worm erases all files on all drives, probably because of a mistake in its code.
The worm drops a "WIN%Rnd%.TMP" file into the Windows system directory, writes the "Win32.Funlove" virus into it and executes it, thus infecting the machine with "Win32.Funlove".
The worm displays the message:
Make a fool of oneself
What a foolish thing you have done!
In an endless loop the worm opens the http://www.symantec.com website (apparently an attempt at a DoS attack on that server).
The worm also has following encrypted text strings:
~~ Drone Of StarCraft~~
http://www.sex.com/

    Copyright © 2005 Virus-Database.com