Virus Database


AWME.1213

Description AWME.1213

This is a harmless, non-memory-resident, parasitic, polymorphic virus. It searches the current directory for COM files, skipping several antivirus scanners and COMMAND.COM, and writes itself to the end of each file it infects. The virus contains the following text strings; the first one holds the names of the antivirus programs it avoids (two bytes per name):
AIWESCCOVSADAN-V
*.com*
This is a simple [AWME] demo virus by AD.
and:
> [AWME] v1.1 </


I-Worm.Mydoom.e

Description I-Worm.Mydoom.e

This worm has also been called Mydoom.F, and is a modification of Mydoom.a.
It spreads via the Internet as a file attached to infected messages. The worm is a PE EXE file of 33KB or slightly larger, packed using UPX. The unpacked file is approximately 55KB in size. The worm is also able to send itself as a ZIP archive.
The worm is only activated if the user opens the archive and launches the infected file by double-clicking the attachment. The worm then installs itself on the system and starts propagating.
The worm includes a backdoor function, and is programmed to carry out DoS attacks on www.microsoft.com and www.riaa.com.
Everything points to this worm not being an original creation, but a separate version built around the original source code of Mydoom.a. Part of the original code is present in this version, even though it serves no useful function.
Installation
Once launched, the worm may display a fake error message on the screen: 'File is corrupted,' 'File cannot be opened,' or 'Unable to open specified file'.
The worm may also create a file in the temporary system directory. This file contains a random selection of characters, and the worm may open it using Notepad.
It also creates a mutex 'jmydoat<name of infected computer>Xmtx' to flag its presence in the system.
When installing, the worm copies itself under a random name to the Windows system directory and registers this file in the system registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
"<random characters>"="%System%\<name of worm file>"
The worm then searches all accessible disks from C: to Z: and copies itself under random names to all of those it finds whose names include one of the following words:
shar
startup
start
The worm creates a file with a random name and .dll extension in the Windows system directory. This file is 9724 bytes in size, and is the backdoor component, which is intended to open a backdoor on port 1080 and act as a proxy server.
The worm creates several copies of itself as ZIP archives in the Windows root directory. These files are then used to send mass emails. In order to flag its presence in the system, the worm also creates several additional keys in the system registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell
HKCU\Software\Microsoft\Windows\CurrentVersion\Shell
Sending of email
In order to send copies of itself, the worm searches all accessible disks from C: to Z: for files with the following extensions:
wab
mbx
nch
mmf
ods
rtf
uin
oft
mht
vbs
msg
pl
eml
adb
tbb
dbx
asp
php
sht
htm
txt
It then sends itself to all email addresses found in these files.
Infected emails have the following characteristics:
Sender's address: any address found on the infected machine, or chosen from the following list
jerry
bill
smith
jim
sam
james
alex
A random selection of characters may also be used. In this case, after the @ symbol in the sender's address, one of the following domains will be used:
aol.com
msn.com
yahoo.com
hotmail.com
edu
Message header: (chosen at random)
hello
hi
Announcement
read now!
forget
bug
unknown
fake
Wanted
recent news
news
stolen
Attention
Accident
Schedule
Re: Thank you
Thank you
Re: Details
Details
Re: Approved
Approved
hi, it's me
Important
Readme
Read this message
please read
please reply
Thank You very very much
You use illegal File Sharingall
Your IP was logged
Your account is about to be expired
Love is
Love is...
Undeliverable message
Re:
Your order was registered
Your request was registered
Your order is being processed
Your request is being processed
Current Status
Your credit card
Read it immediately!
Read this
Read it immediately
Something for you
For you
For your information
Information
Warning
You have 1 day left
automatic notification
automatic responder
Notification
Expired account
Your account has expired
Registration confirmation
Confirmation
Confirmation Required
Returned Mail
Message body: (chosen at random)
Greetings
See you
Here it is
You are bad
Take it
Reply
Please, reply
Okay
OK
Everything ok?
Check the attached document.
The document was sent in compressed format.
Please see the attached file for details
See the attached file for details
Details are in the attached document. You need Microsoft Office to open it.
Information about you
We have received this document from your e-mail.
Kill the writer of this document!
Something about you
I have your password :)
You are a bad writer
Is that yours?
Is that from you?
I wait for your reply.
Here is the document.
Read the details.
I'm waiting
Attachment name: (chosen at random)
body
message
test
data
file
text
readme
document
doc
msg
photo
resume
image
object
website
friend
jokes
joke
approved
paypal
disc
misc
part3
part2
part4
part1
mail2
list
mail
story
about
money
check
product
notes
your_document
note
information
textfile
posting
post
stuff
attachment
creditcard
or a selection of random characters.
The attached file has one of the following extensions:
exe
scr
com
pif
bat
cmd
zip
and a second extension from the following list:
doc
htm
rtf
xls
jpg
gif
png
txt
exe
pif
scr
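The naming scheme above lends itself to a mail-gateway triage heuristic. The following is an added example, not code from the original page or from any vendor product; it assumes the decoy extension precedes the executable one (e.g. document.doc.pif) and uses a short alphanumeric token as a loose stand-in for the "random characters" the description mentions.

```python
import re

# Name lists transcribed from the Mydoom.e mail characteristics above.
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "zip"}
DECOY_EXTS = {"doc", "htm", "rtf", "xls", "jpg", "gif", "png", "txt", "exe", "pif", "scr"}
ATTACH_NAMES = {
    "body", "message", "test", "data", "file", "text", "readme", "document", "doc",
    "msg", "photo", "resume", "image", "object", "website", "friend", "jokes", "joke",
    "approved", "paypal", "disc", "misc", "part1", "part2", "part3", "part4", "mail",
    "mail2", "list", "story", "about", "money", "check", "product", "notes", "note",
    "your_document", "information", "textfile", "posting", "post", "stuff",
    "attachment", "creditcard",
}
SENDER_NAMES = {"jerry", "bill", "smith", "jim", "sam", "james", "alex"}
SENDER_DOMAINS = {"aol.com", "msn.com", "yahoo.com", "hotmail.com", "edu"}
RANDOMISH = re.compile(r"^[a-z0-9]{4,12}$")  # loose stand-in for "random characters"


def attachment_indicators(filename):
    """Reasons why an attachment name fits the worm's scheme (empty list = none)."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXEC_EXTS:
        return []                       # not executable/archive: outside this scheme
    reasons = ["executable extension ." + parts[-1]]
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        reasons.append("decoy second extension ." + parts[-2])
    if parts[0] in ATTACH_NAMES:
        reasons.append("base name from worm list")
    elif RANDOMISH.match(parts[0]):
        reasons.append("random-looking base name")   # weak on its own
    return reasons


def sender_indicators(addr):
    """Reasons why a From: address fits the worm's spoofing scheme."""
    local, _, domain = addr.lower().partition("@")
    if domain not in SENDER_DOMAINS:
        return []
    if local in SENDER_NAMES:
        return ["spoofed name from worm list at " + domain]
    if RANDOMISH.match(local):
        return ["random-looking sender at " + domain]
    return []


def score_message(sender, attachment):
    """Indicator count for one message; three or more is worth holding for review."""
    return len(sender_indicators(sender)) + len(attachment_indicators(attachment))
```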
DoS attacks
If the system date is between the 17th and the 22nd of the month, there is a 60% chance that the worm will carry out a DoS attack on www.microsoft.com and a 30% chance that it will carry out a DoS attack on www.riaa.com. Mydoom.e performs DoS attacks in exactly the same way as the other versions of Mydoom did, by sending multiple GET requests to port 80 of the site under attack.
Deletion of files
The worm searches all accessible disks from C: to Z: for files with the extensions .mdb, .doc, .xls, .sav, .jpg, .avi and .bmp and uses a random number generator to determine which files with these extensions should be deleted.
Other
The worm searches memory for processes containing the following text:
reged
taskmo
taskmg
avp.
avp32
norton
navapw
navw3
intrena
mcafe
and attempts to stop them.

I-Worm.Mydoom.g

Description I-Worm.Mydoom.g

This worm spreads via the Internet as an attachment to infected messages. The worm itself is a Windows PE EXE file of 32256 bytes, packed using UPX.
The worm will be launched only if the user opens the archive and executes the infected file. The worm will then install itself to the system and start propagating.
The worm includes a backdoor function, and is also coded to conduct a DoS attack on www.symantec.com and symantec.com.
Once the file has been unpacked, the following text string is visible:
to netsky's creator(s): imho, skynet is a decentralized peer-to-peer neural network. we have seen P2P in Slapper in Sinit only. they may be called skynets, but not your shitty app.
Installation
Once the worm is launched, it may open Windows Notepad, which will display a random selection of characters.
When installing, the worm copies itself under a random name, with the extension .exe or .scr to the Windows system directory. It registers this file in the system registry to ensure that the worm is launched each time Windows is started:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"<random characters>"="%System%\<name of file>"
The worm creates a file with a random name and a .dll extension in the Windows system directory. This is the backdoor component. This file is also registered in the system registry:
[HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
"<random characters>"="%System%\<name of file.dll>"
This ensures that the DLL is launched as an Explorer.exe child process.
To flag its presence in the system, the worm creates a mutex named <name of computer>theta. This ensures that only one copy of the worm can be launched at once.
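A defender can check an exported registry hive for the persistence artifacts listed above for Mydoom.e and Mydoom.g (random-named Run values pointing into the system directory, and the InProcServer32 entry under the listed CLSID pointing at a random-named DLL). This is an added example, not code from the original page: it assumes .reg export syntax with full hive names, a %System% of C:\WINDOWS\system32, and a letters-only heuristic for the worm's random names; the sample export is constructed.

```python
import re

# Registry artifacts transcribed from the Mydoom.e and Mydoom.g descriptions above.
RUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
}
HIJACKED_CLSID = (r"HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
                  r"\InProcServer32")
# Triage heuristic for "random characters"; benign short names match too, so use known_ok.
RANDOM_NAME = re.compile(r"^[a-z]{4,12}$", re.I)

def parse_reg_export(text):
    """Minimal .reg parser: yields (key, value_name, data) for quoted string values."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and "=" in line:
            name, _, data = line.partition("=")
            yield key, name.strip('"'), data.strip('"').replace("\\\\", "\\")  # unescape

def persistence_indicators(reg_text, system_dir=r"C:\WINDOWS\system32", known_ok=()):
    """Return human-readable hits for the worm's auto-run and COM-hijack persistence."""
    hits = []
    for key, name, data in parse_reg_export(reg_text):
        in_system = data.lower().startswith(system_dir.lower() + "\\")
        stem, _, ext = data.rsplit("\\", 1)[-1].rpartition(".")
        if not in_system or stem.lower() in {k.lower() for k in known_ok}:
            continue
        if key in RUN_KEYS and RANDOM_NAME.match(name) and RANDOM_NAME.match(stem) \
                and ext.lower() in {"exe", "scr"}:
            hits.append(f"Run value {name!r} -> {data}")
        elif key == HIJACKED_CLSID and name == "@" and RANDOM_NAME.match(stem) \
                and ext.lower() == "dll":
            hits.append(f"InProcServer32 hijack -> {data}")
    return hits

# Constructed sample export (not a real capture): one benign Run entry, one worm-style entry.
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"qzkvwr"="C:\\WINDOWS\\system32\\qzkvwr.exe"

[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
@="C:\\WINDOWS\\system32\\xplmt.dll"
"""
```

Calling `persistence_indicators(SAMPLE_REG, known_ok={"ctfmon"})` yields the worm-style Run value and the hijacked InProcServer32 entry, while the allowlisted ctfmon entry is skipped.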
The worm copies itself to all accessible hard disks under a random name; it also creates copies of itself in ZIP archives.
It searches all accessible hard drives for files with the extensions listed below. It then creates copies of itself under these file names, adding either an .exe or a .pif extension.
avi
doc
jpg
mp3
mp4
wav
wma
xls
Mass mailing
The mass mailing function is similar to the other versions of Mydoom, with a few insignificant differences.
Remote administration
The worm opens TCP ports 80 and 1080 to receive commands. The backdoor component can act as a proxy server, and also download and launch files.
Other
The worm is coded to detect and terminate the following processes in memory:

adaware.exe
alevir.exe
arr.exe
au.exe
avpupd
avwupd
backweb.exe
bargains.exe
beagle
belt.exe
blss.exe
bootconf.exe
bpc.exe
brasil.exe
bundle.exe
bvt.exe
cfd.exe
click
cmd32.exe
cmesys.exe
d3du
datemanager.exe
dcomx.exe
divx.exe
dllcache.exe
dllreg.exe
dpps2.exe
dssagent.exe
emsw.exe
explore.exe
fsg_4104.exe
fuck
gator.exe
gmt.exe
hbinst.exe
hbsrv.exe
hotactio
hotfix.exe
hotpatch.exe
htpatch.exe
hxdl.exe
hxiul.exe
idle.exe
iedll.exe
iedriver.exe
iexplorer.exe
inetlnfo.exe
infus.exe
infwin.exe
init.exe
intdel.exe
intren
isass.exe
istsvc.exe
jdbgmrg.exe
kazza.exe
keenvalue.exe
kernel32.exe
launcher.exe
lnetinfo.exe
loader.exe
mapisvc32.exe
md.exe
mfin32.exe
mmod.exe
mostat.exe
msapp.exe
msbb.exe
msblast.exe
mscache.exe
msccn32.exe
mscman.exe
msdm.exe
msdos.exe
msiexec16.exe
mslaugh.exe
msmgt.exe
msmsgri32.exe
msrexe.exe
mssys.exe
msvxd.exe
netd32.exe
nssys32.exe
nstask32.exe
nsupdate.exe
onsrvr.exe
optimize.exe
patch.exe
penis
pgmonitr.exe
porn
powerscan.exe
prizesurfer.exe
prmt.exe
prmvr.exe
pussy
ray.exe
rb32.exe
rcsync.exe
reged
run32dll.exe
rundll.exe
rundll16.exe
ruxdll32.exe
sahagent.exe
save.exe
savenow.exe
sc.exe
scam32.exe
scrsvr.exe
scvhost.exe
service.exe
servlce.exe
servlces.exe
showbehind.exe
sms.exe
smss32.exe
soap.exe
sperm
spoler.exe
spoolcv.exe
spoolsv32.exe
srng.exe
ssgrate.exe
start.exe
stcloader.exe
support.exe
svc.exe
svchostc.exe
svchosts.exe
svshost.exe
system.exe
system32.exe
sysupd.exe
taskmg
taskmo
teekids.exe
trickler.exe
tsadbot.exe
tvmd.exe
tvtmd.exe
updat
upgrad
utpost.
webdav.exe
win32.exe
win32us.exe
winactive.exe
win-bugsfix.exe
window.exe
windows.exe
wininetd.exe
wininit.exe
wininitx.exe
winlogin.exe
winmain.exe
winnet.exe
winppr32.exe
winservn.exe
winssk32.exe
winstart.exe
winstart001.exe
wintsk32.exe
winupdate.exe
wkufind
wnad.exe
wupdater.exe
wupdt.exe

DoS attacks
The worm searches the victim machine for the file C:\Feedlist. If it detects this file, it will attempt to conduct a DoS attack on www.symantec.com and symantec.com by sending looped multiple GET requests.

    Copyright © 2005 Virus-Database.com