Virus Database


Backdoor.Death.18

Description Backdoor.Death.18

Backdoor Death is a Trojan horse family. These Trojan programs allow remote, anonymous access to victim computers and permit hackers to steal user passwords. Backdoor Death has three components: server, client and a utility used to set up server components.
Set-up Utility
This utility lets the hacker(s) controlling the backdoor Trojan configure the server according to their requirements. For example, they can change the file server name, register in the system, make server icons, send email with stolen passwords, alter firewall settings (if victim computers have one installed), and more.
Server Component
Upon server boot the backdoor code is copied to the system directory according to the settings determined by the set-up utility. The server registers itself either in the system registry or in the system.ini or win.ini files. In this way the server ensures its code is run upon operating system boot or reboot. The server component is able to determine if any other viruses are currently infecting a victim computer. If one is detected, Backdoor.Death shuts it down so that it does not get in the way of updating server components. In addition, the server program is able to detect any firewall installed on victim machines and to remove firewall processes from memory so that Backdoor.Death's controllers can transfer information over a network undetected.
Additionally, the server component monitors keyboard activity and records all keys pressed in a log file, which can then be analyzed by the virus' controller. The server component can also steal user login and password information and send this information back to Backdoor.Death's controller(s) via email, according to the settings chosen in the server set-up utility. When connecting to the Internet the server component sends a message to the site http://Idteam.org where the hackers controlling Backdoor.Death can register and see which computers are currently accessible.
Client Component
The Client component allows hackers controlling Backdoor.Death code to connect to the server component and perform an array of actions such as:
- viewing password information cached in the system
- viewing the list of open windows
- manipulating system files (copy, alter, delete and catalog)
- taking screen shots of the desktop
- manipulating the registry
- sending messages to victims or summoning victims for "chatting"
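
The server component's autostart registration in win.ini or system.ini, described above, can be checked by listing what those files launch at boot. This is an added example, not part of the original description: the sample file contents and the name example_srv.exe are constructed, and the list of expected shell programs is an assumption about a clean system.

```python
# Added example: audit the legacy INI autostart keys (constructed sample data).
AUTOSTART_KEYS = {  # file -> [(section, key)] that Windows runs at boot
    "win.ini": [("windows", "load"), ("windows", "run")],
    "system.ini": [("boot", "shell")],
}
EXPECTED_SHELLS = {"explorer.exe", "progman.exe"}  # assumption: clean baseline

def parse_ini(text):
    """Return {section: [(key, value), ...]} with names lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current].append((key.strip().lower(), value.strip()))
    return sections

def audit_autostart(filename, text):
    """List (file, section, key, program) for every unexpected boot entry."""
    findings = []
    parsed = parse_ini(text)
    for section, key in AUTOSTART_KEYS.get(filename.lower(), []):
        for found_key, value in parsed.get(section, []):
            if found_key != key:
                continue
            # Entries are space- or comma-separated; paths with spaces would
            # be split into pieces, which over-reports rather than misses.
            for prog in value.replace(",", " ").split():
                base = prog.replace("/", "\\").rsplit("\\", 1)[-1].lower()
                if key == "shell" and base in EXPECTED_SHELLS:
                    continue
                findings.append((filename, section, key, prog))
    return findings

# Constructed samples: a run= entry and a program appended after the shell.
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\SYSTEM\\example_srv.exe\n"
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe example_srv.exe\nsystem.drv=system.drv\n"

if __name__ == "__main__":
    for name, text in (("win.ini", SAMPLE_WIN_INI), ("system.ini", SAMPLE_SYSTEM_INI)):
        for finding in audit_autostart(name, text):
            print("review:", finding)
```

Every load= or run= entry is reported for review because a clean win.ini normally leaves both empty; the registry autostart locations need a separate check.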


Iwag.4183

Description Iwag.4183

It is a non-dangerous, memory-resident, polymorphic parasitic virus. It hooks INT 8, 17h, 21h, 2Fh and writes itself to the end of EXE files that are accessed.
By hooking INT 2Fh the virus obtains the command line when programs are executed. If the command line is "iwag" or "iwagstat", the virus displays the following messages, followed by internal virus data and counters in hexadecimal:
Hello! IWAG Virus, Opole , 1997
Usuniecie virusa z systemu: mov ax,0ABABh , int 21h
Hi Master! Status:
Pierwszy nosiciel:

When TD* files are executed, the virus displays the message and reboots the computer:
Program too big to fit in memory

Depending on its internal counters, the virus ejects/inserts the CD-ROM drive or prints one of the texts:
To ja-twoja drukarka:
Rzeczy, ktore mi kazesz drukowac sa bez sensu!
Moze wreszcie kupisz mi dobry papier?
Boli mnie glowa :(
Daj mi spokoj!

Depending on the system date the virus also hooks INT 17h (printer) and changes the letters and digits that are printed.
The virus also disables the mouse, beeps through the PC speaker, and displays the text:
Zartowalem :)

Izhevsk.3474

Description Izhevsk.3474

It is a dangerous, memory-resident, encrypted parasitic virus. It writes itself to the end of COM and EXE files. When an infected file is executed, the virus hooks INT 21h, intercepts the FindFirst DOS call, and on these calls searches for COM (except COMMAND.COM) and EXE files in the current directory and infects them.
The virus uses incorrect anti-debugging tricks and as a result does not work on Pentium computers. Depending on the system date and its internal data, the virus also hooks INT 1Ch and after some time halts the computer and displays the message:
+------------------------------------+
| |
| Waiting for halting systemall |
| |
+------------------------------------+

The virus also contains the text strings:
Sys areaCOMMAND*.com *.exe
(C) Izhevsk 1996

    Copyright © 2005 Virus-Database.com