Virus Database


Mutation.1353

Description Mutation.1353

This is a non-dangerous, memory-resident, polymorphic parasitic virus. It hooks INT 21h and writes itself to the end of COM files. When a file is executed or the current disk is changed, the virus looks for COM files in the current directory and infects them. Each successive generation of the virus adds extra bytes to the files it infects.
The virus contains the text strings:
Mutation Virus 96
Mutation Virus V0.1 - Your computer has been artificially Phucked!


I-Worm.Bagle.b

Description I-Worm.Bagle.b
This worm spreads via the Internet in the form of an attachment to infected emails.
The worm itself is a PE EXE file of approximately 11KB, compressed using UPX. The size of the decompressed file is approximately 16KB.
Characteristics of infected messages:
Message header:
ID xall thanks
with x being a string of random characters.
Message body:
Yours ID x
--
Thank
with x being a string of random characters.
Attachment:
The attachment has a random name, with a file size of 11KB.
Installation
Once launched, the worm copies itself to the Windows system directory under the name 'au.exe' and registers this file in the system registry auto-run key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"au.exe" = "%system%\au.exe"
It also creates the following registry key:
[HKCU\SOFTWARE\Windows2000]
and saves its variables there.
The worm attempts to connect to a number of remote sites, all of which are in some way connected with the Trojan proxy server TrojanProxy.Win32.Mitglieder.
On launching, the worm launches the Sound Recorder utility (sndrec32.exe).
Propagation
The worm searches for files with the following extensions: wab, txt, htm, html, and sends itself to all email addresses found in these files. The worm uses its own SMTP server to send email.
Remote administration
The worm opens and monitors port 8866. A backdoor function means that commands can then be executed and files can be downloaded on the victim computer, with all of this being done from a remote location.
Other
The worm is programmed to stop propagating after 25th February 2004.

I-Worm.Bagle.c

Description I-Worm.Bagle.c
This worm spreads via the Internet in the form of an attachment to infected emails.
The worm itself is a PE EXE file of approximately 15KB, compressed using UPX. The size of the decompressed file is approximately 28KB.
Characteristics of infected messages
Message header:
Accounts department
Ahtung!
Camila
Daily activity report
Flayers among us
Freedom for everyone
From Hair-cutter
From me
Greet the day
Hardware devices price-list
Hello my friend
Hi!
Jenny
Jessica
Looking for the report
Maria
Melissa
Monthly incomings summary
New Price-list
Price
Price list
Pricelist
Price-list
Proclivity to servitude
Registration confirmation
The account
The employee
The summary
USA government abolishes the capital punishment
Weekly activity report
Wellall
You are dismissed
You really love me? he he
Message body:
Empty.
Attachment:
A ZIP file with a random name, with a file size of 15994 bytes. The zipped file contains an EXE file with a random name and an Excel icon.
Installation
Once launched, the worm copies itself and all components to the Windows system directory under the names 'readme.exe', 'onde.exe', 'doc.exe' and 'readme.exeopen' and then registers 'readme.exe' in the system registry auto-run key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"gouday.exe" = "%system%\readme.exe"
It also creates the following registry key:
[HKCU\SOFTWARE\DataTime2]
and saves its variables there.
The worm attempts to connect to a number of remote sites, storing information about the infected machine on these sites.
Bagle.c executes the default Windows 'Notepad' program, notepad.exe, tricking users into believing the program they just executed "does something".
Propagation
The worm searches for files with the following extensions:
adb
asp
cfg
dbx
eml
htm
html
mdx
mmf
nch
ods
php
pl
sht
txt
wab
and sends itself to all email addresses found in these files. The worm uses its own SMTP server to send email.
Remote administration
The worm opens and monitors port 2745. A backdoor function means that commands can then be executed and files can be downloaded on the victim computer, with all of this being done from a remote location.
Other
The worm attempts to block antivirus database updates by terminating the following processes:
ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVLTMAIN.EXE
AVPUPD.EXE
AVWUPD32.EXE
AVXQUAR.EXE
CFIAUDIT.EXE
DRWEBUPW.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
LUALL.EXE
MCUPDATE.EXE
NUPGRADE.EXE
OUTPOST.EXE
UPDATE.EXE
Bagle.c is programmed to stop propagating after March 14, 2004.

    Copyright © 2005 Virus-Database.com