Net-Worm.Win32.Bozori.a
Description Net-Worm.Win32.Bozori.a
This network worm infects computers running Windows. The worm itself is a Windows PE EXE file 10366 bytes in size, written in C++ and packed using UPX. The unpacked file is approximately 20KB in size. The worm spreads via a vulnerability in Microsoft Windows Plug and Play. Details of the
I-Worm.FireBurn
Description I-Worm.FireBurn
This is an Internet worm that spreads as a VBS file attached to e-mail messages. To send infected messages, the worm uses MS Outlook. The worm can also send copies of itself to IRC channels by infecting an mIRC client.

When the worm file is activated (by double-clicking the attached file in an infected message, or by accepting it as an IRC download), it installs itself into the system by copying its code to the Windows directory under the name RUNDLL32.VBS and registering it in the auto-run section of the Windows registry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
MSrundll32 = rundll32.vbs

As a result, the worm is activated each time Windows starts up.

E-mail messages

While mailing its copies, the worm connects to MS Outlook, gains access to the address book and sends its copies to all addresses listed there. Depending on the system configuration, the message has a different Subject and Body. Under the German Windows version, the message appears as follows:

Subject: Moin, alles klar?
Body: Hi, wie geht's dir? Guck dir mal das Photo im Anhang an, ist echt geil ;) bye, bis dann..

Under non-German Windows:

Subject: Hi, how are you?
Body: Hi, look at that nice Pic attached ! Watching it is a must ;) cu later

The attached file name is randomly selected from eight variants:

Ultra-Hardcore-Bondage.JPG.vbs
Christina__NUDE!!!.JPG.vbs
CuteJany__BigTits!.GIF.vbs
MyGirlfriend__NUDE!.JPG.vbs
Aguiliera__NUDE!!.JPG.vbs
!Jany__Gets-fucked!.GIF.vbs
cute__EmmaPeel!!!.JPG.vbs
Julie17__xxx.GIF.vbs

A copy of the worm with the same (randomly selected) name is also created in the Windows directory (this is the copy that is attached to infected messages).

IRC infection

To spread to IRC channels, the worm creates a SCRIPT.INI mIRC system file in the mIRC directory (if it is installed). The worm looks for a C:\MIRC directory as well as for an MIRC directory in "Program Files". If mIRC is installed, the worm drops a new SCRIPT.INI file there. This file contains a set of instructions that sends the worm file to everybody who enters an infected channel. The mIRC script also:

- temporarily moves the worm's RUNDLL32.VBS file from the Windows directory to the Windows system directory under one of the random names listed above (upon disconnecting from the IRC channel, it moves the VBS file back to the Windows directory under the same RUNDLL32.VBS name);
- sends the message "Burn, Burn, Burn :)" to a "virus" conference;
- hides virus-like messages in the current conference (ignores messages that contain any of the words "script", "virus", "worm");
- upon the text "die lamer" in chat, quits the channel with the message "I'll commit suicide! R.I.P";
- upon the text "fire", displays the text "Burn Burn Burn :)".

Payload routine

The payload routine is activated on June 20th. It displays the following message:

FireburN
I'm proud to say that you are infected by FireburN !

and disables the keyboard and mouse by modifying the following two system-registry keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Shut_Up = "rundll32 mouse,disable"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Shut_Up2 = "rundll32 keyboard,disable"

Misc

The worm also changes the "Registered Owner" field in "MyComputer/Properties"; the new value is "FireburN". This is done by modifying the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
RegisteredOwner = FireburN

The worm code also contains the "copyright" text:

VBS.FIREBURN.A -- mIRC/Outlook worm coded by fireburn Polymorphic: Changing the actual filename on each start... greets: to all members of 'UnCreativeLabs'
I-Worm.Fix2001
Description I-Worm.Fix2001
This is a virus-worm that spreads via the Internet. It works similarly to the "Happy99" worm: it installs itself into the system, hooks the Windows Internet access functions, and obtains the Internet addresses to which it sends its copies. The worm has bugs and replicates under Win9x only, not under WinNT.

The worm appears as a "Fix20001.Exe" file attached to an e-mail message. The message has the subject "Internet problem year 2000." and the message text is written in two languages, English and Spanish:

Estimado Cliente: Rogamos actualizar y/o verificar su Sistema Operativo para el correcto funcionamiento de Internet a partir del Año 2000. Si Ud. es usuario de Windows 95 / 98 puede hacerlo mediante el Software provisto por Microsoft (C) llamado -Fix2001- que se encuentra adjunto en este E-Mail o bien puede ser descargado del sitio WEB de Microsoft (C) HTTP://WWW.MICROSOFT.COM Si Ud. es usuario de otros Sistemas Operativos, por favor, no deje de consultar con sus respectivos soportes tecnicos. Muchas Gracias. Administrador.

Internet Customer: We will be glad if you verify your Operative System(s) before Year 2000 to avoid problems with your Internet Connections. If you are a Windows 95 / 98 user, you can check your system using the Fix2001 application that is attached to this E-Mail or downloading it from Microsoft (C) WEB Site: HTTP://WWW.MICROSOFT.COM If you are using another Operative System, please don't wait until Year 2000, ask your OS Technical Support. Thanks. Administrator.

The worm also contains text strings that are used to generate and send attached data in an e-mail message, as well as the texts:

RCPT TO:
@hotmail.com>
@ciudad.com.ar>
Fix2001
THE REAL KEY TO LIVE A HAPPY LIFE, IS: BE A GOOD MAN.
PARA CONSEGUIR LA VERDADERA FELICIDAD, SE UN BUEN TIPO.

Installation

The attached file (the worm itself) is a Windows executable file about 12Kb in length. When executed, it installs itself into the Windows system directory under the name FIX2001.EXE and registers itself in the "Run=" system registry key to activate its copy upon each Windows restart:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Fix2001 = "FIX2001.EXE"

The worm then displays the following fake message to hide its activity:

Spreading

When run from the installed FIX2001.EXE copy, the worm registers itself as a system-service process (to hide its window and stay active upon user logoff), using "AMORE_TE_AMO" as its identifying window title; gains access to the WSOCK32.DLL Internet connection library; obtains the addresses of the "connect" and "send" functions; patches them with call instructions to the worm's hook routines; and stays in Windows memory as a hidden application. When the Internet connection is activated, the worm scans data that is sent and received, obtains Internet addresses from it, and sends infected messages to these addresses.

Payload

The worm has a very dangerous payload that is activated when the text strings in the worm's body are patched or corrupted (this is possible because the data are transferred via Internet channels). In this case, the worm overwrites the C:\COMMAND.COM file with a DOS Trojan that, upon the next computer reboot, erases all data on the hard drive.
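A defensive check built from the indicators in the I-Worm.FireBurn and I-Worm.Fix2001 descriptions above, as an added example that is not part of the original page: it scans a registry export (.reg text) for the listed Run-key values and flags attachment names that put a media extension in front of a script extension. The function names, the sample export and the extensions beyond JPG, GIF and vbs are assumptions made for illustration.

```python
import re

# Run-key value names and data as listed in the descriptions above.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
KNOWN_RUN_VALUES = {
    "msrundll32": "rundll32.vbs",             # FireBurn persistence
    "shut_up": "rundll32 mouse,disable",      # FireBurn payload
    "shut_up2": "rundll32 keyboard,disable",  # FireBurn payload
    "fix2001": "fix2001.exe",                 # Fix2001 persistence
}
# Media extension followed by a script extension (list is an assumption;
# the page itself only shows .JPG.vbs and .GIF.vbs).
DOUBLE_EXT = re.compile(r"\.(jpe?g|gif|png|bmp)\.(vbs|vbe|js|wsf)$", re.I)
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def scan_reg_export(text):
    """Return (value_name, data) pairs under the Run key that match the table."""
    hits, in_run = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):              # start of a new key section
            in_run = line.strip("[]").lower() == RUN_KEY
            continue
        m = VALUE_LINE.match(line)
        if in_run and m:
            name = m.group(1)
            data = m.group(2).replace("\\\\", "\\")  # undo .reg backslash escaping
            if KNOWN_RUN_VALUES.get(name.lower()) == data.lower():
                hits.append((name, data))
    return hits

def is_double_extension(filename):
    """True for names such as photo.JPG.vbs that hide a script extension."""
    return bool(DOUBLE_EXT.search(filename))

# Constructed sample export; not taken from a real system.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Vendor\\updater.exe"
"MSrundll32"="rundll32.vbs"
"Shut_Up"="rundll32 mouse,disable"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Fix2001"="FIX2001.EXE"
'''

if __name__ == "__main__":
    print(scan_reg_export(SAMPLE_REG))
    print(is_double_extension("holiday.JPG.vbs"))
```

Exports written by regedit are UTF-16, so decode the file before passing its text to `scan_reg_export`. Only values under the Run key are matched, which is why the RunOnce entry in the sample is not reported.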