Backdoor.KWM
Description Backdoor.KWM
This is a Win32 backdoor Trojan that allows a remote host to gain access to an infected computer. The Trojan itself is a Win32 application (PE EXE file) about 14K in size. There are several known versions of this backdoor, which were distributed as uploads to public Web sites under the following names:

1. Photo.scr - as a picture (about 66K)
2. Sponsors_pay_WM.exe - as a document "Billing Systems' Contract for Services" (about 70K)
These EXE and SCR files are Trojan "droppers" that simply drop the actual Trojan program into the Windows directory under the name "netcfgh.exe", then drop and open a "decoy" file (a JPG picture or a TXT document). The "decoy" files are created in the root of the C: drive with the names PHOTO.JPG or CONTRACT.TXT, and are then opened with Explorer.

When the actual Trojan file starts, it first of all enables auto-dialing by altering the registry value:

HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Internet Settings
EnableAutodial

The Trojan then registers itself as a hidden (system) application, registers itself in the auto-run key in the SYSTEM.INI file (in the Windows directory), sleeps for a short time and runs the main backdoor routine. This routine connects to a host FTP site, ftp://ftp.bizland.com/, with a specific user name and password, and downloads additional EXE components (HEAK.EXE, TEEN1.EXE, TEEN2.EXE, TEEN3.EXE), which are a keyboard spy (logger), an archiver, etc. The Trojan also obtains from this FTP site special CMD files containing instructions written in a specific script language. The backdoor then processes this script file and executes the commands present in it. These commands allow a remote host to operate an infected computer in the following ways:

- download files to the infected computer
- upload files from the infected computer
- execute local files
- move/copy/delete local files
- upload confidential information (RAS information and cached passwords) to the host FTP site
The backdoor also scans disk drives for WebMoney files and reports them to the host. This allows the host to steal WebMoney information from infected computers.

The backdoor also creates the following additional registry values under HKLM\Software\Microsoft\Windows\CurrentVersion:

CmdID = %hostname% ; where %hostname% is the computer's network address
SystemNumber = NEW_%system_date% ; where %system_date% is the current date converted to a number

and creates additional files in the Windows directory:

BODY.LG - the Trojan's log file (its actions and errors are reported here)
LIST.CMD - script file
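As an added example (not part of the original description), a Python triage check that looks for the artifacts listed above in a registry export, a SYSTEM.INI and a Windows-directory file listing. The sample inputs are constructed; the host name and date number are made up, and the assumption that the SYSTEM.INI autorun entry is a [boot] shell= line is mine, since the description does not name the key.

```python
# Indicators quoted from the Backdoor.KWM description: dropped files and registry values.
DROPPED_FILES = {"netcfgh.exe", "body.lg", "list.cmd"}
CURVER = r"hkey_local_machine\software\microsoft\windows\currentversion"
INET = r"hkey_users\.default\software\microsoft\windows\currentversion\internet settings"

def parse_sections(text):
    """Parse .reg / .ini style text into {section: {name: data}} with lower-cased keys."""
    out, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1].lower()
            out.setdefault(cur, {})
        elif cur and "=" in line and not line.startswith(";"):
            name, data = line.split("=", 1)
            out[cur][name.strip().strip('"').lower()] = data.strip().strip('"')
    return out

def kwm_findings(reg_export, system_ini, windows_dir_files):
    """Return human-readable matches against the Backdoor.KWM artifacts."""
    hits = []
    reg = parse_sections(reg_export)
    curver = reg.get(CURVER, {})
    if "cmdid" in curver:
        hits.append("CmdID value under HKLM\\...\\CurrentVersion: " + curver["cmdid"])
    if curver.get("systemnumber", "").startswith("NEW_"):
        hits.append("SystemNumber=NEW_... under HKLM\\...\\CurrentVersion")
    if reg.get(INET, {}).get("enableautodial") in ("dword:00000001", "1"):
        hits.append("EnableAutodial switched on for HKEY_USERS\\.Default")
    # Assumption (the description names no key): the SYSTEM.INI autorun entry is [boot] shell=.
    shell = parse_sections(system_ini).get("boot", {}).get("shell", "")
    if "netcfgh.exe" in shell.lower():
        hits.append("SYSTEM.INI [boot] shell= references netcfgh.exe")
    for name in sorted(DROPPED_FILES & {f.lower() for f in windows_dir_files}):
        hits.append("dropped file in Windows directory: " + name)
    return hits

# Constructed sample input resembling an infected host (host name and date number are made up).
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion]
"CmdID"="WS-LAB01"
"SystemNumber"="NEW_37012"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"EnableAutodial"=dword:00000001
"""
SAMPLE_INI = "[boot]\nshell=Explorer.exe C:\\WINDOWS\\netcfgh.exe\n[386Enh]\n"
SAMPLE_DIR = ["EXPLORER.EXE", "NETCFGH.EXE", "BODY.LG", "LIST.CMD", "WIN.INI"]

if __name__ == "__main__":
    for hit in kwm_findings(SAMPLE_REG, SAMPLE_INI, SAMPLE_DIR):
        print("[KWM]", hit)
```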
StealthBomber
Description StealthBomber
It is not a dangerous memory resident encrypted parasitic virus. It traces and hooks INT 21h: the virus overwrites the code of the original INT 21h handler with a 10-byte routine that passes control to the virus body. On INT 21h calls the virus restores the patched code, and then patches it again. To do that the virus also hooks INT 1, 1Ch and 20h. The virus writes itself to the beginning of .COM files that are accessed. On the 31st of August the virus displays the message:

! I AM THE STEALTH BOMBER !
+-------------------------+
¦   I BELONG TO THE NEW   ¦
¦ GENERATION OF COMPUTER  ¦
¦VIRUSES. LIKE THE STEALTH¦
¦ BOMBER, I GO UNDETECTED ¦
¦     BY ENEMY RADAR      ¦
+-------------------------+
!!! DO NOT PANIC !!!
I AM JUST SHOWING OFF HOW EASY I CAN EVADE YOUR ANTI VIRUS SYSTEM - I DO NO HARM
Steatoda family
Description Steatoda family
These are very dangerous memory resident parasitic viruses. They hook INT 21h and write themselves to the beginning of COM files and to the end of EXE files that are executed or opened. After infecting a file the viruses erase randomly selected sectors on the hard drive. Before installing themselves memory resident the viruses look for the file C:\DAMAGE.MOR. If that file is found, the viruses do not stay resident, but decrypt and display the message:

This file is infected by "Steatoda", you seem to have the protection, soall you will not be harmed by the virus. Press any key...

The viruses also contain the text strings:

"Steatoda"
EXE
COM
C:\DAMAGE.MOR