Virus Database

Nigeb.890

Description Nigeb.890

It is a dangerous memory resident encrypted parasitic virus. It hooks INT 1Ch, 21h and writes itself to the end of COM files that are executed.
While writing to the files (INT 21h, AH=40h) the virus converts the strings "BEGIN" (lower or upper-cased) to "NIGEB". On INT 1Ch (timer) calls it scans the screen for "NIGEB" strings, and converts them to "BEGIN".
The virus contains the text strings:
igeb
egin
AntiPascal-1 (C)Godzilla Corp.

Check other viruses! Be aware! Use Antiviral Software

Backdoor.Agobot.a

Description Backdoor.Agobot.a

Backdoor.Agobot (also known as PhatBot) is a Trojan program which provides the author/ user with remote access to the victim machine. It is managed via IRC. It has a wide range of functionalities:
will not work with a debugger running or under Vmware
it can run both as a standard application and as a service (when running under Windows NT/2000/XP)
when copying itself to the Windows system folder (on first being launched) it attmepts to encode the copy and write the decoder to the body of the copy (polymorphic code)
adds to the HOSTS file the IP address 127.0.0.1 for the sites of some antivirus companies (to hinder the updating of antivirus databases)
monitors the network and copies all interesting packets (e.g. packets containing passwords for FTP servers, e-payment systems such as PayPal etc.)
scans other computers for the presence of common vulnerabilities such as DCOM RPC, UpnP, WebDAV and others, and then installs itself on the vulnerable machine
searches the victim machine for AOL logs, passwords for certain computer games, and email addresses, and sends all this information to its author/ user
conducts DoS attacks (SYN-flood, Targa and others)
launches proxy servers on the victim machine (HTTP, HTTPS, SOCKS, BNC and others)
expedites the uploading of additional modules (plug-ins)

Backdoor.Agobot.gen

Description Backdoor.Agobot.gen
This is a classical backdoor and allows a 'master' to control the victim machine remotely by sending commands via IRC channels.
Installation
Agobot copies itself into the Windows directory under random names and then registers itself in the system registry auto-run keys:
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunServices]
Manifestations
Agobot connects to various IRC servers opening channels identified in the body of the worm. It is then ready to receive commands from the 'master', who can now download and launch files on the victim machine, scan other computers for vulnerabilities and install itself on these vulnerable machines.

Home