Backdoor.Nickser
Description

Nickser is a backdoor trojan program. The trojan itself is a Windows PE EXE file about 136KB in length (it is compressed by TeLock; the decompressed size is about 270KB). It is written in Microsoft Visual C++. When run, the backdoor copies itself to the Windows directory under the name lsass.exe and registers itself in the system registry auto-run key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
UserInitialization = %WinDir%\lsass.exe
Nickser then reads its "master's" instructions from an encrypted script file located on the Web at http://go.xmain.da.ru. The backdoor routine performs the following actions:
- gets a file from a requested URL
- runs a command or a specified local file
- performs a DoS attack on a requested victim address
- terminates itself
- joins an IRC channel
- opens local drives as an FTP site
- etc.
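A defensive check for the persistence described above, as an added example that is not part of the original description: it parses `reg query` output for the Run key and flags values that start a Windows system process name such as lsass.exe from outside System32, where the genuine lsass.exe resides. The sample output, the C:\Windows install path and the list of system image names are constructed assumptions.

```python
import ntpath
import re

# Core Windows process images that legitimately exist only in System32 (assumed list).
SYSTEM_IMAGES = {"lsass.exe", "services.exe", "winlogon.exe", "csrss.exe", "smss.exe"}
WINDIR = r"C:\Windows"  # assumed install path, used to expand %WinDir% / %SystemRoot%

VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")
ENV_VAR = re.compile(r"%(windir|systemroot)%", re.IGNORECASE)

# Constructed sample of `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run`.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    UserInitialization    REG_SZ    C:\WINDOWS\lsass.exe
    Updater    REG_SZ    "C:\Program Files\Vendor\update.exe" /background
"""

def image_path(data):
    """Return the executable path from a Run value, dropping quotes and arguments."""
    data = ENV_VAR.sub(lambda m: WINDIR, data.strip())
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    m = re.match(r"(?i)^(.*?\.exe)(\s|$)", data)
    return m.group(1) if m else data

def suspicious_run_values(reg_query_output):
    """Return (value name, path) pairs for system image names outside System32."""
    system32 = ntpath.normcase(ntpath.join(WINDIR, "System32"))
    hits = []
    for line in reg_query_output.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue  # key header or blank line
        path = ntpath.normpath(image_path(m.group("data")))
        folder, image = ntpath.split(ntpath.normcase(path))
        if image in SYSTEM_IMAGES and folder != system32:
            hits.append((m.group("name"), path))
    return hits

if __name__ == "__main__":
    for name, path in suspicious_run_values(SAMPLE):
        print(f"suspicious Run value {name!r}: {path}")
```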
Jd Family
Description

These are memory-resident parasitic viruses. They copy themselves to system memory at the address 0043:0100, hook INT 21h and write themselves to the end of COM files that are executed or opened. Some of these viruses detect their already installed TSR copy with an "Are you here?" call (INT 21h, AX=3FFFh); the TSR part returns 4A44h ('JD') in the AX register. Sometimes "Jd.448,460" delete the files instead of opening them.
JDC family
Description

These are non-memory-resident polymorphic parasitic viruses. They search for COM and EXE files in the current and parent directories, then for the COMMAND.COM file, and write themselves to the end of the file. While infecting files packed with PKLite, the viruses patch the PKLite entry code and write a "JMP Virus" instruction into the middle of the PKLite code. The viruses use two levels of polymorphic encryption as well as anti-debugging tricks based on i386 features. Under a debugger they display the message:

This program requires 80386 or better.

The viruses also contain the text strings:

A JDC PRODUCTION
~~TEMP~~.TMP
If you want to contact us, call: 809-5100 and 809-5031
JDC.6891

It is a very dangerous virus. On Thursday 13th it erases hard drive and floppy disk sectors. On April 1st it overwrites the MBR of the hard drive with a program that displays on loading:

VI(RUS) Insert system disk in drive C: and press enter or space.

The virus also contains the text in Russian and in English:

This program is incompotible with PC-DOSall MCS 1994
=========================================
.xXXxQEE.D-VersionxXXx...................
Designed for ---[ ]/[ Z / ]---(R)
Internal revision: 005
-----------------------------------------
Copyright (c) 1997 John Darland Computing
QEE (c) 1996-97 JDC
-----------------------------------------
This is D-VERSION!!! (Pre-release)
=========================================
WiNDOWS '95 - ONLY FOR L·A·M·E·R·S
=========================================
[JDC] [JDC] [JDC] [JDC] [JDC] [JDC] [JDC]
=========================================
===[ Messages ]========================================
To Antivirus creators:
"Please name this virus QEE.DVersion"
===[ T·H·E E·N·D ]====================================
*.CoM *.eXe .. COMSPEC=
---[ QEE 1.42 ]-[ Quantum Encryption Engine, Copyright (c) 1996-97 JDC ]---
JDC.7616

It is not a dangerous virus. Depending on the system date and time, the virus displays a picture containing the texts:

You have a VIRUS now Press any key to continue This program created special for ]/[ 2 / Copr (c) 1997 JD

The virus also contains the text strings:

Sorry, there is a small error: this program is incompotible with PC-DOS... :(
=========================================
.xXXxQEE.JV.Dr.WebxXXx...................
Designed for ---[ ]/[ Z / ]---(R)
Internal revision 004
-----------------------------------------
Copyright (c) 1997 John Darland Computing
QEE (c) 1996-97 JDC
=========================================
WiNDOWS '95 - ONLY FOR L·A·M·E·R·S
=========================================
[JDC] [JDC] [JDC] [JDC] [JDC] [JDC] [JDC]
=========================================
===[ Future ]==========================================
You will see in next version:
- 2 new encryptors:
- RCG (Random Code Generator) [10% done]
- TTT (The Time Tracer) [ 0% done]
- More cool Windows'95 halter [ 0% done]
Possibly:
- Int 21h tracing
===[ Messages ]========================================
To Antivirus creators:
"Please name this virus QEE.JV.DrWeb or QEE.JV.Anti95 or, in other case, QEE.AntiWin95. It is only first virus from large family"
===[ Thanks ]==========================================
To: HR ( JDC ), VD (S&K, VI), DP (xxx), PP (xxx), DZ ( P), ID ( P) and others...
===[ T·H·E E·N·D ]====================================
COMSPEC=C:\COMMAND.COM
[ QEE 1.41 ]-[ Quantum Encryption Engine, Copyright (c) 1996-97 JDC ]---