Virus Database


Ostap.322

Description Ostap.322

It is a harmless memory resident parasitic virus. It hooks INT 21h and writes itself to the end of COM files that are executed or opened. It contains text strings in Russian.


I-Worm.Creepy

Description I-Worm.Creepy

This text was written with the help of Alexey Podrezov, F-Secure Corp.
This is a worm that spreads via the Internet as an attachment to infected emails. The worm itself is a Windows PE EXE file about 330Kb in length, written in Delphi.
The infected messages have:
Subject: Leuk programmaatje!
Body:
Hallo , dit is een heel gaaf programmaatje wat ik van Bert gekregen heb.

Opstarten en gedurende 5 minuten naar de stip kijken en daarna naar je hand. Creepy!!
Ik heb het op virussen gecheckt dus dat zit wel snor. Groetjesall
Attachment: HYPNOSE.EXE (usually, name may vary)
The worm assumes that Outlook is already running when it starts. If Outlook is not running, the worm might crash. To spread itself, the worm opens the Windows Address Book and sends itself to all e-mail addresses it can find there.
The attachment's name can vary. It depends on the name that the worm's file had on the infected computer.
When the worm's file is run, it also displays a message in a DOS session window:
Welkom bij de hypnose truuk!

Na deze hypnose sessie, kunt u iedere willekeurige tekst ondersteboven lezen!
Zorg dat u vast een A-4tje met tekst, of een krant, ondersteboven naast u hebt liggen.

Er verschijnen zometeen tien regels met een willekeurige text op het scherm.
Het kan tot 15 seconden duren voordat de eerste regel verschijnt.
Lees ieder woord totdat het scherm veranderd.
Nu verschijnt een draaiende spiraal. Hierop concentreert u zich gedurende 10 tot 15 seconden.
Kijk hierna snel naar het blad met tekst en zie!! U kunt ondersteboven lezen!!

Grafische elementen worden geinstalleerd, moment aub...
The worm modifies the auto-start Registry keys so that it is run every time Windows is started. The following keys are modified:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "MyApp"=[path to worm's file]

[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices] "MyApp"=[path to worm's file]
The [path to worm's file] is the path to the location where the worm was first run, followed by the worm's file name, for example "c:\windows\hypnose.exe".
The worm also modifies Internet settings by adding or modifying the following key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SafeSites] "ie.search.msn.com" = "http://www.serverbeat.nl/redir.php?http://www.protagonist.nl/redir.php? http://www.uniserver.nl/redir.php?"
The worm sets the default Internet Explorer startup page to 'www.de-isp.nl'.
The worm also creates several URLs on the Desktop:
www.de-isp.url
www.plexusict.nl.url
www.nedcomp.nl.url
www.protagonist.nl.url
www.serverbeat.nl.url
www.activeisp.nl.url
Registreer een domein 1.url
Registreer een domein 2.url
Registreer een domein 3.url
and in the Favourites folder:
www.de-isp.url
www.plexusict.nl.url
www.nedcomp.nl.url
www.protagonist.nl.url
www.serverbeat.nl.url
www.activeisp.nl.url
Internet Hosting\www.de-isp.url
Internet Hosting\www.plexusict.nl.url
Internet Hosting\www.nedcomp.nl.url
Internet Hosting\www.protagonist.nl.url
Internet Hosting\www.serverbeat.nl.url
Internet Hosting\www.activeisp.nl.url
Internet Hosting\Registreer een domein 1.url
Internet Hosting\Registreer een domein 2.url
Internet Hosting\Registreer een domein 3.url
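
A triage check for the Registry changes described above, added here as an example and not part of the original description. It assumes the machine's Registry has been exported to regedit's REGEDIT4 text format; the function names and the sample export are constructed for illustration.

```python
import re

# Indicators taken from the I-Worm.Creepy description above.
AUTOSTART_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
SAFESITES_KEY = (r"hkey_local_machine\software\microsoft\windows"
                 r"\currentversion\internet settings\safesites")
# "name"="string data" lines; backslash escapes are allowed inside the quotes
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample export (not taken from a real machine).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"MyApp"="c:\\windows\\hypnose.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"MyApp"="c:\\windows\\hypnose.exe"
'''


def parse_reg(text):
    """Yield (key, value_name, string_data) from a regedit text export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            # .reg string data escapes backslash and quote with a backslash
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            yield key, name, data


def creepy_findings(text):
    """Return (kind, key, data) for values matching the description."""
    findings = []
    for key, name, data in parse_reg(text):
        k = key.lower()
        if k in AUTOSTART_KEYS and name.lower() == "myapp":
            findings.append(("autostart", key, data))
        elif k == SAFESITES_KEY and name.lower() == "ie.search.msn.com":
            findings.append(("safesites", key, data))
    return findings
```

A value named "MyApp" can also belong to unrelated software, so treat a hit as a lead and confirm that the data points at the worm's file.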

I-Worm.Cuerpo

Description I-Worm.Cuerpo

This Internet worm infects computers running Windows 9x with Internet Explorer 5.0 installed without the Scriptlet.TypeLib hotfix (MS99-032). The worm spreads via e-mail by sending infected messages from affected computers. To spread, the worm uses MS Outlook and sends itself to all addresses that are stored in the MS Outlook Address Book. The worm also has an alternate spreading method that does not use Outlook at all.
The worm arrives on a computer as an e-mail message in HTML format. The subject of the message may vary. The message body has no visible text but contains a script that is the worm itself.
When the message is opened or displayed in the preview pane, the script activates and the worm's code executes. At this moment an ActiveX warning may appear on the display:
An ActiveX control on this page might be unsafe to interact with other parts
of the page. Do you want to allow this interaction?
[YES] [NO]
Choosing [NO] will not allow the worm to execute.
Once activated, the worm drops some files that are parts of the worm, gets access to Outlook and spreads using it, then searches the computer's hard drive for e-mail addresses, collects them and uses them in the alternate spreading routine.
When composing an infected message to send, the worm chooses the subject from one of the existing messages in the Outlook Inbox. The worm also attaches an HTML file with the worm code. The file name is the name of one of the attachments existing in the Inbox with "(9 Kbytes).vbs" added. Thus, an infected message contains the worm code twice: in the message HTML body and in the attachment.
The worm adds itself to all signature files used by MS Outlook. This means every message composed in HTML format will contain the worm code.
The worm replaces the Internet Explorer start page with a blank one. Four days after infection the worm replaces the start page again with a URL pointing to "http://www.freedonation.com".
The worm has an alternate spreading method that does not use Outlook at all. This routine searches the local hard drive for files with the extensions "txt", "na2", "wab", "mbx", "dbx" and "dat" (these are usual extensions for mail databases) and then searches for and collects e-mail addresses in these files. The collected addresses are then posted (using an HTML form) to the worm author's Internet site. A special script on that site sends infected messages directly from the site to every address received. Such messages have the same address in the "From" and "To" fields and contain only an HTML body with the worm code inside. This alternate spreading method will stop working as soon as the worm author's site is closed.
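
A mail-filter heuristic for the message traits described above, added here as an example and not part of the original description. The function name, the indicator labels and the sample message are constructed, and detecting the embedded script by looking for a `<script` tag is an assumption.

```python
from email import message_from_string
from email.utils import parseaddr

SUFFIX = "(9 kbytes).vbs"  # attachment-name suffix from the description

# Constructed sample of a site-relayed copy; the script body is a placeholder.
SAMPLE_RELAYED = '''\
From: user@example.com
To: user@example.com
Subject: constructed sample
Content-Type: text/html

<html><body><script>/* placeholder, no worm code */</script></body></html>
'''


def cuerpo_indicators(raw):
    """Return which traits from the description a raw message shows."""
    msg = message_from_string(raw)
    hits, html_script, extra = set(), False, False
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:  # an attachment: only its name is checked
            extra = True
            if name.lower().endswith(SUFFIX):
                hits.add("attachment-suffix")
            continue
        body = part.get_payload(decode=True) or b""
        if part.get_content_type() == "text/html":
            # Assumption: an embedded script shows up as a <script tag
            html_script = html_script or b"<script" in body.lower()
        elif body.strip():
            extra = True  # visible non-HTML text
    if html_script:
        hits.add("html-script-body")
    sender = parseaddr(msg.get("From", ""))[1].lower()
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    # Relayed copies: same address in From and To, HTML body and nothing else
    if sender and sender == rcpt and html_script and not extra:
        hits.add("from-equals-to-html-only")
    return hits


if __name__ == "__main__":
    print(sorted(cuerpo_indicators(SAMPLE_RELAYED)))
```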





    Copyright © 2005 Virus-Database.com