Pages Family
Description Pages Family
These are not dangerous memory-resident parasitic viruses. They hook INT 1Ch (the timer tick, used for the video effects) and INT 21h (DOS services, used to catch file access) and write themselves to the end of .COM files (except COMMAND.COM) as those files are accessed. They contain the text string "COMMANDO-3". They manifest themselves with video tricks: they switch video pages or "shake" the screen.
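The description only says the family appends itself to .COM files and carries the "COMMANDO-3" string. The added example below (not code from the original page) shows how a scanner would use both facts together: it checks for the marker and, on the assumption that the infector redirects the host's entry point with a near JMP into the appended tail (the usual layout of an appending .COM infector, not something this page states), confirms that the jump lands in the region that holds the marker. The sample host bytes and the virus body are constructed for the demonstration.

```python
import struct
from pathlib import Path

MARKER = b"COMMANDO-3"   # text string the description says the family carries
JMP_LEN = 3              # near JMP: E9 rel16

def build_infected_com(clean: bytes, virus_code: bytes) -> bytes:
    # Constructed sample, not a real Pages body. Assumption: like most appending
    # .COM infectors, the virus saves the host's first 3 bytes, appends itself and
    # patches the entry point with a JMP to the tail; the page only states that the
    # family writes itself to the end of .COM files.
    tail = clean[:JMP_LEN] + virus_code + MARKER
    rel = len(clean) - JMP_LEN                    # displacement from the byte after the JMP
    return b"\xE9" + struct.pack("<H", rel) + clean[JMP_LEN:] + tail

def scan_com(image: bytes) -> dict:
    # Heuristic for an appender: the marker sits in the tail and the entry JMP lands
    # inside the file at or before the marker. File offsets are used throughout, so
    # the .COM load origin (0x100) cancels out.
    info = {"marker_at": image.find(MARKER), "entry_target": None, "infected": False}
    if len(image) >= JMP_LEN and image[0] == 0xE9:
        rel = struct.unpack("<H", image[1:JMP_LEN])[0]
        info["entry_target"] = (JMP_LEN + rel) & 0xFFFF
    t = info["entry_target"]
    if info["marker_at"] != -1 and t is not None:
        info["infected"] = JMP_LEN < t < len(image) and t <= info["marker_at"]
    return info

def scan_directory(root: str):
    # Walk a directory of DOS programs. COMMAND.COM is scanned too: the page says the
    # family skips it, but a scanner should not rely on that exclusion.
    hits = []
    for p in Path(root).rglob("*"):
        if p.suffix.lower() == ".com" and p.is_file():
            r = scan_com(p.read_bytes())
            if r["infected"]:
                hits.append((str(p), r["entry_target"], r["marker_at"]))
    return hits

# Constructed host: a few bytes of DOS code followed by a '$'-terminated string.
CLEAN_HOST = b"\xB4\x09\xBA\x0A\x01\xCD\x21\xC3" + b"Hello$"
INFECTED = build_infected_com(CLEAN_HOST, b"\x90" * 20)

if __name__ == "__main__":
    print(scan_com(CLEAN_HOST))
    print(scan_com(INFECTED))
```

A plain marker search would also flag any file that happens to contain the string (an antivirus product's own signature database, for instance); requiring the redirected entry point as well removes that class of false positive.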
Check other viruses! Be aware! Use Antiviral Software
I-Worm.NetSky.q
Description I-Worm.NetSky.q
This worm spreads via the Internet as an attachment to infected messages. It is also able to propagate via P2P networks and via accessible HTTP and FTP directories. The worm's main component is a PE EXE file of approximately 29KB, packed using FSG; the unpacked file is approximately 40KB in size.

Installation

The worm copies itself to the Windows directory under the name fvprotect.exe and registers this file in the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Norton Antivirus AV" = "%windir%\fvprotect.exe"

The worm also creates a file named userconfig9x.dll in the Windows directory, together with files with the following names:

zipped.tmp
base64.tmp
zip1.tmp
zip2.tmp
zip3.tmp

These files are copies of the worm in UUE (uuencoded) form and ZIP archives containing copies of the worm. Files within the archive will have names chosen from the following list:

document.txt.exe
data.rtf.scr
details.txt.pif

The worm creates a mutex, "_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_", to flag its presence in the system.

Propagation via email

The worm searches for files with any of the following extensions:

.eml .txt .php .asp .wab .doc .vbs .rtf .uin .shtm .cgi .dhtm .pl .htm .html .adb .tbb .dbx .sht .oft .msg .jsp .wsh .xml

and sends copies of itself to email addresses harvested from these files. The worm uses its own SMTP library to send messages, and it attempts to connect directly to the recipient's mail server rather than relaying through a local server.

Infected messages

Infected messages contain random combinations of the options listed below.
Sender's address:

Chosen at random from the addresses harvested on the infected machine. The From: line is therefore forged: the apparent sender is another victim or a harvested contact, not the machine that sent the message.

Message header (subject):

Re: Hi
Re: Hello
Re: Encrypted Mail
Re: Extended Mail
Re: Status
Re: Notify
Re: SMTP Server
Re: Mail Server
Re: Delivery Server
Re: Request
Re: Bad Request
Re: Failure
Re: Thank you for delivery
Re: Test
Re: Administration
Re: Message Error
Re: Error
Re: Extended Mail System
Re: Secure SMTP Message
Re: Protected Mail Request
Re: Protected Mail System
Re: Protected Mail Delivery
Re: Secure delivery
Re: Delivery Protection
Re: Mail Authentification
Re: List
Re: Question
Re: Proof of concept
Re: Developement
Re: Message
Re: Error in document
Re: Free porn
Re: Sex pictures
Re: Submit a Virus Sample
Re: Virus Sample
Re: Old times
Re: Old photos
Re: Sample
Re: Its me
Re: Is that your document?
Re: Approved document
Re: Your document
Protected Mail System
Mail Authentication
Is that your password?
Private document
Stolen document
Mail Account Administrator
Illegal Website
Internet Provider Abuse
Thank you!
Congratulations!
Postcard
Your day
Mail Delivery Error
Shocking document
You cannot do that!
hi
hello
Fwd: Warning again
Notice again
Spamed?
Spam
0i09u5rug08r89589gjrg
Re: A!p$ghsa
Important
m$6h?3p
Do you?
Does it matter?
News
Information
I love you!
I cannot forget you!
here your my thanks!
approved
corrected
patched
improved
important
read it immediately

or a random string of characters.

Message body:

Please see the attached file for details
Please read the attached file!
Your document is attached.
Please read the document.
Your file is attached.
Your document is attached.
Please confirm the document.
Please read the important document.
See the file.
Requested file.
Authentication required.
Your document is attached to this mail.
I have attached your document.
I have received your document.
The corrected document is attached.
Your document.
Your details.
Please confirm!
Please answer quickly!
Thank you for your request, your details are attached!
Thanks!
I am shocked about your document!
Let'us be short: you have no experience in writing letters!!!
Try this, or nothing!
Here is it!
Do not visit this illegal websites!
You have downloaded these illegal cracks?
Here is my icq list.
Here is my phone number.
I have visited this website and I found you in the spammer list. Is that true?
Are you a spammer? (I found your email on a spammer website!?!)
po44u90ugjid-k9z5894z0
9u049u89gh89fsdpokofkdpbm3-4i
Please r564g!he4a56a3haafdogu#mfn3o
SMTP Error #201
See the ghg5%&6gfz65!4Hf55d!46gfgf
Server Error #203
Your photo, uahhhall. , you are naked!
You have written a very good text, excellent, good work!
Your archive is attached.
Monthly news report.
lovely, :-)
your big love, ;-)
I hope you accept the result!
The sample is attached!
Your important document, correction is finished!
Important message, do not show this anyone!
Here is the website. ;-)
My favourite page.
I have corrected your document.
I have attached the sample.
Your bill is attached to this mail.
You were registered to the pay system. For more details see the attachment.
Binary message is available.
Message has been sent as a binary attachment.
Can you confirm it?
I have attached it to this mail.
Please read the attached file.
Your document is attached.
Encrypted message is available.
Protected message is attached.
Please confirm my request.
ESMTP [Secure Mail System #334]: Secure message is attached.
Partial message is available.
Waiting for a Response.
Please read the attachment.
First part of the secure mail is available.
For more details see the attachment.
For further details see the attachment.
Your requested mail has been attached.
Protected Mail System Test.
Secure Mail System Beta Test.
Forwarded message is available.
Delivered message is attached.
Encrypted message is available.
Please read the attachment to get the message.
Follow the instructions to read the message.
Please authenticate the secure message.
Protected message is attached.
Waiting for authentification.
Protected message is available.
Bad Gateway: The message has been attached.
SMTP: Please confirm the attached message.
You got a new message.
Now a new message is available.
New message is available.
You have received an extended message. Please read the instructions.
I noticed that you have visited illegal websites. See the name in the list!
You have visited illegal websites. I have a big list of the websites you surfed.
Your mail account is expired. See the details to reactivate it.
Your mail account has been closed. For further details see the document.
The file is protected with the password ghj001. I have attached your file.
Your password is jkl44563.
The sample file you sent contains a new virus version of mydoom.j. Please clean your system with the attached signature. Sincerly, Robert Ferrew
Greetings from france, your friend. Have a look at these.
Best wishes, your friend.
Congratulations!, your best friend.
I found this document about you. I cannot believe that.
Try this game ;-)
I hope the patch works.

The message may end with a forged notice claiming that the attachment has been scanned and found clean by an antivirus product. No gateway scanner was involved; the text is part of the worm's template, so a banner of this kind in the body proves nothing about the attachment:

+++ Attachment: No Virus found +++ MessageLabs AntiVirus - www.messagelabs.com
+++ Attachment: No Virus found +++ Bitdefender AntiVirus - www.bitdefender.com
+++ Attachment: No Virus found +++ MC-Afee AntiVirus - www.mcafee.com
+++ Attachment: No Virus found +++ Kaspersky AntiVirus - www.kaspersky.com
+++ Attachment: No Virus found +++ Panda AntiVirus - www.pandasoftware.com
++++ Attachment: No Virus found ++++ Norman AntiVirus - www.norman.com
++++ Attachment: No Virus found ++++ F-Secure AntiVirus - www.f-secure.com
++++ Attachment: No Virus found ++++ Norton AntiVirus - www.symantec.de

Attachment name:

There is a wide range of potential attachment names. The attached file often has a double extension: the first is .doc or .txt and the second is one of the following:

exe
pif
scr
zip

The worm is also able to send itself as a ZIP archive.

The worm does not send itself to addresses which contain any of the following substrings:

@antivi
@avp
@bitdefender
@fbi
@f-pro
@freeav
@f-secur
@kaspersky
@mcafee
@messagel
@microsof
@norman
@norton
@pandasof
@skynet
@sophos
@spam
@symantec
@viruslis
abuse@
noreply@
ntivir
reports@
spam@

Responders collecting samples should note this list: a mailbox such as abuse@ or one whose name contains "spam" will never receive a copy, so seed addresses set up to capture the worm should avoid these substrings.
The worm may send messages which carry the IFRAME exploit, in the same way that Klez.h and Swen did. When such a message is viewed in a vulnerable mail client, the archive file containing the worm is launched automatically, without the user opening the attachment.

Propagation via P2P

The worm creates multiple copies of itself in all subdirectories whose names contain any of the words from the following list:

bear
donkey
download
ftp
htdocs
http
icq
kazaa
lime
morpheus
mule
my shared folder
shar
shared files
upload

Files created by the worm will have names chosen from the following list:

Kazaa Lite 4.0 new.exe
Britney Spears Sexy archive.doc.exe
Kazaa new.exe
Britney Spears porn.jpg.exe
Harry Potter all e.book.doc.exe
Britney sex xxx.jpg.exe
Harry Potter 1-6 book.txt.exe
Britney Spears blowjob.jpg.exe
Harry Potter e book.doc.exe
Britney Spears cumshot.jpg.exe
Harry Potter.doc.exe
Britney Spears fuck.jpg.exe
Harry Potter game.exe
Britney Spears.jpg.exe
Harry Potter 5.mpg.exe
Britney Spears and Eminem porn.jpg.exe
Matrix.mpg.exe
Britney Spears Song text archive.doc.exe
Britney Spears full album.mp3.exe
Eminem.mp3.exe
Britney Spears.mp3.exe
Eminem Song text archive.doc.exe
Eminem Sexy archive.doc.exe
Eminem full album.mp3.exe
Eminem Spears porn.jpg.exe
Ringtones.mp3.exe
Eminem sex xxx.jpg.exe
Ringtones.doc.exe
Eminem blowjob.jpg.exe
Altkins Diet.doc.exe
Eminem Poster.jpg.exe
American Idol.doc.exe
Cloning.doc.exe
Saddam Hussein.jpg.exe
Arnold Schwarzenegger.jpg.exe
Windows 2003 crack.exe
Windows XP crack.exe
Adobe Photoshop 10 crack.exe
Microsoft WinXP Crack full.exe
Teen Porn 15.jpg.pif
Adobe Premiere 10.exe
Adobe Photoshop 10 full.exe
Best Matrix Screensaver new.scr
Porno Screensaver britney.scr
Dark Angels new.pif
XXX hardcore pics.jpg.exe
Microsoft Office 2003 Crack best.exe
Serials edition.txt.exe
Screensaver2.scr
Full album all.mp3.pif
Ahead Nero 8.exe
netsky source code.scr
E-Book Archive2.rtf.exe
Doom 3 release 2.exe
How to hack new.doc.exe
Learn Programming 2004.doc.exe
WinXP eBook newest.doc.exe
Win Longhorn re.exe
Dictionary English 2004 - France.doc.exe
RFC compilation.doc.exe
1001 Sex and more.rtf.exe
3D Studio Max 6 3dsmax.exe
Keygen 4 all new.exe
Windows 2000 Sourcecode.doc.exe
Norton Antivirus 2005 beta.exe
Gimp 1.8 Full with Key.exe
Partitionsmagic 10 beta.exe
Star Office 9.exe
Magix Video Deluxe 5 beta.exe
Clone DVD 6.exe
MS Service Pack 6.exe
ACDSee 10.exe
Visual Studio Net Crack all.exe
Cracks & Warez Archiv.exe
WinAmp 13 full.exe
DivX 8.0 final.exe
Opera 11.exe
Internet Explorer 9 setup.exe
Smashing the stack full.rtf.exe
Ulead Keygen 2004.exe
Lightwave 9 Update.exe
The Sims 4 beta.exe

Other

If the worm finds the values listed below under the system registry key [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run], it deletes them (they are the autorun entries of rival worms):

Explorer
system.
msgsvr32
winupd.exe
direct.exe
jijbl
service
Sentry
au.exe
d3dupdate.exe
OLE
gouday.exe
rate.exe
Taskmon
Windows Services Host
sysmon.exe
srate.exe
ssate.exe

It will also delete the values system. and Video from [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices], and the following keys created by I-Worm.Bagle:

HKLM\SYSTEM\CurrentControlSet\Services\WksPatch
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\PINF
HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
I-Worm.Netsky.r
Description I-Worm.Netsky.r
This worm spreads via the Internet as an attachment to infected messages. The worm itself is a Windows PE EXE file of approximately 26KB, packed using Petite and written in Microsoft Visual C++.

Characteristics of infected messages

Message header (subject; chosen at random from the list below, with the recipient's address also shown):

Deliver Mail
Delivered Message
Delivery
Delivery Bot
Delivery Error
Delivery Failed
Delivery Failure
Error
Failed
Failure
Mail Delivery failure
Mail Delivery System
Mail System
Server Error
Status
Unknown Exception

Message body (assembled from the list below):

Delivery Agent - Translation failed
Delivery Failure - Invalid mail specification
Mail Delivery - This mail couldn't be displayed
Mail Delivery Error - This mail contains unicode characters
Mail Delivery Failed - This mail couldn't be represented
Mail Delivery Failure - This mail couldn't be shown.
Mail Delivery System - This mail contains binary characters
Mail Transaction Failed - This mail couldn't be converted

Note:
Received message has been sent as a binary file.
Modified message has been sent as a binary attachment.
Received message has been sent as an encoded attachment.
Translated message has been attached.
Message has been sent as a binary attachment.
Received message has been attached.
Partial message is available and has been sent as a binary attachment.
The message has been sent as a binary attachment.

The body may also contain the following text, built from the recipient's own domain and local part so that the link looks like the recipient's webmail:

Or you can view the message at:
www.[recipient domain]/inmail/[recipient name]/mread.php?sessionid-[random value]

An example of how this text might appear in the message:

Or you can view the message at:
www.[kaspersky.com]/inmail/[test]/mread.php?sessionid-[4321]

Attachment name (chosen at random from the list below, followed by a random number and an extension):

data
mail
msg
message
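The message characteristics of NetSky.q (above) and Netsky.r (this entry) give a mail gateway several things to key on: an executable attachment, often with a double extension or wrapped in a ZIP; the forged "Attachment: No Virus found" banner; the mread.php?sessionid- link; and a bounce-style subject that arrives with an executable instead of a delivery-status part. The following triage routine is an added example, not code from the original page or from any product named on it. It generalises the page's extension lists slightly (com, bat and cmd are added to exe, pif and scr), and the three sample messages it parses are constructed to resemble the templates above, not captured worm traffic.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Final extensions the page lists (exe, pif, scr) plus other executable types (assumption)
EXEC_EXT = {"exe", "pif", "scr", "com", "bat", "cmd"}
# First extensions seen in the page's attachment and P2P file names
DOC_EXT = {"doc", "txt", "rtf", "jpg", "mp3", "mpg"}
FAKE_SCAN = re.compile(r"\+{3,}\s*Attachment: No Virus found\s*\+{3,}", re.I)
MREAD_LINK = re.compile(r"/inmail/[^/\s]+/mread\.php\?sessionid-\d+", re.I)
IFRAME_CID = re.compile(r"<iframe[^>]+src\s*=\s*[\"']?cid:", re.I)
BOUNCE_SUBJECT = re.compile(
    r"^(Deliver|Delivered|Delivery( Bot| Error| Failed| Failure)?|Error|Failed|Failure"
    r"|Mail Delivery( failure| System)?|Mail System|Server Error|Status|Unknown Exception)\b", re.I)

def classify_attachment(name, data=None):
    """Reasons for one attachment; ZIP contents are inspected one level deep."""
    reasons = []
    parts = name.lower().split(".")
    if parts[-1] in EXEC_EXT:
        reasons.append(f"executable attachment {name}")
        if len(parts) >= 3 and parts[-2] in DOC_EXT:
            reasons.append(f"double extension {name}")
    elif parts[-1] == "zip" and data is not None:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for inner in zf.namelist():
                    reasons += [f"inside {name}: {r}" for r in classify_attachment(inner)]
        except zipfile.BadZipFile:
            reasons.append(f"unreadable zip {name}")
    return reasons

def triage(raw: bytes):
    """Return the list of reasons a raw RFC 822 message looks like NetSky traffic."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons, text = [], ""
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename:
            reasons += classify_attachment(filename, part.get_payload(decode=True))
        elif part.get_content_type() == "text/plain":
            text += part.get_content()
        elif part.get_content_type() == "text/html" and IFRAME_CID.search(part.get_content()):
            reasons.append("IFRAME sourcing an attachment by Content-ID (Klez/Swen auto-launch trick)")
    if FAKE_SCAN.search(text):
        reasons.append("forged 'Attachment: No Virus found' banner in body")
    if MREAD_LINK.search(text):
        reasons.append("NetSky.r-style mread.php?sessionid- link in body")
    if BOUNCE_SUBJECT.match(msg.get("Subject", "")) and any("executable" in r for r in reasons):
        reasons.append("bounce-style subject carrying an executable (real DSNs attach message/delivery-status)")
    return reasons

def _zip_with(name, payload):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, payload)
    return buf.getvalue()

def build_samples():
    """Constructed messages modelled on the templates above; not real worm traffic."""
    q = EmailMessage()
    q["From"], q["To"], q["Subject"] = "alice@example.com", "bob@example.org", "Re: Your document"
    q.set_content("Your document is attached.\n\n+++ Attachment: No Virus found +++\n"
                  "Kaspersky AntiVirus - www.kaspersky.com\n")
    q.add_attachment(_zip_with("document.txt.exe", b"MZ constructed stub"),
                     maintype="application", subtype="zip", filename="details.zip")
    r = EmailMessage()
    r["From"], r["To"], r["Subject"] = "carol@example.net", "bob@example.org", "Delivery Failure"
    r.set_content("Mail Delivery Failure - This mail couldn't be shown.\n"
                  "Or you can view the message at:\n"
                  "www.example.org/inmail/bob/mread.php?sessionid-4321\n")
    r.add_attachment(b"MZ constructed stub", maintype="application",
                     subtype="octet-stream", filename="message4821.pif")
    clean = EmailMessage()
    clean["From"], clean["To"], clean["Subject"] = "dave@example.com", "bob@example.org", "Notes"
    clean.set_content("Meeting notes attached.\n")
    clean.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                         subtype="pdf", filename="notes.pdf")
    return {"netsky_q": q.as_bytes(), "netsky_r": r.as_bytes(), "clean": clean.as_bytes()}

SAMPLES = build_samples()

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, triage(raw) or ["clean"])
```

The bounce rule is the one worth keeping beyond this worm family: a genuine delivery-status notification from a mailer carries a message/delivery-status part and the original headers, never a .pif or .exe, so that combination can be rejected outright rather than scored.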
The worm is activated when the user double-clicks the attachment and launches the infected file. The worm may also send messages which exploit a vulnerability in the processing of MIME headers, described in Microsoft Security Bulletin MS01-020; on an unpatched mail client the attachment runs when the message is merely viewed. The worm then installs itself on the system and starts propagating.

Installation

When installing, the worm copies itself under the name SysMonXP.exe to the Windows directory and registers this file in the system registry, which ensures that the file is launched each time the system is started:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"SysMonXP" = "%windir%\SysMonXP.exe"

It extracts a file named firewalllogger.txt from itself and writes it to the Windows directory. When launched, the worm may open WordPad and load a file named tmp.eml into it. It creates the mutex "_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_" to flag its presence in the system; this prevents more than one copy of the worm from running.

The worm may also install additional copies of itself under the following names:

base64.tmp
zippedbase64.tmp
zipo0.txt
zipo1.txt
zipo2.txt
zipo3.txt

Mass mailing

The worm searches for files with the extensions listed below:

a ad adb as asp c cf cfg cg cgi d db dbx dh dht dhtm do doc e em eml h ht htm html j js jsp m mb mbx md mdx mh mht mm mmf ms msg n nc nch o od ods of oftp ph php pl pp ppt r rt rtf s sh sht shtm st stm t tb tbb tx txt u ui uin v vb vbs w wa wab ws wsh x xl xls xm xml

and harvests email addresses from them to send messages to. The worm uses its own SMTP library to send messages.

Other

The worm deletes the following values from the Windows system registry (autorun entries used by rival worms):

Explorer
system.
msgsvr32
au.exe
winupd.exe
direct.exe
jijbl
Video
service
DELETE ME
d3dupdate.exe
OLE
Sentry
gouday.exe
rate.exe
Taskmon
Windows Services Host
sysmon.exe
srate.exe
ssate.exe
Microsoft IE Execute shell
Winsock2 driver
ICM version
yeahdude.exe
Microsoft System Checkup

If the system date matches a hard-coded trigger date (not given in this description), the worm conducts DDoS attacks on the following sites:

www.edonkey2000.com
www.kazaa.com
www.emule-project.net
www.cracks.am
www.cracks.st