Virus Database

Pdp Family

Description Pdp Family

These are very dangerous memory resident parasitic viruses. They hook int 21h and infects COM and EXE files that are accessed ("Pdp.822" infects COM files only). Being executed these viruses try to infect C:COMMAND.COM file. They contains the text strings:
PDP11
C:COMMAND.COM
AID,VIR,DINF,CHK,TEST,AUR,PAV,NAV,-V,SENT,ASM,SCAN,LEAN,ANT,SAFE,BOOT,STRA,

The last string contains the names of the programs that are deleted by the virus when they are executed.

Check other viruses! Be aware! Use Antiviral Software

I-Worm.Masana

Description I-Worm.Masana

I-Worm.Masana is a worm virus spreading via the Internet as an attachment to infected emails. The worm itself is a Windows PE EXE file about 107Kb in size - ASPack compresses it, the decompressed size is about 138Kb, written in Delphi.
Infected messages contain the following:

Another variant is the same subject and body as above but in Russian.

The worm activates from infected email only when a user clicks on the attached file. The worm then installs itself into the system, runs its spreading routine and payload.
The worm has bugs in its code; as a result some of its routines don't work.
Installing
While installing the worm copies itself into the Windows system directory with under the msys32.exe name and registers this file in the system registry (under Windows NT) or in the SYSTEM.INI (under Windows 9x) auto-run keys:
SYSTEM.INI
[boot]
shell=Explorer.exe msys32.exe -dontrunold

HKLMSoftwareMicrosoftWindowsCurrentVersionRun

Run as Administrator

Under Windows NT systems the worm gains Admin privileges. To do this the worm uses a breach in Windows NT security (so-called DepPloit exploit).
The Masana worm creates two additional files on disk that manage the exploit:

ERunAsX.exe
ERunAsX.dll

The worm then creates another copy of itself under the name EEXPLORER.EXE name and by using DepPLoit exploit starts this copy with administrator rights.
Spreading
To send infected messages the worm uses Windows MAPI functions.
To get victim email addresses Masana:

looks for *.HTM* files and extracts email-like strings
by using Windows MAPI functions it reads all unread messages from the Inbox and answers them.
Each time Masana is run it also sends infected message to the masyana@nm.ru address. This message looks as follows:
Subject: Masyanya!
Body: gygygy!
Attach: Masyanya.exe

Payload
On Mondays the worm starts a DoS (Denial of Service) attack on kavkaz.org.
Other
This worm also:

disables the MS Outlook Express 5.0 MAPISendMail warning.
adds to the system the user named masyanechkaa with Admin privileges (under Windows NT) I-Worm.Masana also contains the text string:

I-Worm.Masyanya v1.0 8) Just a hello-world wormall
The worm also creates an additional registry key that indicates the system is already infected:

HKCUEnvironmentID = 1

I-Worm.Matcher

Description I-Worm.Matcher

This is an Internet worm spreading via e-mail attached as an EXE file. The worm itself is a Win32 executable file about 30Kb in length, written in Visual Basic.
The worm seems to be based on the "Melissa" macro-virus worm - the functions and sequence of instructions in the worm code are very similar to the "Melissa" source code. It seems that this worm was compiled from a slightly modified "Melissa" source.
When the worm EXE file is being run from an attachment, it sends infected messages and registers itself in a system to run each time Windows starts up.
To spread from an infected computer, the worm uses MS Outlook by obtaining addresses from the MS Outlook Address Book and sends messages there.
The message Subject, Body and Attachment appear follows:
Subject: Matcher
Body: Want to find your love mates!!! Try this its coolall Looks and Attitude Maching to opposite sex.
Attach: matcher.exe

To install into a system, the worm copies itself to the Windows system directory with the MATCHER.EXE name, and registers this file in the Windows registry auto-run section:
HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun
%SystemDir%matcher.exe
where %SystemDir% is the name of the Windows system directory.
The worm also adds to the end of C:AUTOEXEC.BAT the commands:
@echo off
echo from: Bugger
pause
These commands display the "from: Bugger" message when system is booting up and processes the AUTOEXEC.BAT.

Home