PeaceKeeper
Description PeaceKeeper
It is a dangerous memory-resident parasitic polymorphic virus. It hooks INT 13h and INT 21h and writes itself to the end of COM and EXE files when they are executed. While infecting a COM file, the virus inserts several pieces of junk code into the file; these pass control from one to the next, starting with the first, until the virus body decryptor is reached (see the "Bomber" virus). By hooking INT 13h, the virus randomly disables writing to disk (data can be lost). It also randomly overwrites disk sectors with a program that displays:
Peace-Keeper Virus V2.10 Written by Doctor Revenge 18-May-1994 , Italy
It contains the text strings: EXECOMSCCLVIVSMSCPF-IMVHTB [MCG v0.31ß]
The first string is used when the virus infects files: it checks the file name extension against the COMEXE string, and does not infect files whose names begin with any of the two-letter pairs in the rest of the string (two letters per name: SC*.*, CL*.* and so on).
I-Worm.Kadra
Description I-Worm.Kadra
This is a Win32 PE EXE worm that spreads in e-mail messages using a system's default MAPI client. When started, it copies itself to %WINDOWS%\Win32Dlw.EXE and %SYSTEM%\Win32Exp.EXE, then writes the following key to the registry to start automatically with Windows:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
RunExplorer=%SYSTEM%\Win32Exp.EXE
If the current month is September, the worm draws the following message on the screen:
Kad sve izgleda da umire,allono se ustvari radja!
Then, the worm shows a message box with a '...' title and the following text:
Moja jutra su sve jasnija, Moja snaga je prodornija, Moje rijeci silno odjekuj Moj mac je ostriji, Moje noci su sve hladnije. ...ali dan je blizi kad ce ljudi shvatiti da su samo, i nista drugo nego ono sto sam i JA!
After displaying a message, the worm does nothing for 2 minutes, and then sends itself to all senders of e-mail messages stored in the default MAPI client inbox. All messages sent by the worm have the following properties:
Message subject is: Bin Ladenov zivot.
File attached: Bin Ladenov Zivot.exe
Message body: Ako jos do sada niste znali ko je Bin Laden onda vjerovatno cete naci ovaj dokument interesantnim u kojem je prikazano nekoliko vaznih momenata u, u njegovom zivotu, cak dok je jos radio pri CIA!
I-Worm.Kelino
Description I-Worm.Kelino
This worm spreads via the Internet as an attachment to infected e-mail messages. The worm itself is a Windows PE EXE file about 12Kb long, written in Assembler. The infected messages carry different data depending on the worm version:
From (two variants): "Microsoft Support" "Microsoft HelpBoard"
Subject: Support
Message Body (first variant):
During the last time, many bugs were found in our software. Because of our product philosophie, we want to give our custumers as much security as possible. So we decided to send out to all known Microsoft custumers the NetBios patch Version 1.0 . This patch will fix all the known and possibly unknown bugs and securityholes on port 137 and 139 . The patch is completly free and easy to install. Our patch will install itself after starting and run as background process. After a successfull installation you should get an OK message box. Thanx for using Microsoft products.
Your Microsoft Support Team
Body (second variant):
During the last time, some bugs were found in our software. Because of our product philosophy, we want to give our customers as much security as possible. So, we decided to send out to all known Microsoft custumers the Security patch Version 1.0 . This patch will fix all the bugs and securityholes on port 137 and 139 . The patch is completly free and easy to install. Our patch will install itself after starting and run as background process. After a successfull installation you should get a confirmation message box. Thank you for using Microsoft products. Your Microsoft Support Team
Attachment: netbiospatch10.exe secpatch10.exe
The worm activates from an infected e-mail only if the user clicks on the attached file. The worm then installs itself to the system and runs its spreading routine and payload.
Installing
While installing, the worm copies itself to the Windows directory under one of the following names (depending on the worm version):
netbiospatch10.exe
secpatch10.exe
and registers its copy in the system registry auto-run key (depending on the worm version):
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
netpatch = netbiospatch10.exe
secpatch = secpatch10.exe
The worm then displays a fake error message: KERNEL32 ERROR Couldn't execute frame buffer!
Spreading
To send infected messages, the worm gets e-mail addresses from the WAB database and connects to the default SMTP server. The worm also sends a notification message with an empty body to its author:
From: "Kelaino"
To: kelaino@freenet.de
Subject: Slave Message
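The message properties listed for I-Worm.Kadra and I-Worm.Kelino can be checked on a mail gateway or in a mailbox export. The following is an added example, not part of the original descriptions: it parses a raw message and reports which worm's attachment name it carries and whether the subject also matches. The sample message and its addresses are constructed, and comparing subjects with trailing periods stripped is an assumption.

```python
from email import message_from_string
from typing import Optional, Tuple

# Subject and attachment names from the descriptions above, lower-cased.
# Assumption: a trailing "." in the subject is ignored when comparing.
INDICATORS = {
    "I-Worm.Kadra": ("bin ladenov zivot", {"bin ladenov zivot.exe"}),
    "I-Worm.Kelino": ("support", {"netbiospatch10.exe", "secpatch10.exe"}),
}

# Constructed sample message (addresses and payload are placeholders).
SAMPLE = """\
From: "Microsoft Support" <support@example.invalid>
To: user@example.invalid
Subject: Support
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

(body omitted)
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="netbiospatch10.exe"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

def match_worm(raw: str) -> Optional[Tuple[str, bool]]:
    """Return (worm name, subject_also_matches) or None.

    The attachment file name is the required indicator; the subject only
    raises confidence, because "Support" alone is far too common.
    """
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip().rstrip(".").lower()
    names = set()
    for part in msg.walk():          # visits every MIME part, nested ones too
        fname = part.get_filename()  # None for parts without a file name
        if fname:
            names.add(fname.strip().lower())
    for worm, (subj, files) in INDICATORS.items():
        if names & files:
            return worm, subject == subj
    return None

if __name__ == "__main__":
    print(match_worm(SAMPLE))
```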