Virus Database

Poppy family

Description Poppy family

Poppy.513
It is a harmless memory resident parasitic virus. It copies itself to the Interrupt Vectors Table, hooks INT 21h and writes itself to the end of COM and EXE files that are executed. The virus contains the text string:
STRONG.POPPY by VicodinES greetz to Klonopin.Jones

Poppy.535
It is a harmless memory resident parasitic virus. It hooks INT 21h and writes itself to the end of COM files that are executed. The virus does not manifest itself in any way, it contains the text strings:
VicodinES
Target.Poppy
Life is hard when your target is the poppy :)

Check other viruses! Be aware! Use Antiviral Software

I-Worm.Myba

Description I-Worm.Myba

This is an Internet-worm spreading via e-mail, sending infected messages from infected computers. While spreading, the worm uses MS Outlook and sends itself to all addresses that are stored in the MS Outlook Address Book.
The worm itself is a Win32 application written in VisualBasic. The worm code seems to be based on the "I-Worm.LoveLetter" VBS worm (the worm's routines and their names look very similar to "Loveletter" ones), and its seems that this worm was created by adapting "Loveletter" VBS source to VisualBasic language.
When run (if a user clicks on an attached infected file), the worm sends its copies by e-mail, installs itself into the system and performs destructive actions.
The worm sends itself as e-mail messages with an attached EXE file, that is the worm itself.

The message appears a follows:
The Subject: My baby pic !!!
Message body: Its my animated baby picture !!
Attached file name: mybabypic.exe
Upon being activated by a user (by double clicking on an attached file), the worm opens MS Outlook, gains access to the Address Book, obtains all addresses from there and sends messages with its attached copy to all of them. The message subject, body and attached file name are the same as above.
The worm also installs itself into the system. It creates its copies in the Windows system directory with the following names:
WINKERNEL32.EXE, MYBABYPIC.EXE, WIN32DLL.EXE, CMD.EXE, COMMAND.EXE
and registers in the Windows auto-run section in the system registry:
HKLMSoftwareMicrosoftWindowsCurrentVersionRunmybabypic = %WinSystem%mybabypic.exe
HKLMSoftwareMicrosoftWindowsCurrentVersionRunWINKernel32 = %WinSystem%WINKernel32.exe
HKLMSoftwareMicrosoftWindowsCurrentVersionRunServices = %WinSystem%Win32DLL.exe
where %WinSystem% is the Windows system directory. As a result, the worm is re-activated each time Windows is booted up.
The worm also creates the following registry key:
HKCUSoftwareBugger
Default = HACK[2K]
mailed = %number%
where %number% is a number from 0 to 3 and depends on the process the worm is currently performing or has finished: installing, spreading, activating its payload routine.
The payload routine is rather large. Depending on the system date and time, the worm:
switches on/off NumLock, CapLock and ScrollLock keys
sends to keyboard buffer the following message:

.IM_BESIDES_YOU_
connects the http://www.youvebeenhack.com site and sends one of the texts to there:

FROM BUGGER
HAPPY VALENTINES DAY FROM BUGGER
HAPPY HALLOWEEN FROM BUGGER
The worm also corrupts and/or affects other files. It scans subdirectory trees on all available drives, lists all files there and depending on filename extension, performs one of the following actions:
VBS, VBE: the worm destroys these files' contents.
JS, JSE, CSS, WSH, SCT, HTA, PBL, CPP, PAS, C, H: the worm creates a new file with an original filename plus the ".EXE" extension, and copies its body to there, and then deletes the original file; i.e., the worm overwrites these files with its code and renames them with ann EXE extension. For example, "TEST.CPP" becomes "TEST.EXE".
JPG, JPEG: the worm does the same as above, but adds an ".EXE" extension to the full file name (does not rename to ".EXE"). For example, "PIC1.JPG" becomes "PIC1.JPG.EXE".
MP2, MP3, M3U: the worm creates a new file with an ".EXE" extension (for "SONG.MP2", the worm creates the "SONG.MP2.EXE" file), writes its code to there and sets the file attribute "hidden" for the original file.

I-Worm.Mydoom.a

Description I-Worm.Mydoom.a
Also known as Novarg.
This worm spreads via the Internet in the form of files attached to infected messages. It also spreads via the file sharing network Kazaa. The worm itself is a Windows PE EXE file of 22528 bytes, compressed using UPX. The decompressed file is approximately 40KB in size.
The worm is activated only if the user opens the archive and launches the infected file by double-clicking on the attachment. The worm then installs itself in the system and starts the replication process.
The worm contains a backdoor function, and is also programmed to carry out DoS attacks on the site www.sco.com on 1st February 2004.
Part of the body of the worm is encrypted.
Installation
Following launch, the worm opens Windows Notepad, showing a random selection of symbols:

During installation, the worm copies itself under the name taskmon.exe to the Windows system directory, and registers this file in the system registry auto-run key:
[HKLMSoftwareMicrosoftWindowsCurrentVersionRun]
[HKCUSoftwareMicrosoftWindowsCurrentVersionRun]
"TaskMon" = "%System% askmon.exe"
The worm creates a file shimgapi.dll in the Windows system directory which is a backdoor component (a proxy server) and also registers this in the system registry:
[HKCRCLSID{E6FB5E20-DE35-11CF-9C87-00AA005127ED}InProcServer32]
"(Default)" = "%SysDir%shimgapi.dll"
Shimgapi.dll will therefore launch as a procedure linked to Explorer.exe.
The worm also creates a file called Message in the temporary directory (usually in windir emp). This file contains a random selection of symbols.
So that the worm can identify itself in the system, it creates several additional keys in the system registry:
[HKLMSoftwareMicrosoftWindowsCurrentVersionExplorerComDlg32Version]
[HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerComDlg32Version]
While running it also creates a unique identifier SwebSipxSmtxSO.
Mailing of messages
When sending infected messages the worm uses its own SMTP engine. The worm attempts to connect directly to the recipient mail server.
In order to find email addresses to send infected messages to, the worm searches for files with the following extensions:
asp
dbx
tbb
htm
sht
php
adb
pl
wab
txt
and gathers email addresses found in these files. The worm ignores addresses with the suffix .edu.
Infected messages have the following characteristics:

Sender's address:
random
Message header: (chosen at random from the following list)
test
hi
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Error
Message body: (chosen at random from the following list)
test

The message cannot be represented in 7-bit ASCII encoding
and has been sent as a binary attachment.

The message contains Unicode characters and has been sent
as a binary attachment.

Mail transaction failed. Partial message is available.
Attachment name: (may be one word from the list below, or two words from the list below joined by an underscore)
document
readme
doc
text
file
data
test
message
body
The attachment may have one of the following extensions:
pif
scr
exe
cmd
bat
The worm may also send messages with a meaningless selection of characters in the message head, message body or attachment name.
Replication via P2P
The worm checks for the presence of a Kazaa client on the computer and copies itself to the file-sharing directory under the following names:
winamp5
icq2004-final
activation_crack
strip-girl-2.0bdcom_patches
rootkitXP
office_crack
nuke2004
with the following extensions:
bat
exe
scr
pif
Other
Shimgapi.dll is a proxy-server; the worm opens a TCP port between 3127 and 3198 on the infected machine in order to receive commands. The backdoor function allows the creator of the worm to gain full access to the system. In addition to this, the backdoor can execute random files downloaded from the Internet.
The worm also contains a function which enables it to carry out DoS attacks on the site www.sco.com. This function should activate on the 1st February and continue to work until 12th Febuary 2004. The worm will send a GET request every millisecond to port 80 of the site being attacked, which under the conditions of a global epidemic may lead to total breakdown of the site.

Home