Virus Database


Pro-Alife.3423

Description Pro-Alife.3423

It is a dangerous memory resident parasitic virus. It hooks INT 21h and writes itself to the end of EXE files that are executed. When a program is terminated, it displays one of the messages:
Kill an evil satanic ANTI-VIRAL product for Jesus today!
Stop Disinfectants NOW!
Ain't aLife A Beautiful Choice?
And God Said, "Let There Be Life!", and there wasall..
Save the Viruses! They're People Too!!!!
PRO-aLIFE and PROUD! STOP THE VIRUS KILLERS! HALT THE AV!
STORM THE COMPU-CLINICS! DON'T LET THEM KILL THE VIRUSES!!!
Operation Rescue-II, Save the HELPLESS UNBORN Viruses!!!

When the anti-virus programs are executed:
F-PROT.EXE TBSCAN.EXE TBAV.EXE TBCLEAN.EXE SCAN.EXE CLEAN.EXE VIRSTOP.EXE
MSAV.EXE VSAFE.EXE CPAV.EXE FSP.EXE VDEFEND.EXE

the virus overwrites them with a trojan program which, when executed, displays:
Eddie Lives, Somewhere in time! ____________ 1704 Jerusalem
Casino :( ;( =( Smeg off! _____ ____ Frodo Lives! APRIL FOOLS!
Get a late pass! Datacrime _______________ Brain Void-Poem
Your PC is now STONED! __ OO _____ O _ Copy me, I want to travel!
1,000,000,000 Viruses DIED Today!
And yesterday, and more will die tomorrow!
_/\_STOP THE KILLING!_/\_
Look What You're Doing To Them!
Below is an aborted virus... Support PRO-aLIFE Activism!
This program has been TERMINATED by the Virus Survival Underground Movement.
It had long stood as a horrible BABY VIRUS KILLER, and had to be removed.
Life, What a Beautiful Choice (tm).
--==___[OPERATION RESCUE II - SAVING THE BABY VIRUSES!]___==--
Thank you for choosing life over destruction.
Have a Nice Day (tm).

"Pro-Alife.3423.b" displays the messages:
THE PREDATOR presents the J.TTPOG Virus (c) 1996 SWEDEN!!!!!
THE PREDATOR presents the _ _ _
J.TTPOG VIRUS (c) 1996/03/15 _ _ _
SWEDEN _____ _
And says _ _ _ _ _ _


I-Worm.Mimail.p

Description I-Worm.Mimail.p

This worm spreads via the Internet in the form of files attached to infected messages.
The worm is a Windows PE EXE file of 57888 bytes.
Contents of infected messages:
Sender:
donotreply@paypal.com
Message header:
"GREAT NEW YEAR OFFER FROM PAYPAL.COM!"
Message text:
*** GREAT NEW YEAR OFFER FROM PAYPAL.COM ***


Dear PayPal.com Member,

We here at PayPal.com are pleased to announce that we have a special New Year offer for you! If you currently have an account with PayPal then you will be eligible to receive a terrific prize from PayPal.com for the New Year. For a limited time only PayPal is offering to add 10% of the total balance in your PayPal account to your account and all you have to do is register yourself within the next five business days with our application (see attachment)!

If at this time you do not have a PayPal account of your own you can also register yourself with our secure application and get this great New Year bonus! If you fill out the secure form we have provided PayPal will create an account for you (it's free) and you will receive a confirmation e-mail that your account has been created.

That's not all! If you resend this letter (with its attachment) to all of your friends you may be eligible to receive another New Year bonus because the 1000 PayPal members that send the most of these to their friends will get the bonus. If you are one of these 1000 lucky members then PayPal will add 17% of your total balance to your account!

Registration is simple. Just unpack the attachment with WinZip, run the application, and follow the instructions we have provided. If you have problems opening the application then you may want to try downloading a free version of WinZip from http://www.winzip.com

Do not miss your chance at this fantastic opportunity! Thousands of our current customers have already received their prizes and now it's your turn; so hurry up and take advantage of this special offer!

Best of luck in the New Year,
PayPal.com Team
Attachment name:
pp-app.zip
The worm is activated only when the user opens the archive and runs the infected file. When this is done, the worm installs itself to the system, and begins replicating.
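A mail-gateway check for the lure described above, written as an added example (not code from Virus-Database.com). The sender address, subject line and attachment name are the ones given in the description; the sample messages are constructed here, and the ZIP attachment holds a harmless placeholder with an assumed inner file name, not the worm. Beyond the exact indicators, it also applies the generic rule that an executable delivered inside a ZIP attachment is enough on its own to quarantine a message.

```python
"""Mail-gateway check for the Mimail.p lure (added example, not the page's own code)."""
import io
import re
import zipfile
import email
from email import policy
from email.message import EmailMessage

# Indicators copied from the description of I-Worm.Mimail.p.
LURE_SENDER = "donotreply@paypal.com"
LURE_SUBJECT = re.compile(r"GREAT NEW YEAR OFFER FROM PAYPAL\.COM", re.IGNORECASE)
LURE_ATTACHMENT = "pp-app.zip"
# Generic rule that also catches renamed copies of the lure: executables
# delivered directly or inside a ZIP attachment.
EXECUTABLE_EXT = (".exe", ".pif", ".scr", ".com", ".bat")


def inspect_message(raw: str) -> list[str]:
    """Return the reasons a message should be quarantined (empty list if none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits: list[str] = []

    sender = msg.get("From", "")
    if LURE_SENDER in sender.lower():
        hits.append(f"sender matches Mimail.p lure: {sender}")

    subject = msg.get("Subject", "")
    if LURE_SUBJECT.search(subject):
        hits.append(f"subject matches Mimail.p lure: {subject}")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name == LURE_ATTACHMENT:
            hits.append(f"attachment name matches Mimail.p lure: {name}")
        if name.endswith(EXECUTABLE_EXT):
            hits.append(f"executable attachment: {name}")
        # Look inside ZIP attachments for executables, whatever the archive is called.
        data = part.get_payload(decode=True) or b""
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                inner = [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_EXT)]
        except zipfile.BadZipFile:
            inner = []
        if inner:
            hits.append(f"archive {name} contains executable(s): {', '.join(inner)}")
    return hits


def build_sample_message(lure: bool = True) -> str:
    """Construct a raw RFC 5322 message: the Mimail.p lure, or a benign control."""
    msg = EmailMessage()
    if not lure:
        msg["From"] = "colleague@example.com"
        msg["To"] = "user@example.com"
        msg["Subject"] = "Meeting notes"
        msg.set_content("Notes from today's meeting are in the wiki.")
        return msg.as_string()

    msg["From"] = LURE_SENDER
    msg["To"] = "user@example.com"
    msg["Subject"] = "GREAT NEW YEAR OFFER FROM PAYPAL.COM!"
    msg.set_content("Just unpack the attachment with WinZip, run the application, "
                    "and follow the instructions we have provided.")
    # Constructed stand-in ZIP: the inner file name is assumed and the bytes are a
    # harmless placeholder, not the 57888-byte worm.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pp-app.exe", b"MZ placeholder - not executable code")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename=LURE_ATTACHMENT)
    return msg.as_string()


if __name__ == "__main__":
    for reason in inspect_message(build_sample_message()):
        print("QUARANTINE:", reason)
    print("benign message hits:", inspect_message(build_sample_message(lure=False)))
```

The lure message trips four rules (sender, subject, attachment name, executable inside the archive); the benign control trips none. The archive check is the one worth keeping after the specific indicators have aged out.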
Installation
The worm copies itself to the Windows system directory under the name 'Winmgr.32.exe' and registers this file in the system registry auto-run key:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"WinMgr32" = "%Windir%\winmgr32.exe"
In the C: root directory the worm creates the following files: "index.hta", "index2.hta", "tmpcan3.txt" and "tmpny3.txt" which are used by the dialogue boxes.
The worm also creates the files
zipzip.tmp
ee98af.tmp
in the Windows directory.
How the worm sends mail
To send infected messages the worm uses its own SMTP library. In order to send messages directly to the recipient's SMTP server, the worm uses the DNS server 212.5.86.163.
To find email addresses to send messages to, the worm looks for address lines which contain the following suffixes:
.ca
.au
.uk
.us
.edu
.gov
.mil
.de
.it
.ru
.fr
.info
.org
.net
.com
@email.msn.com
@prodigy.net
@safe-mail.net
@excite.com
@zwallet.com
@erols.com
@bigpond.com
@usa.net
@bigfoot.com
@bellsouth.net
@attglobal.net
@att.net
@attbi.com
@email.it
@lycos.com
@sbcglobal.net
@shaw.ca
@themail.com
@verizon.net
@yahoo.com
@msn.com
@mail.com
@hotmail.com
@earthlink.net
@aol.com
but does not search for addresses in files with the following extensions: jpg, gif, exe, dll, avi, mpg, mp3, vxd, ocx, psd, tif, zip, rar, pdf, cab, wav, com.
Other information:
When executed, the worm displays a dialogue box on screen which asks for PayPal credit card details. Data entered is stored in 'c:\tmpny3.txt' and is then sent on to the author of the worm.

The worm opens port 5555 to listen for commands.
In a similar way to Mimail.a, Mimail.b and Mimail.c, the worm is able to steal information from E-Gold users. The worm also sends its author the following information about the infected system:
Account Name
POP3 Password2
POP3 Server
POP3 User Name
NNTP Server
NNTP User Name
SMTP Server
SMTP Display Name
SMTP Email Address
SMTP Organization Name
RAS Information
INETCOMM Server Passwords
The worm changes the home page in Internet Explorer to a link containing pictures of George Bush: http://www.anvari.org/db/fun/World_Trade_Center/Bush_Monkey.jpg.

I-Worm.Mimail.q

Description I-Worm.Mimail.q
This is an encoded email worm from the Mimail family. It spreads via the Internet in the form of files attached to infected messages. Mimail.q has 2 components: a dropper and the worm itself. The dropper file has a unique encryption key in every message.
Dropper
The dropper is a Windows PE EXE file of approximately 32KB. It contains the main component of the worm, a file named 'outlook.exe' in compressed form.
On launching, the following fake error message is displayed:

The program copies itself to the Windows directory under the name sys32.exe and registers this file as a key in the system registry to enable auto-run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"System" = "%Windir%\sys32.exe"
The program then extracts the file outlook.exe, the main component of the worm, to the Windows directory. The dropper encodes its body when launched, and the key does not change within a Windows session, so all attachments sent from the computer during the current session are identical. After Windows has been restarted, the encryption key changes to a new one.
Main component
This is a Windows PE EXE file of approximately 50KB. It sends the dropper via email, contains a backdoor function, and is able to steal information.
It creates a number of keys in the Windows system registry, in order to identify its own presence in the computer:
Software\Microsoft\Windows\CurrentVersion\Explorer
Explorer2
Explorer3
Explorer4
Explorer5
Explorer
When searching for email addresses to send infected messages to, the worm does not scan files with the following extensions: .com, .wav, .cab, .pdf, .rar, .zip, .tif, .psd, .ocx, .vxd, .mp3, .mpg, .avi, .dll, .exe, .gif, .jpg and .bmp. Email addresses found in other files are saved to the file outlook32.cfg, and infected messages are sent to these addresses. The contents of infected messages vary, being composed from a range of parameters, e.g.

Sender's address:
[random]
Message header:
very cool picture only for you
Message body:
Good evening my dearest [random name],
I wondered
My brother had best sex I ever seen last night togather with the boss of [random name] %-)
I switched on my samsung camera and make excellent images!
Please don't show pictures to your bro, okay?
or another example:
Message header:
sexy photo
Message body:
Good evening Lora
I shocked
My brother had best sex last evening with the sister of Jim %-)))
But I turned on panasonic cam and create good pictures %-)
And do not show photos anybody else, I trust you.
Attachment name:
prv_photos.gif.pif (random)
Size of attachment:
32KB
The worm uses its own SMTP engine to send infected messages. To send messages directly to the recipient's SMTP server, the worm uses the DNS server 212.5.86.163, as does Mimail.p.
Other
The worm has a backdoor function, which opens TCP port 667 to receive commands.
It launches the command shell cmd.exe on port 3000 in order to receive and execute commands.
It attempts to open ports 80, 1433, and 1434, and if these attempts are successful, it sends information to:
advokat_2000@mail15.com
with the messages:
mssql2 open
and
mssql open
It also attempts to connect to www.google.com and if this attempt is successful, it sends information to:
hodorkovsky@mail15.com
avp@mail15.com
Additionally, if a connection to www.google.com is established, the worm launches the function which enables it to steal information from PayPal users, in exactly the same way as I-Worm.Mimail.p does. Information gathered is sent to the following addresses:
kaspersky_av@mail15.com
kasperskyeee@mail15.com
kaspersky_av@hotbox.ru
kaspersky_eee@pochta.ru
Eugene.Kaspersky@gmx.net
boris@berezovsky.cjb.net
just-for-fun@ziplip.com
In exactly the same way as Mimail.a, Mimail.b, Mimail.c and Mimail.p, the worm is able to steal user information from users of the E-Gold payment system.
The information gathered is saved in c:\tmpgld.txt and sent to addresses from the list below:
E.Kaspersky@gmx.net
kaspersky_eugene@hotbox.ru
kaspersky_eugene@mail15.com
eugene@kaspersky.com
The worm also contains the following text:
*** GLOBAL WARNING: if any free email company or hosting company will close/filter my email/site accounts, it will be DDoS'ed in next version. WARNING: centrum.cz will be DDoS'ed in next versions, coz they have closed my mimail-email account. Who next? ***
visit our friendly site www.blackgate.us
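A host-snapshot check against the indicators given in both the Mimail.p and Mimail.q descriptions above, written as an added example (not code from Virus-Database.com). The registry values, dropped file names, listening ports and the DNS server address are taken from the two descriptions; the HostSnapshot structure, the way a snapshot would be collected, and the sample snapshots are constructed here.

```python
"""Match a host snapshot against the Mimail.p / Mimail.q indicators (added example)."""
from dataclasses import dataclass

RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
# Auto-run value name -> (expected file name, family), from the descriptions.
RUN_VALUES = {
    "winmgr32": ("winmgr32.exe", "Mimail.p"),
    "system": ("sys32.exe", "Mimail.q"),
}
# Files the two variants drop; %windir% is expanded against the snapshot.
DROPPED_FILES = {
    "Mimail.p": [r"c:\index.hta", r"c:\index2.hta", r"c:\tmpcan3.txt",
                 r"c:\tmpny3.txt", r"%windir%\zipzip.tmp", r"%windir%\ee98af.tmp",
                 r"%windir%\winmgr32.exe"],
    "Mimail.q": [r"%windir%\sys32.exe", r"%windir%\outlook.exe",
                 r"%windir%\outlook32.cfg", r"c:\tmpgld.txt"],
}
LISTEN_PORTS = {5555: "Mimail.p backdoor", 667: "Mimail.q backdoor",
                3000: "Mimail.q cmd.exe shell"}
DNS_SERVER = "212.5.86.163"   # used by both variants for direct-to-MX delivery


@dataclass
class HostSnapshot:
    """Constructed view of a host; a real collector would fill this from the OS."""
    windir: str            # e.g. r"c:\windows"
    run_values: dict       # value name -> data under RUN_KEY
    files: set             # full paths present on disk
    listening_tcp: set     # TCP ports in LISTEN state
    dns_servers: set       # resolvers configured on the host


def match_indicators(snap: HostSnapshot) -> list[str]:
    """Return one line per matched indicator, tagged with the family it belongs to."""
    hits: list[str] = []
    for name, data in snap.run_values.items():
        expected = RUN_VALUES.get(name.lower())
        if expected and data.lower().endswith(expected[0]):
            hits.append(f"{expected[1]}: {RUN_KEY}\\{name} = {data}")
    present = {p.lower() for p in snap.files}
    for family, paths in DROPPED_FILES.items():
        for p in paths:
            full = p.replace("%windir%", snap.windir.lower())
            if full in present:
                hits.append(f"{family}: file {full}")
    for port in sorted(snap.listening_tcp):
        if port in LISTEN_PORTS:
            hits.append(f"{LISTEN_PORTS[port]}: TCP port {port} listening")
    if DNS_SERVER in snap.dns_servers:
        hits.append(f"Mimail.p/q: DNS server {DNS_SERVER} configured")
    return hits


def infected_sample() -> HostSnapshot:
    """Constructed snapshot of a host carrying Mimail.p traces (ctfmon.exe is a benign filler)."""
    return HostSnapshot(
        windir=r"c:\windows",
        run_values={"WinMgr32": r"%Windir%\winmgr32.exe",
                    "ctfmon.exe": r"c:\windows\system32\ctfmon.exe"},
        files={r"C:\tmpny3.txt", r"C:\WINDOWS\zipzip.tmp", r"C:\WINDOWS\notepad.exe"},
        listening_tcp={135, 445, 5555},
        dns_servers={"212.5.86.163"},
    )


def clean_sample() -> HostSnapshot:
    """Constructed snapshot of a host with nothing from either description."""
    return HostSnapshot(
        windir=r"c:\windows",
        run_values={"ctfmon.exe": r"c:\windows\system32\ctfmon.exe"},
        files={r"C:\WINDOWS\notepad.exe"},
        listening_tcp={135, 445},
        dns_servers={"192.0.2.53"},
    )


if __name__ == "__main__":
    for line in match_indicators(infected_sample()):
        print("HIT", line)
    print("clean host hits:", match_indicators(clean_sample()))
```

Matching on the tail of the auto-run data rather than the whole string lets the check work whether the value still reads "%Windir%\winmgr32.exe" or has been expanded to a real path. The DNS server is the one indicator shared by both variants, which makes it the most useful single item to watch for at the network edge.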

Copyright © 2005 Virus-Database.com