Virus Database

Puf.581

Description Puf.581

It is a dangerous nonmemory resident parasitic virus. It searches for COM files except COMMAND.COM, then writes itself to the end of the file. On December, 30th it overwrites the AUTOEXEC.BAT with the instructions:
@echo off
echo PUFessional Anti-Windows Virus v1.2
PUFAWV12.COM

Then the virus creates the PUFAWV12.COM file and writes to there a program that halts the computer. The virus then reboots the computer.

Check other viruses! Be aware! Use Antiviral Software

I-Worm.Mydoom.a

Description I-Worm.Mydoom.a
Also known as Novarg.
This worm spreads via the Internet in the form of files attached to infected messages. It also spreads via the file sharing network Kazaa. The worm itself is a Windows PE EXE file of 22528 bytes, compressed using UPX. The decompressed file is approximately 40KB in size.
The worm is activated only if the user opens the archive and launches the infected file by double-clicking on the attachment. The worm then installs itself in the system and starts the replication process.
The worm contains a backdoor function, and is also programmed to carry out DoS attacks on the site www.sco.com on 1st February 2004.
Part of the body of the worm is encrypted.
Installation
Following launch, the worm opens Windows Notepad, showing a random selection of symbols:

During installation, the worm copies itself under the name taskmon.exe to the Windows system directory, and registers this file in the system registry auto-run key:
[HKLMSoftwareMicrosoftWindowsCurrentVersionRun]
[HKCUSoftwareMicrosoftWindowsCurrentVersionRun]
"TaskMon" = "%System% askmon.exe"
The worm creates a file shimgapi.dll in the Windows system directory which is a backdoor component (a proxy server) and also registers this in the system registry:
[HKCRCLSID{E6FB5E20-DE35-11CF-9C87-00AA005127ED}InProcServer32]
"(Default)" = "%SysDir%shimgapi.dll"
Shimgapi.dll will therefore launch as a procedure linked to Explorer.exe.
The worm also creates a file called Message in the temporary directory (usually in windir emp). This file contains a random selection of symbols.
So that the worm can identify itself in the system, it creates several additional keys in the system registry:
[HKLMSoftwareMicrosoftWindowsCurrentVersionExplorerComDlg32Version]
[HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerComDlg32Version]
While running it also creates a unique identifier SwebSipxSmtxSO.
Mailing of messages
When sending infected messages the worm uses its own SMTP engine. The worm attempts to connect directly to the recipient mail server.
In order to find email addresses to send infected messages to, the worm searches for files with the following extensions:
asp
dbx
tbb
htm
sht
php
adb
pl
wab
txt
and gathers email addresses found in these files. The worm ignores addresses with the suffix .edu.
Infected messages have the following characteristics:

Sender's address:
random
Message header: (chosen at random from the following list)
test
hi
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Error
Message body: (chosen at random from the following list)
test

The message cannot be represented in 7-bit ASCII encoding
and has been sent as a binary attachment.

The message contains Unicode characters and has been sent
as a binary attachment.

Mail transaction failed. Partial message is available.
Attachment name: (may be one word from the list below, or two words from the list below joined by an underscore)
document
readme
doc
text
file
data
test
message
body
The attachment may have one of the following extensions:
pif
scr
exe
cmd
bat
The worm may also send messages with a meaningless selection of characters in the message head, message body or attachment name.
Replication via P2P
The worm checks for the presence of a Kazaa client on the computer and copies itself to the file-sharing directory under the following names:
winamp5
icq2004-final
activation_crack
strip-girl-2.0bdcom_patches
rootkitXP
office_crack
nuke2004
with the following extensions:
bat
exe
scr
pif
Other
Shimgapi.dll is a proxy-server; the worm opens a TCP port between 3127 and 3198 on the infected machine in order to receive commands. The backdoor function allows the creator of the worm to gain full access to the system. In addition to this, the backdoor can execute random files downloaded from the Internet.
The worm also contains a function which enables it to carry out DoS attacks on the site www.sco.com. This function should activate on the 1st February and continue to work until 12th Febuary 2004. The worm will send a GET request every millisecond to port 80 of the site being attacked, which under the conditions of a global epidemic may lead to total breakdown of the site.

I-Worm.Mydoom.aa

Description I-Worm.Mydoom.aa

This worm is a modification of Mydoom.a. It spreads via the Internet as an attachment to infected emails and via the Kazaa file-sharing network.
The worm itself is a PE EXE file which is 51712 bytes in size, packed using UPX.
The worm is only activated if the user opens the archive and launches the infected file by doubling clicking on the attachment. The worm will then install itself on the system and commence its propagation routine.
The worm contains a backdoor component.
Installation
When installing, the worm copies itself under the name avpr.exe to the Windows system directory, and registers this file in the system registry:
[HKLMSoftwareMicrosoftWindowsCurrentVersionRun]
[HKCUSoftwareMicrosoftWindowsCurrentVersionRun]
"Avpr"="%System%avpr.exe"
This ensures that the worm will be launched every time the machine is rebooted.
The worm creates a file named tcp5424.dll in the Windows system registry. This file is the backdoor component, and it is also registered in the system registry:
[HKCRCLSID{E6FB5E20-DE35-11CF-9C87-00AA005127ED}InProcServer32]
"Default"="%SysDir% cp5424.dll"
This ensures that the DLL will be launched as an Explorer.exe child process.
The worm creates several additional key values in the system registry to flag its presence in the system:
[HKLMSoftwareMicrosoftWindowsDdinfect]
[HKCUSoftwareMicrosoftWindowsDdinfect]
And also creates the unique identifier 'My-Game' in memory.
The worm substitutes its own file for the the standard 'hosts' file in the Windows directory. This means that users of infected machines will be unable to access the following domains:
avp.com
ca.com
customer.symantec.com
dispatch.mcafee.com
download.mcafee.com
f-secure.com
kaspersky.com
liveupdate.symantec.com
liveupdate.symantecliveupdate.com
mast.mcafee.com
mcafee.com
my-etrust.com
nai.com
networkassociates.com
rads.mcafee.com
secure.nai.com
securityresponse.symantec.com
sophos.com
symantec.com
trendmicro.com
update.symantec.com
updates.symantec.com
us.mcafee.com
viruslist.com
viruslist.com
www.avp.com
www.ca.com
www.f-secure.com
www.kaspersky.com
www.mcafee.com
www.my-etrust.com
www.nai.com
www.networkassociates.com
www.pandasoftware.com
www.sophos.com
www.symantec.com
www.trendmicro.com
www.viruslist.com
The worm creates a file named msg15.txt in the Windows system directory which contains the following text:
Lucky's Av's ;P~. Sasser author gets IT security job and we will work with Mydoom , P2P worms and exploit codes .Also we will attack f-secure,symantec,trendmicro,mcafee , etc. The 11th of march is the skynet day lol . When the beagle and mydoom loose, we wanna stop our activity <== so Where is the Skynet now? lol.
This Will Drop W32.Scran P2P Worm
The worm also attempts to download a file named 'scran.jpg' from a specific site and to save it in the C: root directory under the name 'Scran.exe'. This file is Worm.P2P.Scranor.a, another network worm.
Mass mailing
The worm's mass mailing function is almost identical to that of Mydoom.a.
The message body is composed of three parts, which are chosen at random from the three groups listed below.
Daily Report.
here is the document.
Important Information.
Reply
your document.

Details are in the attached document.
Kill the writer of this document!
Monthly news report.
Please answer quickly!.
Please confirm!.
Please read the attached file!.
Please see the attached file for details.
Please see the attached file for details Check the attached document.
See the attached file for Waiting for a Response. Please read the attachment.

+++ AntiVirus - www.f-secure.com Norton AntiVirus - www.symantec.com
+++ AntiVirus - www.kaspersky.com Panda AntiVirus -
+++ Attachment: No Virus found
+++ MessageLabs AntiVirus - www.messagelabs.com Bitdefender AntiVirus -
+++ www.bitdefender.com MC-Afee AntiVirus - www.mcafee.com Kaspersky
+++ www.pandasoftware.com Norman AntiVirus - www.norman.com F-Secure
Backdoor
'tcp5424.dll', which is installed by the worm, is a backdoor. The worm opens TCP port 5424 to receive commands.
Payload
The worm searches the system registry for the 'ICQ Net' and 'MsnMsgr' values and deletes them.

Home