Qpa Family
Description Qpa Family
These are very dangerous non-memory-resident overwriting viruses. They search for .COM files and overwrite them. While infecting a file, the viruses save the beginning of the original file to a filename.FB or filename.WIN file, but do not use this data in any way.

The viruses display the following messages:

"Qpa.256": Insufficient system memory.
"Qpa.333,666": This program requires Microsoft Windows.

They also contain the following texts:

"Qpa.256": Qpa-XX virus from FBIC:*.COM
"Qpa.333": Qpa-XX virus WIN
"Qpa.666": Qpa-XXI virus V1.0 from Q6.COM
I-Worm.Paukor
Description I-Worm.Paukor
This is a virus-worm that spreads via the Internet attached to infected e-mails. The worm itself is a Windows PE EXE file about 450Kb in length, and is written in Delphi. The worm has several components (main and additional), described below.

The infected messages have an attached FILES.EXE file (the worm itself), and have different text fields that the worm selects randomly from several variants (see below). The first and last lines of the message body are:

the first line of the Body is randomly selected from "Hi!" or "Hello,"
the last line of the Body is also randomly selected from an empty line, or "Regards," "Your friend," "Best Regards" "Kind Regards", and is completed with %UserEmailName% (the user's display name in e-mail messages)

The Subject and Body variants are:

Subject: Your loved one in indecent pictures :(
Body:
Hi! or Hello,
I'm sorry I have to send you these compromising pictures with the one you love, or you loved. You will know where they were taken as soon as you see them. I' compressed it as a self extracting archive because I din't knew if you have WinZip. When you run it, it should display the extract dialog. I'm really sorry I had to be the one who told you about this.
Regards, or Your friend, or Best Regards or Kind Regards

Subject: Surprise for you!
Body:
Hi! or Hello,
I have a surprise for you. It's a electronic card made by myself :). It contains some graphics and sound and I had to compress it as self extracting archive. :)) I hope you like it, please see the attached file.
Regards, or Your friend, or Best Regards or Kind Regards

Subject: Pictures from the last party
Body:
Hi! or Hello,
Here are the pictures from the last party. Some of them are so funny! I compressed them as self extracting archive as they were too large, over 2.1 Mb! :)) I made the archive self extracting, because I din't knew if you have WinZip. When you run it, it should display the extract dialog. Please let me know what you think. :)
Regards, or Your friend, or Best Regards or Kind Regards

Subject: No subject
Body:
Hi! or Hello,
Here are some files related to what we have talk about. I made the archive self extracting, because I din't knew if you have WinZip. When you run it, it should display the extract dialog. Please let me know what you think. :)
Regards, or Your friend, or Best Regards or Kind Regards

The worm is activated from an infected e-mail only when a user clicks on the attached file. The worm then installs itself to the system, drops additional components and runs a spreading routine.

Main Component

When the main worm component, FILES.EXE, is executed, the worm installs its other components in the system. These components are created in the Windows directory with the following names:

SYSTRAY.EXE - 66K in length
CWAB.EXE - 341K in length
MSP.DLL - 20K in length

All are Windows PE EXE files and are written in Delphi, as is the main worm file. The EXE files (SYSTRAY.EXE and CWAB.EXE) are then executed by the main worm component.

The worm's main component then copies itself (the FILES.EXE file) to the Windows directory, displays a "decoy" message and exits. The message appears as follows:

The CWAB Component

This is the worm component that, when run, spreads the worm by e-mail and sends e-mail with a keylog file to the worm host (with an e-mail address at @yahoo.com and @softhome.com).

While sending e-mails, the worm obtains the victim's e-mail addresses from the WAB (Windows Address Book) database, connects to an SMTP server, and sends infected e-mail messages.

This worm component is designed to be run only under the main FILES.EXE worm file. When run as a stand-alone application, it simply displays the following fake message and exits:

The SYSTRAY and MSP Components

This is a "keylogger" worm component. When run, it registers itself in the registry auto-run key:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

It then activates the "key-logging" library MSP.DLL, which logs keyboard strokes to an MSP.DAT file in the Windows directory. This file is then sometimes sent to a host e-mail address.

This worm component has the following "copyright" text strings in it:

PayK Worm
Copyright (c) 2001 by TheShadow
Disclamer: This program has been made for educational and research purposes only.
I-Worm.Peach
Description I-Worm.Peach
This Internet worm spreads via e-mail messages and sends itself from infected PCs when it is activated. It uses the Microsoft Outlook mail system to send itself to recipients whose e-mail addresses are stored in the Outlook Address Book. The worm is written in the Visual Basic Script (VBS) programming language. It works only under operating systems with Windows Scripting Host installed (WSH is installed by default in Windows 98 and Windows 2000).

The worm uses a PDF file as a host. The virus code is included in that file as an embedded object, and the worm can be activated only manually. When the PDF file is opened in the Adobe Acrobat program (the worm doesn't work in Acrobat Reader), the user is invited to play a simple game, which is stored in an embedded object. After the embedded object is activated, the Adobe Acrobat (http://www.adobe.com/acrobat) program extracts the VBS code, writes it to a temporary folder and launches it.

The virus code creates a JPG file on disk and shows it using Internet Explorer. Then the worm tries to find its host PDF file on the disk, and if it finds the file, sends it to the recipients listed in the Outlook Address Book.

When sending itself, the worm randomly chooses an attachment name, message subject and body.

The message subject can contain the following strings:

"You have one minute to find the peach"
"Find the peach"
"Find"
"Peach"
"Joke"

The subject can also contain the "FW:" prefix and an exclamation mark at the end of it.

The message body is assembled from the following sentences:

"Try finding the peach"
"Try this"
"Interesting search"
"I don't usually send this things, butall"

The attachment name may be one of the following:

"find.pdf"
"peach.pdf"
"find the peach.pdf"
"find_the_peach.pdf"
"joke.pdf"
"search.pdf"

The worm uses a very complex algorithm for sending itself, sometimes resulting in the worm not sending itself at all.
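Added example (not part of the original descriptions): a mail-triage check built from the subject lines and attachment names listed above for I-Worm.Paukor and I-Worm.Peach, including the optional "FW:" prefix and trailing exclamation mark. The function names, rule table and sample messages are constructed for illustration, and requiring both a subject and an attachment match is an assumption made here to limit false positives on short subjects such as "Find" or "Joke".

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators copied from the descriptions above, stored lower-case.
RULES = {
    "I-Worm.Paukor": {
        "subjects": {"your loved one in indecent pictures :(", "surprise for you!",
                     "pictures from the last party", "no subject"},
        "attachments": {"files.exe"},
    },
    "I-Worm.Peach": {
        "subjects": {"you have one minute to find the peach", "find the peach",
                     "find", "peach", "joke"},
        "attachments": {"find.pdf", "peach.pdf", "find the peach.pdf",
                        "find_the_peach.pdf", "joke.pdf", "search.pdf"},
    },
}

def subject_forms(subject):
    """Return the subject as sent plus forms without "FW:" and a trailing "!"."""
    raw = str(subject or "").strip().lower()
    forms = {raw}
    if raw.startswith("fw:"):          # Peach may prepend "FW:"
        raw = raw[3:].strip()
        forms.add(raw)
    if raw.endswith("!"):              # ...and may append an exclamation mark
        forms.add(raw[:-1].rstrip())
    return forms

def classify(raw_message):
    """Name the families whose listed subject AND attachment name both match."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    subjects = subject_forms(msg["Subject"])
    names = {(p.get_filename() or "").lower() for p in msg.iter_attachments()}
    return sorted(family for family, rule in RULES.items()
                  if subjects & rule["subjects"] and names & rule["attachments"])

def build_sample(subject, filename):
    """Constructed test message with a harmless placeholder attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content("Try this")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    print(classify(build_sample("FW: Find the peach!", "find_the_peach.pdf")))
    print(classify(build_sample("Surprise for you!", "FILES.EXE")))
    print(classify(build_sample("Joke", "quarterly-report.pdf")))
```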