QPHS.2931
Description QPHS.2931
This is a non-dangerous memory-resident multipartite virus. When an infected file is executed, the virus infects the MBR of the hard drive, hooks INT 9, 13h and 21h, and stays memory resident. While infecting the hard drive the virus encrypts the original Partition Table; on reads of the MBR its stealth routine returns the Partition Table in its original form. When loaded from an infected MBR, the virus hooks INT 8, 9, 12h and 13h, waits for DOS to load, and then hooks INT 21h. It uses INT 12h to hide itself in system memory during the DOS installation procedure. Through its INT 21h hook the virus intercepts the opening, execution and searching of COM and EXE files. It writes itself to the end of files on the A: and B: drives only, and disinfects infected files on other disks. The virus pays special attention to the execution of LOGIN.EXE: it saves the command line and the keystrokes entered while LOGIN.EXE runs, which lets it capture login commands (user names and passwords). The virus also intercepts keystrokes in general: when the string "QPHS" is typed it displays the intercepted login commands, and when "PERFECT" is typed it disinfects the MBR of the hard drive.
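Because the virus encrypts the partition table in place and only its resident stealth hook returns the clean version, a sector read taken outside the infected system (from a disk image, for example) shows a table that no longer parses. The Python check below is an added example, not part of the original description: it parses the four MBR partition entries and applies plausibility rules that a scrambled table fails. The XOR scrambling used to build the "infected" sample is a constructed stand-in, since the page does not document the virus's actual encryption.

```python
import struct

SECTOR = 512
VALID_BOOT_FLAGS = {0x00, 0x80}  # inactive / active are the only legal boot indicators

def parse_partition_table(sector: bytes):
    """Return the four 16-byte partition entries of a 512-byte MBR as dicts."""
    if len(sector) != SECTOR:
        raise ValueError("MBR sector must be exactly 512 bytes")
    entries = []
    for i in range(4):
        off = 446 + 16 * i  # partition table starts at offset 446
        boot, _chs_s, ptype, _chs_e, lba, size = struct.unpack_from("<B3sB3sII", sector, off)
        entries.append({"boot": boot, "type": ptype, "lba": lba, "size": size})
    return entries

def partition_table_looks_sane(sector: bytes) -> bool:
    """Plausibility check: signature, legal boot flags, at most one active
    entry, used entries non-empty and non-overlapping."""
    if sector[510:512] != b"\x55\xaa":
        return False
    entries = parse_partition_table(sector)
    if any(e["boot"] not in VALID_BOOT_FLAGS for e in entries):
        return False
    if sum(1 for e in entries if e["boot"] == 0x80) > 1:
        return False
    used = [e for e in entries if e["type"] != 0]
    for e in used:
        if e["lba"] == 0 or e["size"] == 0:
            return False
    used.sort(key=lambda e: e["lba"])
    for a, b in zip(used, used[1:]):
        if a["lba"] + a["size"] > b["lba"]:
            return False
    return True

def build_sample_mbr() -> bytes:
    """Constructed clean MBR: one active FAT16 partition starting at LBA 63."""
    sector = bytearray(SECTOR)
    struct.pack_into("<B3sB3sII", sector, 446, 0x80, b"\x01\x01\x00", 0x06, b"\xfe\x3f\x7f", 63, 2096577)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)

def scramble_partition_table(sector: bytes, key: int = 0x5A) -> bytes:
    """Constructed stand-in for the infection: XOR the table bytes, keep the boot signature."""
    s = bytearray(sector)
    for i in range(446, 510):
        s[i] ^= key
    return bytes(s)
```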
I-Worm.Sober.f
Description I-Worm.Sober.f
This worm spreads via email as a file attached to infected messages. It also spreads via file-sharing networks. It is written in Visual Basic and packed using UPX. The packed file is approximately 40KB in size (this may vary slightly); the unpacked file is approximately 140KB in size.

Infected messages
Infected messages have a random message header and contain random text. The name of the attachment also varies, but has the extension .pif or .zip. A sample infected message is shown below.
Message header: Connection failed
Message body: I hope you accept the result! Follow the instructions to read the message. Please read the document
Attachment name: your_passwords.pif

Installation
The worm is activated if the user opens the attached file. Once launched, it opens Notepad, which displays the text contained in the original message. The worm then creates a copy of itself in the Windows system directory under a random name chosen from the following list:
sys host dir explorer win run log 32 disc crypt data diag spool service smss32
This file is then registered in the system registry autorun keys:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"<random key name>" = "%System%\<worm name>"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
"<random key name>" = "%System%\<worm name> %1"
The worm also creates several copies of itself and its additional files in the Windows system directory under the following names:
bcegfds.lll spoofed_recips.ocx syst32win.dll winsys32xx.zzp winhex32xx.wrm zmndpgwf.kxx zhcarxxi.vvx

Propagation
The worm searches disks for any files with the following extensions:
ctl dhtm cgi pp ppt msg jsp oft vbs uin ldb abc pst cfg mdw mbx mdx mda adp nab fdb vap dsp ade sln dsw mde frm bas adr cls ini ldif log mdb xml wsh tbb abx abd adb pl rtf mmf doc ods nch xls nsf txt wab eml hlp mht nfo php asp shtml dbx
It harvests email addresses from these files and sends email messages to the harvested addresses by connecting directly to the SMTP server.
The worm uses one of the names below as the sender's name:
Webmaster Fehler-Info Administrator RobotMailer AutoMailer Register Service Info Passwort Kundenservice Liste Schwarze-Liste Information Administrator Webmaster Home Register Service Info admin Error_Info RobotMailer AutoMailer User-info account webmaster
It may use the recipient's domain name, or one of the domains below:
abuse.de yahoo.com yahoo.de gmx.de gmx.net web.de freenet.de lycos.de
Message header (chosen at random from the list below):
Einzelheiten
Hallo Du!
Hallo!
Hey Du
Hi, Ich bin's
Ich bin es .-)
Verdammt
Na, überrascht?!
Info
Information
Fehlerhafte Mailzustellung
Mailzustellung fehlgeschlagen
Fehler
Illegale Zeichen in Mail-Routing
Verbindung fehlgeschlagen
Fehler in E-Mail
Bestätigung
Registrierungs-Bestätigung
Ihr neues Passwort
Ihr Passwort
Datenbank-Fehler
Warnung!
Oh my God
Hey
Hi!
Hi, it's me
hey you
damn!
Well, surprised?
Info
Information
Faulty mail delivery
Mail delivery failed
Mail Error
Illegal signs in Mail-Routing
Connection failed
Invalid mail sentence length
Mail Delivery failure
Message Error
mail delivery status
Confirmation Required
Bad Gateway
Warning!
Your document
Message-ID
The message body may include text from the paragraphs listed below:
Ich war auch ein wenig überrascht! Wer konnte so etwas ahnen!? Lese selbst Oh-Mann
Alles klaro bei dir? Schau mal was Ich gefunden habe!
Sieh mal nach ob du den Scheiss auch bei dir drauf hast! Ist ein ziemlich nervender Virus. Mach genau das, wie es im Text beschrieben ist! Bye
Ich habs dir doch gesagt, irgendwann schaffe ich es deine Passwörter rauszubekommen!!! Passwoerter.txt
Details entnehmen Sie bitte dem Attachment Nähere Informationen befinden sich im Anhang.
*** Auto Mail Delivery System *** Ihre E-Mail konnte nicht gesendet oder empfangen werden. Bitte überprüfen Sie nochmals diese E-Mail auf mögliche Fehlerquellen. attach: AMD-System.txt * End Transmission Virenschutz --- Web: http:// --- Mail To: User-Hilfe
Passwort und Benutzername wurde erfolgreich geändert Ihre Benutzernamen und Passwörter befinden sich im Anhang dieser E-Mail ++++ Im www erreichbar unter: http:// ++++ E-Mail: KundenInfo
Wegen eines Datenbank-Fehlers könnte es möglicherweise zu einem Verlust Ihrer persönlichen Daten wie Kennwörter gekommen sein. Wenn Sie Unregelmäßigkeiten festgestellt haben, melden Sie uns bitte umgehend den Datenverlust. Vielen Dank für Ihr Verständnis +++ Ein Service von +++ http:// +++ E-Mail: Kundenservice
Internet Provider Abuse: Wir haben festgestellt, dass Sie illegale Internet- Seiten besuchen. Bitte beachten Sie folgende Liste:
I was surprised, too! :-( Who could suspect something like that?
All OK :) see, what i've found!
hi its me i've found a shity virus on my pc. check your pc, too! follow the steps in this article. bye
I 've told you!:-) sometime I grab your passwords!
I hope you accept the result! Follow the instructions to read the message. Please read the document
Registration confirmation Your Password Your mail account Your password was changed successfully. Protected message is attached. ++++ Service: http:// ++++ Mail To: User-info
*** Auto Mail Delivery System *** _failed_after_I_sent_the_message./Remote_host_said:_554_delivery_error:_dd_Sorry_your_message_cannot_be_delivered._This_account_has_been_disabled_ or_discontinued_[#102]._-_mta134.mail.dcn.com ** End of Transmission The original message is a separate attachment. --- Web: http:// --- Mail To: User-Hilfe
Read the attachment for details. Bad Gateway: The message has been attached. +++ A service of +++ http:// +++ Mail: home
The message has been attached.
Database #Error -- Partial message is available! -- Error: llegal signs in Mail-Routing -- Mail Server: ESMTP VX32.9 Version Betha Alpha
Anybody use your accounts! For further details see the attachment.
I have received your document. The corrected document is attached. greets
Attachment name (chosen at random from the following):
Oh-Mann Dokument KurzText AntiVirus-Text Anleitung Passwoerter.txt Text-Inhalt AMD-System.txt Benutzer-Daten Datenbank-Fehler abuse-liste schwarze-listen Block-Lists anitv_text instructions your_article your_passwords messagedoc corrected_text-file attach-message -attachment _attach pass-message text Textdocument
I-Worm.Sober.g
Description I-Worm.Sober.g
This worm spreads via email and file-sharing networks as an attachment to infected emails. It is written in Visual Basic and packed using UPX. The packed file is approximately 47KB in size, but may be slightly larger, as the worm may write random data to the end of the file.

Installation
The worm is activated when the file attached to the message is opened. Once launched, the worm displays a fake error message:
File not found
Special-UnZip Data-Module is missing
Open with Notepad?
Yes No
If the user clicks Yes, the worm opens Notepad; the Notepad window contains nonsense text. Mydoom used a similar diversionary trick. The worm then creates a copy of itself in the Windows directory, saving it under a name chosen at random from the list below:
sys host dir expolrer win run log 32 disc crypt data diag spool service smss32
This file is then registered in the system registry auto-run keys:
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"[random key name]" = "%System%\[file name]"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"[random key name]" = "%System%\[file name]"
The worm also creates a number of copies of itself and additional files, saving them under the following names in the Windows directory:
bcegfds.lll zhcarxxi.vvx cvqaikxt.apk xdatxzap.zxp datsobex.wwr winzweier.dats wincheck32.dats winexpoder.dats NoSpam.readme

Propagation
The worm searches local disks for files with the following extensions:
abc abd abx adb ade adp adr asp bak bas cfg cgi cls cms csv ctl dbx dhtm doc dsp dsw eml fdb frm hlp imb imh imm inbox ini jsp ldb ldif log mbx mda mdb mde mdw mdx mht mmf msg nab nch nfo nsf nws ods oft php pl pmr pp ppt pst rtf shtml slk sln stm tbb txt uin vap vbs vcf wab wsh xhtml xls xml
It harvests email addresses from these files and then sends infected messages to the harvested addresses. The worm connects directly to the SMTP server to send messages. The headers and text of infected messages are in German or English; they are chosen and combined at random from several dozen texts. The attachment has a .pif or .zip extension and a random name.

Other
The worm is able to download and launch files from the following sites:
home.arcor.de people.freenet.de home.pages.at scifi.pages.at free.pages.at
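Both Sober.f and Sober.g leave the same two kinds of host-side traces described above: an autorun value under Run/RunOnce pointing at a copy in the system directory with one of the listed base names, and a fixed set of dropped file names. The Python checker below is an added example, not code from the original descriptions or from the worm's analysts: it scans a .reg-style export of the autorun keys and a system-directory listing for those indicators. The sample export is constructed for the demonstration; whether the worm's copy carries a .exe extension is not stated on the page, so both forms are accepted.

```python
import ntpath
import re

# Fixed names of the worm's additional files, as listed for Sober.f and Sober.g.
SOBER_DROPPED_FILES = {
    "bcegfds.lll", "spoofed_recips.ocx", "syst32win.dll", "winsys32xx.zzp", "winhex32xx.wrm",
    "zmndpgwf.kxx", "zhcarxxi.vvx", "cvqaikxt.apk", "xdatxzap.zxp", "datsobex.wwr",
    "winzweier.dats", "wincheck32.dats", "winexpoder.dats", "nospam.readme",
}
# Names the worm picks for its own copy (both variants; Sober.g also uses "expolrer").
SOBER_COPY_NAMES = {"sys", "host", "dir", "explorer", "expolrer", "win", "run", "log", "32",
                    "disc", "crypt", "data", "diag", "spool", "service", "smss32"}
AUTORUN_KEYS = {r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
                r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
                r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}
# A .reg-style value line: "name"="C:\\WINDOWS\\system32\\host.exe %1"
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>[^"]*)"$')

def suspicious_autorun_values(reg_export: str):
    """Flag Run/RunOnce values whose target is a Sober copy name (with or
    without .exe) inside the system directory; returns (key, value, target)."""
    hits, current_key = [], None
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        m = _VALUE_RE.match(line)
        if not m or current_key not in AUTORUN_KEYS:
            continue
        target = m.group("data").split(" ")[0].replace("\\\\", "\\")  # drop "%1", unescape
        base = ntpath.basename(target).lower()
        stem = base[:-4] if base.endswith(".exe") else base
        if "system" in ntpath.dirname(target).lower() and stem in SOBER_COPY_NAMES:
            hits.append((current_key, m.group("name"), target))
    return hits

def dropped_file_hits(system_dir_listing):
    """Names in a system-directory listing that match the worm's dropped files."""
    return sorted(n for n in system_dir_listing if n.lower() in SOBER_DROPPED_FILES)

# Constructed sample export: one benign entry and two worm-style entries.
SAMPLE_REG = r'''
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"wxkq"="C:\\WINDOWS\\system32\\host.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"rfdz"="C:\\WINDOWS\\system32\\host.exe %1"
'''
```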