Virus Database

QPHS.2931

Description QPHS.2931

It is not a dangerous memory resident multipartite virus. While executing an infected file the virus infects the MBR of the hard drive, hooks INT 9, 13h, 21h and stays memory resident. While infecting the hard drive the virus encrypts the original Partition Table. On reading the MBR the virus calls the stealth routine and returns the Partition Table in its original form.
While loading from infected MBR the virus hooks INT 8, 9, 12h, 13h, waits for DOS loading, and then hooks INT 21h. The virus uses INT 12h to hide itself in the system memory during the DOS installation procedure.
By hooking INT 21h the virus intercepts COM and EXE files opening, execution and searching. The virus writes itself to the end of the files on A: and B: drives only, and disinfects the infected files on other disks.
The virus pays special attention to the execution of LOGIN.EXE file, and saves the command line and entered from keyboard symbols during execution of LOGIN.EXE. By using that trick the virus allows to intercept login commands (user names and passwords).
The virus intercepts the symbols entered from keyboard. On entering the "QPHS" string the virus display the intercepted login commands. On entering the "PERFECT" string the virus disinfects itself in the MBR of the hard drive.

Check other viruses! Be aware! Use Antiviral Software

I-Worm.Thonic.b

Description I-Worm.Thonic.b

This worm spreads via the Internet as an attachment to infected files. The worm itself is a Windows PE EXE file. The body of the worm is encrypted and 7502 bytes in size.
The worm searches for PE files with the extensions .exe, .cpl, and .scr.
When infecting these files it writes itself to the end of the files in a section named .DCUbLmd
It does not infect already infected files.
The worm's code contains errors. It is unable to propagate independently.
A VBS script controls propagation via email. The script is 875 bytes in size, and saved as C:\cthonic.vbs
The executable file infects notepad.exe, and copies itself to the C: root directory as C:snowboard_accident.avi.[75 spaces]exe
It then executes the script to mail the file snowboard_accident.avi.[75 spaces]exe.
The worm contains the following text:
-=[YoG-SoTHoTH]=-
The Ancient Ones are near !!! Fear not these latter days of humanityall
Created by -=[YoG-SoTHoTH]=- on Sept2003
HEX EDITING BIATCHs.......FUCK OFF !!!
Win32.CthonicWorm.1a by -=[Azag-TH0TH]=-
It changes the system registry
[SOFTWAREMicrosoftWindowsCurrentVersionRun]
to ensure that the body of the worm is launched every time the system is started.
Infected messages:
Subject:
Hey check out this funny video my friend sent me !
Message body:
Mail Body
Attachment name:
C:snowboard_accident.avi.[75 spaces]exe
The worm is activated when the user launches the infected file by clicking twice on the attachment. Once this is done, the executable system files will be infected.
The worm uses Windows MAPI function to send messages.
Mass mailing
When sending infected messages, the worm accesses MS Outlook and sends itself to all addresses harvested from the address book.
It also propagates via mIRC.

I-Worm.Timofonica

Description I-Worm.Timofonica

This Internet worm spreads via e-mail by sending infected messages from affected computers. While spreading, the worm uses MS Outlook and sends itself to all addresses that are stored in the MS Outlook Address Book. As a result, an infected computer sends as many messages to as many addresses stored in the MS Outlook Contacts List.
The worm is written in the scripting language "Visual Basic Script" (VBS). It works only on computers in which the Windows Scripting Host (WSH) has been installed. In Windows 98 and Windows 2000, WHS is installed by default. To spread itself, the worm accesses MS Outlook and uses its functions and address lists. This is available in Outlook 98/2000 only, so the worm is able to spread only in the case that one of these MS Outlook versions is installed.
When run, the worm sends its copies by e-mail and drops a Trojan program.
Spreading
The worm arrives to a computer as an e-mail message with an attached VBS file that is the worm itself. The message contains the following:
The Subject:
TIMOFONICA
Message body:
Es de todos ya conocido el monopolio de Telefónica pero no tan conocido los métodos que utilizó para llegar hasta este punto. En el documento adjunto existen opiniones, pruebas y direcciones web con más información que demuestran irregularidades en compras de materiales, facturas sin proveedores, stock irreal, etc. También habla de las extorsiones y favoritismos a empresarios tanto nacionales como internacionales. Explica también el por qué del fracaso en Holanda y qué hizo para adquirir el portal Lycos. En las direcciones web del documento existen temas relacionados para que echéis un vistazo a los comentarios, informes, documentos, etc. Como comprenderéis, esto es muy importante, y os ruego que reenviéis este correo a vuestros amigos y conocidos.
Attached file name:
TIMOFONICA.TXT.vbs
Depending on the system settings, the real extension of the attached file (".vbs") may not be shown. In this case, a filename of the attached file is displayed as "TIMOFONICA.TXT".
Being activated by a user (by double clicking on the attached file), the worm opens MS Outlook, gains access to the Address Book, retrieves all of the addresses, and sends messages with its attached copy to all of them. The message subject, body, and attached file name are the same as above.
In addition, in each sent infected message, the worm sends another message to a randomly generated (numeric) address at the host "correo.movistar.net", for example "639867159@correo.movistar.net". The message contains the following:
Subject:
TIMOFONICA
Body:
informa que: Telefónica te está engañando.
In actuality, the "correo.movistar.net" is an SMS gate that sends SMS messages to phone numbers. The number is the prefix of the e-mail address in the message.
As a result, the worm tries to spam people with SMS messages. The worm sends as many SMS messages to random selected numbers as there are e-mails stored in the address book (the worm sends an SMS message per each infected e-mail message), also installing a Trojan program.
Installing a Trojan program
To install the Trojan program to the system, the worm creates a "Cmos.com" file in the Windows system directory, and writes a code (that stored in worms body) into the file. The worm then registers this file in the system registry in the auto-run section:
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunCmos = Cmos.com
During the next Windows startup, the Trojan takes control, erases the CMOS information, and corrupts the information on the local disks.
The worm creates the file "C:TIMOFONICA.TXT" with the following content:
Comentarios
all. Tarifa plana de 6000 pts/mes. Extorsiºn. A principio de 1.998 tras un seguimiento de su gestiºn se descubrieron numerosas irregularidades en su gestiºn, amparadas hasta el momento, en el desconocimiento que nosotros tenýamos sobre Internet. Compras de materiales, que nunca apareciº por ning·n lado, pero si la factura del proveedor. .... Yo pienso que si Timofonica (ke a fin de kuentas es la due¸a de Terra) kiere soltar dineros para una ONG, no le hace falta hacer este tipo de acto solidario, es mas, me parece misero y ridikula la kantidad de un millon de pesetas .. Son unos ridikulos de mierda, un millon de pesetas para ellos no es nada, pero un millon de hits en sus paginas mas a final de mes supone una peke¸a subidita en las acciones de Terra en Bolsa. Total, ke Terra no son las Hermanitas de los Pobres (pobres monjas, kompararlas kon los chupasangres de Timofonica), NI NOSOTROS SEMOS GILIPOLLAS !!! Podran decir ke estamos obsesionados, ke tamos en kontra de Timofonika, ke protestamos por vicio, PERO ES KE EN 3 ATOS KE LLEVO EN INET SOLO LA HAN KAGADO UNA VEZ TRAS OTRA !! SI ES KE SE LO GANAN A PULSO !! Lo dicho , todo lo ke g#ele a Telefonica SUX, o en castellano tradicional , APESTA ! ....
Direcciones
http://www.telefonica.es/
http://www.timofonica.com/
http://100scripts.islaweb.com/scripting-timofonica.html
http://www.www2.labrujula.net/wwwboard/messages2/1165.html
http://www.tinet.org/mllistes/pc/September_1998/msg00005.html
http://area3d.area66.com/forotec/_disc1/0000015b.htm
http://wwh.itgo.com/Phreaking.htm
http://www.rcua.alcala.es/archives/ham-ea/msg00780.html
http://www.areas.org/debate/dp/2/messages/18.html
http://www.fut.es/mllistes/parlem/January_1999/msg00208.html

Visita estas pñginas. Estñs inivitado.
Then, the worm modifies system registry to display this file content (in Notepad window) instead of run any VBS file.
To restore normal functionalty for VBS files association you may run in Command Prompt window following instruction:
WSCRIPT //H:WSCRIPT

Home