Raiden.1433
Description Raiden.1433
This is a non-dangerous memory-resident multipartite virus. When an infected file is executed, the virus infects the MBR of the hard drive. While loading from the infected MBR, the virus hooks INT 13h, 1Ch and 4Fh, waits for DOS to load and then hooks INT 21h. By hooking INT 21h the virus intercepts EXE file execution and opening and writes itself to the end of the file. By hooking INT 13h the virus intercepts accesses to the infected MBR and calls its stealth routine. In some cases (depending on the command line) the virus disinfects the host file. On an INT 4Fh call with AX=666h the virus displays the message:
+---------------------------------------+
¦ MBR VIRUS V.01 NECROSOFT CORPORATION ¦
¦ WRITEN BY RAIDEN COPYRIGHT (C) 1996 ¦
+---------------------------------------+
I-Worm.PrettyPark
Description I-Worm.PrettyPark
This is a virus-worm that spreads via the Internet. It arrives as a "PrettyPark" utility attached to an e-mail. When executed, it installs itself into the system, then sends infected messages (with its attached copy) to the addresses listed in the Windows Address Book, informs a user on some IRC channel about system settings and passwords, and may also be used as a backdoor.

The worm itself is a Windows PE executable file about 37Kb in length. The file is compressed with the WWPack32 utility. Unpacked, it is a 58Kb EXE file written in Delphi; the "pure" code in the file occupies only about 45Kb. Despite this small size for a Delphi application, the worm has many features that make it a very dangerous and fast-spreading program.

When the worm is executed on a system for the first time, it looks for a copy of itself already installed in system memory. It does this by looking for an application with the "#32770" window caption. If there is no such window, the virus registers itself as a hidden application (not visible in the task list) and runs its installation routine. While installing, the worm copies its file to the Windows system directory under the name FILES32.VXD and registers it in the system registry so that it is run each time any other application starts. It does this by creating a new key under HKEY_CLASSES_ROOT (the key name is exefile\shell\open\command) and associating it with the FILES32.VXD copy of the worm created in the Windows system folder. This file has a .VXD extension, but it is not a Win95/98 VxD driver; rather, it is a "true" Windows executable. If an error occurs during installation, the worm activates the SSPIPES.SCR screen saver (to hide its activity?). If that file is not found, the worm tries to activate the Canalisation3D.SCR screen saver.
The worm then opens a socket (Internet) connection and runs two routines: the first is activated once every 30 seconds, the other once every 30 minutes. The first routine, each time it is activated, tries to connect to an IRC chat channel (see the list below) and, on special requests, sends a message to a user on these channels. In this way the worm's author appears to collect affected machines in order to monitor them. The IRC servers the worm tries to connect to are: irc.twiny.net, irc.stealth.net, irc.grolier.net, irc.club-internet.fr, ircnet.irc.aol.com, irc.emn.fr, irc.anet.com, irc.insat.com, irc.ncal.verio.net, irc.cifnet.com, irc.skybel.net, irc.eurecom.fr, irc.easynet.co.uk.
Once recognized by the host (the virus author), the worm can be controlled as a backdoor Trojan horse. On a set of commands it sends the system configuration, a disk list, directory information and confidential information to the remote host: Internet access passwords and telephone numbers, Remote Access Service login names and passwords, ICQ numbers, etc. The backdoor is also able to create and remove directories, send and receive files, delete and execute them, and so on. The second routine, activated once every 30 minutes, opens the Windows Address Book file, reads Internet addresses from it, and sends a message to each of them. The message can be sent not only to private e-mail addresses but also to Internet conferences, depending only on the Address Book contents. The message Subject field contains the text: C:\CoolProgs\Pretty Park.exe
The message itself contains nothing but an attached copy of the worm.
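A defender's check for the persistence trick described above, written here as an added example (not code from the original description): it parses a .reg export and flags an exefile\shell\open\command value that launches anything besides the EXE itself. The sample exports are constructed, and the exact value PrettyPark writes is an assumption, since the description only says the key is pointed at the FILES32.VXD copy.

```python
import re

# A clean exefile open command just passes the file and its arguments through.
CLEAN_EXEFILE_COMMANDS = {'"%1" %*', '%1 %*'}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
DEFAULT_RE = re.compile(r'^@="(?P<value>.*)"\s*$')

def parse_reg_export(text):
    """Minimal REGEDIT4/.reg parser: {key: default string value} for every
    key in the export that sets its default (@) value."""
    defaults = {}
    key = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = DEFAULT_RE.match(line)
        if m and key is not None:
            # .reg files escape backslashes and quotes with a backslash
            defaults[key] = re.sub(r"\\(.)", r"\1", m.group("value"))
    return defaults

def find_exefile_hijack(text):
    """Return the EXE open command if it launches anything other than the
    file itself (the PrettyPark persistence trick), otherwise None."""
    cmd = parse_reg_export(text).get(r"HKEY_CLASSES_ROOT\exefile\shell\open\command")
    if cmd is None or cmd.strip() in CLEAN_EXEFILE_COMMANDS:
        return None
    return cmd

# Constructed sample exports. The description does not give the exact value the
# worm writes; the infected sample assumes it prepends its FILES32.VXD copy.
CLEAN_EXPORT = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

INFECTED_EXPORT = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\FILES32.VXD \"%1\" %*"
'''
```

On a live machine the same check can be fed the output of `regedit /e` for the exefile key; anything that is not the bare `"%1" %*` form deserves a look.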
I-Worm.Prolin (a.k.a. Creative)
Description I-Worm.Prolin (a.k.a. Creative)
This is a virus-worm that spreads via the Internet using MS Outlook. The worm itself is a Windows EXE file about 37Kb in length, written in VisualBasic. The worm uses the standard MW97_Melissa-like way of spreading: it opens the MS Outlook address book, obtains addresses from it, and sends its copies to those addresses. The message reads as follows:

Subject: A great Shockwave flash movie
Message text: Check out this new flash movie that I downloaded just now all It's Great Bye
Attach name: creative.exe

The worm then sends a "notification" message to its author, informing him about the next infected computer:

To: z14xym432@yahoo.com
Subject: Job complete
Message text: Got yet another idiot

The worm also creates copies of itself on the C: drive under the following names:

C:\creative.exe
C:\WINDOWS\Start Menu\Programs\StartUp\creative.exe

The second copy is placed in the auto-run directory, so it is activated on each Windows restart.

The worm has a dangerous payload. It scans all disk drives, finds ZIP, MP3 and JPG files, and moves them to the root of the C: drive under the following name:

C:\%victimfile%change atleast now to LINUX

For example, BGAMEX.JPG and DATA.ZIP are moved to:

C:\BGAMEX.JPGchange atleast now to LINUX
C:\DATA.ZIPchange atleast now to LINUX

The worm also creates the text file c:\messageforu.txt, writes the following text there and appends the list of moved files, for example:

Hi, guess you have got the message. I have kept a list of files that I have infected under this. If you are smart enough just reverse back the process. i could have done far better damage, i could have even completely wiped your harddisk. Remember this is a warning & get it sound and clear... - The Penguin
C:\WINDOWS\SYSTEM\OOBE\IMAGEX\BGAMEX.JPG
C:\BACKUP\DATA.ZIP
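The note left by the worm says the renames can be reversed, and the list of original paths it appends makes that possible. The following added example (not part of the original description) does exactly that on a throwaway directory standing in for C:\, so it runs on any OS; the note text and the planted files are constructed samples.

```python
import shutil
import tempfile
from pathlib import Path, PureWindowsPath

# Suffix Prolin appends when it moves each ZIP/MP3/JPG file to the root of C:
PROLIN_SUFFIX = "change atleast now to LINUX"

def original_paths_from_note(note_text):
    """Pull the original paths out of messageforu.txt: the worm appends one
    absolute path per line after its message, so keep Windows drive paths."""
    return [line.strip() for line in note_text.splitlines()
            if len(line.strip()) > 3 and line.strip()[1:3] == ":\\"]

def restore_prolin_renames(drive_root, note_text, suffix=PROLIN_SUFFIX):
    """Reverse the rename: for each original path in the note, look for
    <basename><suffix> in drive_root and move it back where it came from.
    drive_root stands in for C:\\ so this runs on any OS. Returns the
    restored paths, relative to drive_root, in POSIX form."""
    root = Path(drive_root)
    restored = []
    for orig in original_paths_from_note(note_text):
        win = PureWindowsPath(orig)
        renamed = root / (win.name + suffix)
        dest = root.joinpath(*win.parts[1:])   # drop the "C:\" anchor
        if not renamed.is_file() or dest.exists():
            continue   # nothing to restore, or never clobber an existing file
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(renamed), str(dest))
        restored.append(dest.relative_to(root).as_posix())
    return restored

# Constructed sample note, laid out as the description shows it (text shortened).
SAMPLE_NOTE = """Hi, guess you have got the message. (...)
- The Penguin
C:\\WINDOWS\\SYSTEM\\OOBE\\IMAGEX\\BGAMEX.JPG
C:\\BACKUP\\DATA.ZIP
"""

def demo():
    """Build a throwaway 'drive', plant the renamed files, and restore them."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("BGAMEX.JPG", "DATA.ZIP"):
            (Path(tmp) / (name + PROLIN_SUFFIX)).write_bytes(b"sample")
        restored = restore_prolin_renames(tmp, SAMPLE_NOTE)
        return restored, (Path(tmp) / "BACKUP" / "DATA.ZIP").is_file()
```

Files whose names collide in the root (two DATA.ZIP from different folders) would have overwritten each other during the worm's move, so only the surviving copy can be restored; the script skips any destination that already exists rather than guessing.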