Rider.577
Description Rider.577
Rider.577 is a dangerous, non-memory-resident, parasitic, encrypted virus. It searches for COM files and writes itself to the end of each file it infects. It deletes the following files:
C:\COMMAND.COM
C:\DOS\COMMAND.COM
C:\IO.SYS
C:\MSDOS.SYS
It contains the text strings:
The iNFiLtRAtOR Virus by The Dark Rider from Norway-93
*.COM
I-Worm.Mydoom.q
Description I-Worm.Mydoom.q
Mydoom.q is an Internet worm that spreads as an email attachment. It is written in C++ and packed with UPX; the packed file is 27136 bytes and the unpacked file 65024 bytes.
Installation
Once launched, Mydoom.q copies its main component into the Windows directory as rasor38a.dll and into the Windows system folder as winpsd.exe. It then registers winpsd.exe for autorun in the system registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winpsd"="<Windows System Folder>\winpsd.exe"
Mydoom.q also creates a mutex named 43jfds93872 so that a machine is not infected twice.
Propagation
Mydoom.q scans the infected machine for files with the following extensions, from which it harvests email addresses:
txt htmb shtl phpq aspd dbxn tbbg adbh pl wab
Email characteristics
Subject: photos
Body text: LOL!;))))
Attachment name: photos_arc.exe
Payload
Mydoom.q attempts to download Backdoor.Win32.Surila.g, a Trojan, from a list of compromised sites embedded in the body of the worm:
http://www.richcolour.com/ispy.x.xxx
http://www.richcolour.com/coco3.xxx
http://www.richcolour.com/guestbook/temp/temp587.xxx
http://zenandjuice.com/guestbook/temp/temp728.xxx
If the download succeeds, the backdoor is saved in the Windows directory as winvpn32.exe and launched. A registry value is then created to signal a successful installation:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer]
"InstaledFlashhMX"="1"
Mydoom.q checks this flag and stops attempting to download the Trojan once it is set to '1'.
Other
Mydoom.q is programmed to stop spreading on August 20 at 21:11:11 (local machine time). Backdoor.Win32.Surila.g has no expiration date, however, so infected machines remain open to remote administration until the Trojan is removed.
I-Worm.Mydoom.t
Description I-Worm.Mydoom.t
Mydoom.t is an Internet worm that spreads as an email attachment. It is packed with UPX; the unpacked size is about 34 KB and the packed size about 18 KB. The worm runs only when the user double-clicks the infected attachment; it then installs itself on the system and starts its propagation routines.
Installation
Mydoom.t copies itself into the Windows system folder as windrv32.exe and registers that file in the following autorun registry key:
[HKLM\Software\Windows\CurrentVersion\Run]
"WinSPF"="%SysDir%\windrv32.exe"
Mydoom.t also creates the mutex WWWWDefaceDWWW to identify itself on the system.
Infected email characteristics
Sender name
Either spoofed from the local address book on the infected machine or composed of a first name and a last name combined at random from the following lists.
First name:
Alex Alexander Andrew Anthony Barry Bernard Bill Brian Calvin Carl Charles Christopher Clifford Daniel David Dennis Donald Douglas Edward Eric Francisco Frank Gary George Gregory Harold Henry James Jason Jay Jeffrey Jerry Jim John Jon Jose Joseph Joshua Kenneth Kevin Larry Leon Leroy Lloyd Marcus Mario Mark Matthew Michael Micheal Miguel Oscar Patrick Paul Peter Randall Raymond Richard Ricky Robert Ronald Ronnie Scott Stephen Steven Theodore Thomas Timothy Tom Tommy Troy Walter William
Last name:
Adams Allen Anderson Baker Brown Campbell Carter Clark Cruz Davis Freeman Garcia Gomez Gonzalez Green Hall Harris Hernandez Hill Jackson Johnson Jones King Lee Lewis Lopez Marshall Martin Martinez Miller Mitchell Moore Murray Nelson Ortiz Parker Perez Phillips Porter Roberts Robinson Rodriguez Scott Simpson Smith Stevens Taylor Thomas Thompson Tucker Turner Walker Webb Wells White Williams Wilson Wright Young
Sender domain
Chosen at random from:
aol.com dailymail.co.uk gmx.net hotmail.com mail.com t-online.de yahoo.co.uk
Subject
Chosen at random from:
hello here Hi! important Information my News Notice again Private document Re: Hello Re: Hi Re: Message Re: Proof of concept Re: Question Re: Status Re: Your document read it immediately Thank you! thanks! You win!
Body text
Chosen at random from:
apply patch. apply this patch! Can you confirm it? For further details see the attachment. For more details see the attachment. fun game! fun photos fun! game I have attached document. lol! Monthly news report. New game Please answer quickly! Please confirm the document. Please confirm! Please read the attached file! Please read the attached file. Please read the document. Please read the important document. Please see the attached file for relax screensaverlol! See attached file for details. See the file. See the file. Thanks! Thanks! Virus removal tool Waiting for a Response. Please read the attachment. You are infected by virus. Run this exe Your archive is attached. Your requested mail has been attached.
Attachment name
Chosen at random from:
antivirus.exe bill.zip data.zip details.zip doc.zip doc.zip document.zip file.exe file.zip fun.scr game.exe info.zip information.zip letter.zip lol.scr message,.zip new.exe new.zip patch.exe photo.exe pic.exe report.zip
or from the following names, which pair a harmless-looking extension with whitespace padding and then the real, executable .pif extension:
bill.doc .pif bill.rtf .pif bill.txt .pif doc.doc .pif doc.rtf .pif doc.txt .pif document.doc .pif mesg.doc .pif mesg.rtf .pif mesg.txt .pif Message.html .pif rep.txt .pif report.doc .pif report.rtf .pif report.txt .pif review.doc .pif review.rtf .pif review.txt .pif
Signature
Based on the following pattern:
+++ Attachment: No Virus found +++
%s
where "%s" is chosen at random from:
Bitdefender AntiVirus - www.bitdefender.com
F-Secure AntiVirus - www.f-secure.com
Kaspersky AntiVirus - www.kaspersky.com
MC-Afee AntiVirus - www.mcafee.com
MessageLabs AntiVirus - www.messagelabs.com
Norman AntiVirus - www.norman.com
Norton AntiVirus - www.symantec.de
Panda AntiVirus - www.pandasoftware.com
Propagation
Mydoom.t harvests addresses from the local address book and from files on the machine with the following extensions:
asp cfg cgi dbx dht eml htm jsp mht msg php sht stm tbb txt uin vbs wab xls
This Mydoom variant sends mail by connecting directly to the SMTP servers of potential victims; it constructs the SMTP server names from the domain names it harvests on the infected machine.
Other
Mydoom.t contains a downloader function that attempts to download Backdoor.Win32.Surila from the following sites:
http://vugs.geog.uu.nl
http://www.ach.ch
http://www.hiw.kuleuven.ac.be
http://www.llc.unibo.it
http://www.mercyships.de
http://www.planetboredom.net
http://www.surrenderzeeland.nl
Mydoom.t contains the following message from its authors: We searching 4 work in AV industry.
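The mail characteristics described for Mydoom.q and Mydoom.t (the spoofed sender domains, the stock subjects and attachment names, the whitespace-padded double extensions such as "report.doc .pif", and the fake "No Virus found" signature) can be turned into a scoring rule for a mail gateway or a mailbox sweep. The Python below is an added example written for this page; it is not code from the worm descriptions or from any antivirus product. The indicator weights, the flag threshold of 4, the function names and the four sample messages are assumptions made for illustration, and the subject and attachment lists are subsets of those given above.

```python
import os
import re
from dataclasses import dataclass, field

# Indicators taken from the Mydoom.q and Mydoom.t descriptions above.
SPOOFED_SENDER_DOMAINS = {
    "aol.com", "dailymail.co.uk", "gmx.net", "hotmail.com",
    "mail.com", "t-online.de", "yahoo.co.uk",
}
KNOWN_SUBJECTS = {  # subset; lower-cased for comparison
    "photos",  # Mydoom.q
    "hello", "hi!", "important", "information", "notice again",
    "private document", "re: hello", "re: hi", "re: message",
    "re: proof of concept", "re: question", "re: status", "re: your document",
    "read it immediately", "thank you!", "thanks!", "you win!",
}
KNOWN_ATTACHMENTS = {
    "photos_arc.exe",  # Mydoom.q
    "antivirus.exe", "bill.zip", "data.zip", "details.zip", "doc.zip",
    "document.zip", "file.exe", "file.zip", "fun.scr", "game.exe", "info.zip",
    "information.zip", "letter.zip", "lol.scr", "message,.zip", "new.exe",
    "new.zip", "patch.exe", "photo.exe", "pic.exe", "report.zip",
}
FAKE_SCAN_SIGNATURE = "+++ Attachment: No Virus found +++"
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat"}
FLAG_THRESHOLD = 4  # assumed cut-off: the two weak indicators alone never reach it

# "report.doc        .pif": harmless-looking extension, whitespace padding,
# then the extension Windows actually executes.
PADDED_DOUBLE_EXT = re.compile(
    r"\S+\.(?:doc|rtf|txt|html?)\s+\.(?:pif|exe|scr|com|bat)", re.IGNORECASE)


@dataclass
class Message:
    sender: str
    subject: str
    body: str
    attachment: str


@dataclass
class Verdict:
    score: int
    flagged: bool
    reasons: list = field(default_factory=list)


def sender_domain(sender: str) -> str:
    """Domain part of a From header such as 'Robert Miller <rm@gmx.net>'."""
    m = re.search(r"@([\w.-]+)", sender)
    return m.group(1).lower() if m else ""


def effective_extension(name: str) -> str:
    """splitext keys on the last dot, so padding before '.pif' cannot hide it."""
    return os.path.splitext(name.rstrip())[1].lower()


def score_message(msg: Message) -> Verdict:
    name = msg.attachment.strip()
    checks = [  # (hit, weight, reason); weights are assumptions
        (name.lower() in KNOWN_ATTACHMENTS, 3, "attachment name from Mydoom list"),
        (PADDED_DOUBLE_EXT.fullmatch(name) is not None, 3, "whitespace-padded double extension"),
        (effective_extension(name) in EXECUTABLE_EXTENSIONS, 2, "executable attachment"),
        (FAKE_SCAN_SIGNATURE in msg.body, 3, "fake 'No Virus found' signature"),
        (msg.subject.strip().lower() in KNOWN_SUBJECTS, 1, "subject from Mydoom list"),
        (sender_domain(msg.sender) in SPOOFED_SENDER_DOMAINS, 1, "sender domain from spoof list"),
    ]
    hits = [(weight, reason) for hit, weight, reason in checks if hit]
    score = sum(weight for weight, _ in hits)
    return Verdict(score, score >= FLAG_THRESHOLD, [reason for _, reason in hits])


# Constructed sample messages for the example; not real captures.
SAMPLES = {
    "mydoom_t": Message(
        "Robert Miller <robert.miller@gmx.net>", "Re: Your document",
        "Please read the attached file.\n\n+++ Attachment: No Virus found +++\n"
        "Kaspersky AntiVirus - www.kaspersky.com\n",
        "report.doc        .pif"),
    "mydoom_q": Message(
        "someone@hotmail.com", "photos", "LOL!;))))", "photos_arc.exe"),
    "weak_only": Message(  # a legitimate hotmail.com user replying with a PDF
        "a.user@hotmail.com", "Re: Question",
        "Did the spec change? See attached.", "spec.pdf"),
    "benign": Message(
        "alice@corp.example", "Minutes from Tuesday",
        "Notes attached, see you Thursday.", "minutes.docx"),
}


def triage(samples=SAMPLES) -> dict:
    """Score every sample; returns {label: Verdict}."""
    return {label: score_message(m) for label, m in samples.items()}


if __name__ == "__main__":
    for label, v in triage().items():
        print(f"{label:10} score={v.score:2} flagged={v.flagged} {v.reasons}")
```

The strong indicators (attachment name, padded double extension, executable attachment, fake signature) carry the decision; the subject and sender-domain matches are deliberately weak, since real users of those webmail domains send mail with those subjects every day, so a message carrying only those two scores 2 and is left alone.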