Virus Database

Rider.577

Description Rider.577

It is a dangerous nonmemory resident parasitic encrypted virus. It searches for COM files and writes itself to the end of the file. It deletes the files:
C:COMMAND.COM
C:DOSCOMMAND.COM
C:IO.SYS
C:MSDOS.SYS

It contains the text strings:
The iNFiLtRAtOR Virus by The Dark Rider from Norway-93
*.COM

Check other viruses! Be aware! Use Antiviral Software

I-Worm.Mydoom.q

Description I-Worm.Mydoom.q

Mydoom.q is an Internet worm that spreads via an email attachment. It is written in C++ and packed with UPX. The compressed file size is 27136 bytes and unpacked - 65024.
Installation
Once Mydoom.q is launched it copies the main component into the Windows directory under the name rasor38a.dll and into the Windows system folder under the name winpsd.exe. Finally, Mydoom.q creates the following key in the system registry:
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
"winpsd"="<Windows System Folder >winpsd.exe"
Mydoom.q also creates a mutex named 43jfds93872 to prevent duplicate infections.
Propagation
Mydoom.q scans the infected machine for files with the following extensions:
txt
htmb
shtl
phpq
aspd
dbxn
tbbg
adbh
pl
wab
Email characteristics
Subject:
photos
Body text:
LOL!;))))
Attachment name:
photos_arc.exe
Payload
Mydoom.q attempts to download Backdoor.Win32.Surila.g, a Trojan, from a list of infected sites contained in the body of the worm:
http://www.richcolour.com/ispy.x.xxx
http://www.richcolour.com/coco3.xxx
http://www.richcolour.com/guestbook/temp/temp587.xxx
http://zenandjuice.com/guestbook/temp/temp728.xxx
If the backdoor is downloaded successfully, it is saved in the Windows directory under the name winvpn32.exe and then launched. A key is also created in the system registry signaling successful installation:
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet Explorer]
"InstaledFlashhMX"="1"
Mydoom.q scans for this flag and stops attempting to download the Trojan once the flag is tagged '1'.
Other
Mydoom.q is programmed to stop spreading on August 20 at 21:11:11 (according to the local machine time).
However, Backdoor.Win32.Surila.g does not have an expiration date, meaning that infected machines remain open to remote adminstration unless the Trjoan is removed.

I-Worm.Mydoom.t

Description I-Worm.Mydoom.t

Mydoom.t is an Internet worm that spreads via an email attachment. It is packed with UPX; the unpacked size is about 34 KB and the compressed size is about 18 KB.
The worm is activated only if users double click on the infected attachment, whereupon the worm installs itself into the system and launches propagation routintes.
Installation
Mydoom.t copies itself into the Windows system folder under the name windrv32.exe. This file is then registered in the following autorun registry key:
[HKLMSoftwareWindowsCurrentVersionRun]
"WinSPF"="%SysDir%windrv32.exe"
Mydoom.t also creates the mutex WWWWDefaceDWWW to identify itself in the system.
Infected email characterics

Sender name
Is either spoofed from the local address book on the infected machine or composed from the following components in random combinations:
first name:
last name:

Alex
Alexander
Andrew
Anthony
Barry
Bernard
Bill
Brian
Calvin
Carl
Charles
Christopher
Clifford
Daniel
David
Dennis
Donald
Douglas
Edward
Eric
Francisco
Frank
Gary
George
Gregory
Harold
Henry
James
Jason
Jay
Jeffrey
Jerry
Jim
John
Jon
Jose
Joseph
Joshua
Kenneth
Kevin
Larry
Leon
Leroy
Lloyd
Marcus
Mario
Mark
Matthew
Michael
Micheal
Miguel
Oscar
Patrick
Paul
Peter
Randall
Raymond
Richard
Ricky
Robert
Ronald
Ronnie
Scott
Stephen
Steven
Theodore
Thomas
Timothy
Tom
Tommy
Troy
Walter
William
Adams
Allen
Anderson
Baker
Brown
Campbell
Carter
Clark
Cruz
Davis
Freeman
Garcia
Gomez
Gonzalez
Green
Hall
Harris
Hernandez
Hill
Jackson
Johnson
Jones
King
Lee
Lewis
Lopez
Marshall
Martin
Martinez
Miller
Mitchell
Moore
Murray
Nelson
Ortiz
Parker
Perez
Phillips
Porter
Roberts
Robinson
Rodriguez
Scott
Simpson
Smith
Stevens
Taylor
Thomas
Thompson
Tucker
Turner
Walker
Webb
Wells
White
Williams
Wilson
Wright
Young


sender domain
Chosen at random from:
aol.com
dailymail.co.uk
gmx.net
hotmail.com
mail.com
t-online.de
yahoo.co.uk
Subject
Chosen at random from:
hello
here
Hi!
important
Information
my
News
Notice again
Private document
Re: Hello
Re: Hi
Re: Message
Re: Proof of concept
Re: Question
Re: Status
Re: Your document
read it immediately
Thank you!
thanks!
You win!
Body text
Chosen at random from:
apply patch.
apply this patch!
Can you confirm it?
For further details see the attachment.
For more details see the attachment.
fun game!
fun photos
fun!
game
I have attached document.
lol!
Monthly news report.
New game
Please answer quickly!
Please confirm the document.
Please confirm!
Please read the attached file!
Please read the attached file.
Please read the document.
Please read the important document.
Please see the attached file for relax
screensaverlol!
See attached file for details.
See the file.
See the file.
Thanks!
Thanks!
Virus removal tool
Waiting for a Response. Please read the attachment.
You are infected by virus. Run this exe
Your archive is attached.
Your requested mail has been attached.
Attachment name
Chosen at random from:
antivirus.exe
bill.zip
data.zip
details.zip
doc.zip
doc.zip
document.zip
file.exe
file.zip
fun.scr
game.exe
info.zip
information.zip
letter.zip
lol.scr
message,.zip
new.exe
new.zip
patch.exe
photo.exe
pic.exe
report.zip
bill.doc .pif
bill.rtf .pif
bill.txt .pif
doc.doc .pif
doc.rtf .pif
doc.txt .pif
document.doc .pif
mesg.doc .pif
mesg.rtf .pif
mesg.txt .pif
Message.html .pif
rep.txt .pif
report.doc .pif
report.rtf .pif
report.txt .pif
review.doc .pif
review.rtf .pif
review.txt .pif
Signature
Based on the following pattern:
+++ Attachment: No Virus found
+++ %s
Where "%s" is chosen at random from:
Bitdefender AntiVirus - www.bitdefender.com
F-Secure AntiVirus - www.f-secure.com
Kaspersky AntiVirus - www.kaspersky.com
MC-Afee AntiVirus - www.mcafee.com
MessageLabs AntiVirus - www.messagelabs.com
Norman AntiVirus - www.norman.com
Norton AntiVirus - www.symantec.de
Panda AntiVirus - www.pandasoftware.com
Propagation
Mydoom.t harvests addresses from the local address book and scans the machine for files with the follwoing extensions:
asp
cfg
cgi
dbx
dht
eml
htm
jsp
mht
msg
php
sht
stm
tbb
txt
uin
vbs
wab
xls


This Mydoom variant spreads by connecting directly to potential victim SMTP servers by constructing SMTP server names based on domain names it harvests from the infected machine.
Other
Mydoom.t contains a downloader function that attempts to download Backdoor.Win32.Surila from the following sites:
http://vugs.geog.uu.nl
http://www.ach.ch
http://www.hiw.kuleuven.ac.be
http://www.llc.unibo.it
http://www.mercyships.de
http://www.planetboredom.net
http://www.surrenderzeeland.nl
Mydoom.t contains the follwoing message from the coders:
We searching 4 work in AV industry.

Home