Virus Database

Bagoes

Description Bagoes

It is not a dangerous memory resident boot virus. It hooks INT 13h, 17h and writes itself to the MBR of the hard drive and boot sector of floppy disks. While printing a text the virus replaces "R" and "r" letters with "L" and "l". The virus contains the text strings:
B.A.G.O.E.S
STMIK BUDI LUHUR
INDONESIA

Check other viruses! Be aware! Use Antiviral Software

I-Worm.Challenge

Description I-Worm.Challenge

This worm spreads using MS Outlook Express 5. It appends itself to every message sent from an infected computer. The worm does not attach itself to messages as regular worms do, but instead embeds its body into a message as a script program in Visual Basic Script language. When an infected message is opened on a victim's computer, this program doesn't appear on the screen, but instead gains control and infects the system.
To break through MS Outlook Express security, the worm takes advantage of a security vulnerability that allows script code in HTML-based e-mail message access to ActiveX controls that should not be available in this context. Microsoft has released a patch that eliminates this security vulnerability. See http://www.microsoft.com/technet/securThisy/bulletin/MS00-075.asp for more information. We strongly recommend a user install the patch available there, protecting him/her against many script worms that use this vulnerability.
The worm infects computer it two steps:
The first step is when an infected message is displayed, and an embedded script program gets control. This creates a TEMP.HTA file with the worm's copy in a Windows startup folder. (This worm is more accurate in finding a Windows startup folder. Its method works in all Windows versions, as distinct in I-Worm.KakWorm).
The second step, since TEMP.HTA file is placed into the Windows startup folder, is that Windows runs it upon startup. The script in this file is created in the Windows system folder file FOLDER.HTML with the same script as was in the infected message, and then registers this file as a default signature file for MS Outlook Express 5. From this moment, all messages sent from a computer contain a signature with the worm's body, i.e., infected.

I-Worm.Chet.a

Description I-Worm.Chet.a

This is the worm virus spreading via the Internet being attached to infected emails. The worm itself is a Windows PE EXE file about 27Kb of length written in Microsoft Visual C++.
The infected messages have following fields:
From: main@world.com
To: You
Subject: All people!!
Attach: 11september.exe
Body:

The worm activates from infected email only in case a user clicks on attached file. The worm then installs itself to the system and runs spreading routine.
Installing
While installing the worm copies itself to Windows system directory with the "synchost1.exe" name and registers that file in system registry auto-run key:
HKCUSoftwareMicrosoftWindowsCurrentVersionRun ICQ1 = %SystemDir%synchost1.exe
The original file is then deleted.
Spreading
To get victim emails the worm connects to MS Outlook and sends messages to all addresses found in Outlook address book. It also gets to WAB file(s) and reads victim emails from there.
To send infected messages the worm uses direct connection to SMTP server "mail.ru".
Other
The worm also sends two notification messages to its "master". One notification is sent before spreading (see above), the second message is sent just after spreading routine. These two messages are sent to three addresses:
connectionICQ@mail.ru
Icq_Premium@mail.ru
PremiumServ@mail.ru
They have following subjects:
message1: Otchet from user
message2: Otchet2 from user
The message body contains victim emails list and worm's EXE file full name.

Home