Salman.2000
Description Salman.2000
It is a dangerous non-memory-resident, encrypted parasitic virus. It searches for EXE files and writes itself to the end of each file. The virus does not infect the files SCAN.EXE, CLEAN.EXE, NAV.EXE and PACRUN.EXE. It deletes the files CHKLIST.MS, CHKLIST.CPS and C:\SIGNTURE.DAT. The virus displays the message: Kill Salman Rushdie and Taslima Nasrin !
It also contains the text: Kill them !!!
I-Worm.Fix2001
Description I-Worm.Fix2001
This is a virus-worm that spreads via the Internet. It works similarly to the "Happy99" worm: it installs itself into the system, hooks the Windows Internet access functions, and obtains Internet addresses to which it sends copies of itself. The worm has bugs and replicates under Win9x only, not under WinNT. The worm appears as a "Fix20001.Exe" file attached to an e-mail message. The message has the subject "Internet problem year 2000." and the message text is written in two languages, Spanish and English:

Estimado Cliente: Rogamos actualizar y/o verificar su Sistema Operativo para el correcto funcionamiento de Internet a partir del Año 2000. Si Ud. es usuario de Windows 95 / 98 puede hacerlo mediante el Software provisto por Microsoft (C) llamado -Fix2001- que se encuentra adjunto en este E-Mail o bien puede ser descargado del sitio WEB de Microsoft (C) HTTP://WWW.MICROSOFT.COM Si Ud. es usuario de otros Sistemas Operativos, por favor, no deje de consultar con sus respectivos soportes tecnicos. Muchas Gracias. Administrador.

Internet Customer: We will be glad if you verify your Operative System(s) before Year 2000 to avoid problems with your Internet Connections. If you are a Windows 95 / 98 user, you can check your system using the Fix2001 application that is attached to this E-Mail or downloading it from Microsoft (C) WEB Site: HTTP://WWW.MICROSOFT.COM If you are using another Operative System, please don't wait until Year 2000, ask your OS Technical Support. Thanks. Administrator.
The worm also contains text strings that are used to generate and send attached data in an e-mail message, as well as the texts: RCPT TO: @hotmail.com> @ciudad.com.ar> Fix2001 THE REAL KEY TO LIVE A HAPPY LIFE, IS: BE A GOOD MAN. PARA CONSEGUIR LA VERDADERA FELICIDAD, SE UN BUEN TIPO.
Installation
The attached file (the worm itself) is a Windows executable file about 12Kb in length. When executed, it installs itself into the system Windows directory under the name FIX2001.EXE and registers itself in the "Run=" system registry key so that its copy is activated on each Windows restart:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Fix2001 = "FIX2001.EXE"

The worm then displays the following fake message to hide its activity:

Spreading
When run from the installed FIX2001.EXE copy, the worm registers itself as a system-service process (to hide its window and stay active after user logoff), using "AMORE_TE_AMO" as its identifying window title. It then gains access to the WSOCK32.DLL Internet connection library, obtains the addresses of the "connect" and "send" functions, patches them with call instructions to the worm's hook routines, and stays in Windows memory as a hidden application. When the Internet connection is activated, the worm scans data that is sent and received, obtains Internet addresses from it, and sends infected messages to these addresses.

Payload
The worm has a very dangerous payload that is activated when the text strings in the worm's body are patched or corrupted (this is possible because the data are transferred via Internet channels). In that case, the worm overwrites the C:\COMMAND.COM file with a DOS Trojan that, upon the next computer reboot, erases all data on the hard drive.
I-Worm.Fizzer
Description I-Worm.Fizzer
Fizzer is an Internet worm that spreads via e-mail messages and KaZaa shared directories. It also contains "backdoor" remote access features.

Installation
When the worm is launched, it creates the following files in the Windows directory:

iservc.exe (copy of the worm)
initbak.dat (copy of the worm)
ProgOp.exe (worm's component)
iservc.dll (keylogger library used by the worm)
iservc.klg (contains logged keystroke data)

The worm also writes a registry key to start itself automatically when Windows starts:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
SystemInit=(Windows directory path)\iservc.exe

Under Windows NT/2000/XP the worm is able to create a system service, but this ability is disabled by its author. It also registers as the default handler for files with the ".TXT" extension, so the worm is executed whenever such files are opened.

Replication: KaZaa
The worm copies itself to the KaZaa download directory with random filenames.

Replication: E-mail
The worm uses its own SMTP engine to send out its copies. The destination e-mail addresses are randomly generated or extracted from the Outlook and Windows address books. Infected messages have various subjects, bodies, and attachment names, which are generated from several large string lists. For example:

Subject: Re: ;(
Attachment: desktop.exe
Body: you must not show this to anyoneall

Subject: Re: I think you might find this amusing...
Attachment: Logan6.exe
Body: Let me know what you think of this...

Subject: Fwd: why?
Attachment: Taylor83.com
Body: Today is a good day to die...

Backdoor routine: IRC
The worm contains a list of IRC channels it tries to connect to in order to receive remote access commands from an attacker.

Backdoor routine: Other
The worm starts HTTP and telnet-like servers and binds them to pre-configured ports to provide remote access to the computer.

Other
The worm captures all keystrokes and writes them to the file named "iservc.klg" in the Windows directory. It also tries to download and install its updated version from a geocities user page. The worm tries to terminate processes that contain the following strings in their names: ANTIV AVP F-PROT NAV NMAIN SCAN TASKM VIRUS VSHW VSS

Most options, such as registry key names, IRC and SMTP server names, port numbers and action sequences, are pre-configured in a special data file that is encrypted and stored in the worm EXE file's resources.
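The Run-key persistence described for Fix2001 and Fizzer, and Fizzer's ".TXT" handler change, can be checked offline against a registry export. The following is an added triage example, not part of the original descriptions; it assumes a REGEDIT4-format export, uses a constructed sample, and assumes the standard txtfile open-command key, which the page does not name.

```python
import ntpath
import re

# Key and file names from the two worm descriptions above. Matching is on the
# file name only, since Fizzer's registry value names are configurable.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
RUN_FILES = ("fix2001.exe", "iservc.exe")
# Assumption: the usual .TXT open-handler key; the page does not name it.
TXT_KEY = r"hkey_classes_root\txtfile\shell\open\command"

# Constructed sample in REGEDIT4 export format (not from a real system).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"SystemInit"="C:\\WINDOWS\\iservc.exe"
"Fix2001"="FIX2001.EXE"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\WINDOWS\\iservc.exe %1"
'''

VALUE = re.compile(r'^(?:@|"(?P<name>(?:[^"\\]|\\.)*)")="(?P<data>(?:[^"\\]|\\.)*)"$')

def unescape(text):
    """Undo the backslash escaping used inside quoted .reg strings."""
    return re.sub(r"\\(.)", r"\1", text)

def parse_export(text):
    """Return {lower-cased key path: {value name: string data}} (REG_SZ only)."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := VALUE.match(line)):
            name = "@" if m.group("name") is None else unescape(m.group("name"))
            current[name] = unescape(m.group("data"))
    return keys

def find_persistence(keys):
    """List (kind, value name, data) entries that match the descriptions."""
    findings = []
    for name, data in keys.get(RUN_KEY, {}).items():
        # Works for bare names, full paths and paths containing spaces.
        if ntpath.basename(data.strip('"')).lower().startswith(RUN_FILES):
            findings.append(("run", name, data))
    handler = keys.get(TXT_KEY, {}).get("@", "")
    if "iservc.exe" in handler.lower():
        findings.append(("txt-handler", "@", handler))
    return findings
```

Calling find_persistence(parse_export(SAMPLE_EXPORT)) returns the two Run entries and the handler entry from the sample; the legitimate "SystemTray" value is not reported.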