Virus Database


Shanghai_II.4077

Description Shanghai_II.4077

It is a very dangerous memory-resident parasitic virus. It hooks INT 21h and writes itself to the end of COM and EXE files as they are executed. On GetDiskSpace DOS calls (INT 21h, AH=36h) the virus searches for files and infects them. The virus also looks for the files C:\COMMAND.COM and C:\DOS\COMMAND.COM and infects them. The virus checks file names and does not infect files whose names end with any of the following strings:
K3 PC 50 SM TM EA
FRAG COPY HINA V200 CDEX PLUS PROX CPAV ETUP TTTT IVER
MAIN INIT 0001 OUND S4GW WAR2 RIAN PC43 KE3D ORUN WPS

On the 13th of March, June, September and December the virus erases hard drive sectors and displays the message:
Shanghai No.1 2.0 PRO
Super Virus , designed by Microvirus , 09-13-1996 !


I-Worm.Sober.g

Description I-Worm.Sober.g

This worm spreads via email and file-sharing networks as an attachment to infected emails. It is written in Visual Basic and packed using UPX. The packed file is approximately 47KB in size, but may be slightly larger, as the worm may write random data to the end of the file.
Installation
The worm is activated when the file attached to the message is opened.
Once launched, the worm causes a fake error message to be displayed:
File not found
Special-UnZip Data-Module
is missing
Open with Notepad?
Yes No
If the user clicks Yes, the worm opens Notepad. The open Notepad window contains nonsense text. Mydoom used a similar diversionary trick.
The worm then creates a copy of itself in the Windows directory, saving it under a name chosen at random from the list below:
sys
host
dir
expolrer
win
run
log
32
disc
crypt
data
diag
spool
service
smss32
This file is then registered in the system registry auto-run key:
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"[random key name]" = "%System%\[file name]"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"[random key name]" = "%System%\[file name]"
The worm also creates a number of copies of itself and additional files and saves these under the following names in the Windows directory.
bcegfds.lll
zhcarxxi.vvx
cvqaikxt.apk
xdatxzap.zxp
datsobex.wwr
winzweier.dats
wincheck32.dats
winexpoder.dats
NoSpam.readme
Propagation
The worm searches local disks for files with the following extensions:
abc
abd
abx
adb
ade
adp
adr
asp
bak
bas
cfg
cgi
cls
cms
csv
ctl
dbx
dhtm
doc
dsp
dsw
eml
fdb
frm
hlp
imb
imh
imm
inbox
ini
jsp
ldb
ldif
log
mbx
mda
mdb
mde
mdw
mdx
mht
mmf
msg
nab
nch
nfo
nsf
nws
ods
oft
php
pl
pmr
pp
ppt
pst
rtf
shtml
slk
sln
stm
tbb
txt
uin
vap
vbs
vcf
wab
wsh
xhtml
xls
xml

From these files it harvests email addresses and then sends infected messages to those addresses. The worm connects directly to the SMTP server to send messages.
The headers and text of infected messages are in German or English. The headers and text are chosen and combined randomly from several dozen texts.
The attachment will have a .pif or .zip extension, with a random name.
Other
The worm has the ability to download and launch files from the following sites:
home.arcor.de
people.freenet.de
home.pages.at
scifi.pages.at
free.pages.at

I-Worm.Sobig

Description I-Worm.Sobig

Sobig is a worm spreading via the Internet as an attachment to infected emails. It also downloads and installs a backdoor program.
The worm itself is a Windows PE EXE file about 64 KB in length (when compressed by TeLock), and written in Microsoft Visual C++.
Infected messages have the following characteristics:
From:
big@boss.com

Subject: (one of the following)
Re: Movies
Re: Sample
Re: Document
Re: Here is that sample

Attachment: (one of the following)
Movie_0074.mpeg.pif
Document003.pif
Untitled1.pif
Sample.pif

The worm activates from an infected email only if the user opens the attached file. Once run, it installs itself on the system, then runs its spreading routine and payload.
Installing
While installing the worm copies itself to the Windows directory under the name WINMGM32.EXE and registers this file in the system registry auto-run key.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"WindowsMGM" = winmgm32.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
"WindowsMGM" = winmgm32.exe

Spreading via E-mail
To send infected messages the worm uses an SMTP server. The worm looks for files with the extensions *.WAB, *.DBX, *.HTM, *.HTML, *.EML and *.TXT and scans them for email address strings.
Spreading via Local Network
The worm enumerates network shares and tries to copy itself to one of the following folders under the name WINMGM32.EXE.
Windows\All Users\Start Menu\Programs\StartUp
Documents and Settings\All Users\Start Menu\Programs\Startup
Set-up for the Backdoor Program
The worm downloads a text file that contains a link to an executable PE file. It then downloads that executable into the Windows directory under the name DWN.DAT and runs it.
The worm contains the following text strings:
B.ROOT-SERVERS.NET A.ROOT-SERVERS.NET
a+ %s
big@boss.com
[A-Za-z0-9]+[A-Za-z0-9_.-]+@(([A-Za-z0-9-])+[.])+[A-Za-z]+
*.* x: From <%s> "%s" To Subject Date %s %s %c%4.4d H:mm:ss ddd, d MMM yyyy Importance
Microsoft Outlook Express 6.00.2600.0000 X-Mailer Normal X-MSMail-Priority 3 (Normal)
X-Priority ; filename=" attachment inline Content-Disposition:
Content-Transfer-Encoding: %s ; name="%s" Content-Type: %s Content Type
application/octet-stream --%s --%s-- Content-ID: <%s> Content-Transfer-Encoding: ;
charset="%s" text/ Content-Type: -- --%s Content-Type: multipart/alternative;
boundary="%s" CSmtpMsgPart123X456_001_%8.8X %s This is a multipart
message in MIME format %s: %s Message-ID 1.0 MIME-Version " ;
boundary=" mixed alternative related multipart/
CSmtpMsgPart123X456_000_%8.8X Content-
Type = =%2.2X -;.,?! Encoding took %dms all 7bit 8bit
quoted-printable base64 SMTP tcp text/plain iso-8859-1 QUIT
EHLO %s %s Password: Username: AUTH LOGIN MAIL FROM: <%s> RCPT TO: <%s>.
DATA http://www.geocities.com/reteras/reteral.txt 0 Hello Attached
file: Movie_0074.mpeg.pif Document003.pif Untitled1.pif Sample.pif Re:
Movies Re: Sample Re: Document Re: Here is that sample 2003.1.23
Ret code: %d sntmls.dat dwn.dat r WindowsAll UsersStart
MenuProgramsStartUp Documents and SettingsAll UsersStart
MenuProgramsStartup $ @pager.icq.com mail@mail.com Notify
pager.icq.com start WindowsMGM
SOFTWAREMicrosoftWindowsCurrentVersionRun wab dbx htm html eml txt
Worm.X winmgm32.exe Worm.X
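A defender-side check, added here and not code from the Virus-Database.com entries, that matches a host snapshot (file names from the Windows directory plus exported Run-key values) against the dropped-file and autorun indicators listed above for I-Worm.Sober.g and I-Worm.Sobig. The snapshot data below is constructed; the `.exe` extension on the Sober.g autorun sample is an assumption, so matching is done on the file stem.

```python
# Added defender-side check; not code from the Virus-Database.com entries.
from pathlib import PureWindowsPath

# I-Worm.Sober.g: files dropped into the Windows directory.
SOBER_G_FILES = {"bcegfds.lll", "zhcarxxi.vvx", "cvqaikxt.apk",
                 "xdatxzap.zxp", "datsobex.wwr", "winzweier.dats",
                 "wincheck32.dats", "winexpoder.dats", "nospam.readme"}
# I-Worm.Sober.g: random autorun value name, data %System%\<one of these>.
SOBER_G_STEMS = {"sys", "host", "dir", "expolrer", "win", "run", "log", "32",
                 "disc", "crypt", "data", "diag", "spool", "service", "smss32"}
# I-Worm.Sobig: dropped copy, downloaded payload, and fixed autorun value.
SOBIG_FILES = {"winmgm32.exe", "dwn.dat"}
SOBIG_RUN_VALUE = ("windowsmgm", "winmgm32.exe")
RUN_KEYS = {r"HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
            r"HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN"}


def check_snapshot(windows_files, run_values):
    """windows_files: iterable of file names in the Windows directory.
    run_values: {(run_key, value_name): value_data} exported from Run keys.
    Returns a sorted list of (family, evidence) pairs."""
    findings = set()
    names = {f.lower() for f in windows_files}
    for hit in names & SOBER_G_FILES:
        findings.add(("I-Worm.Sober.g", "dropped file " + hit))
    for hit in names & SOBIG_FILES:
        findings.add(("I-Worm.Sobig", "dropped file " + hit))
    for (key, value_name), data in run_values.items():
        if key.upper() not in RUN_KEYS:
            continue
        path = PureWindowsPath(data.strip('"'))
        where = key + "\\" + value_name
        if (value_name.lower(), path.name.lower()) == SOBIG_RUN_VALUE:
            findings.add(("I-Worm.Sobig", "autorun " + where))
        # Weaker indicator: literal %System% prefix plus a Sober.g name.
        elif (str(path.parent).lower() == "%system%"
              and path.stem.lower() in SOBER_G_STEMS):
            findings.add(("I-Worm.Sober.g", "autorun " + where))
    return sorted(findings)


# Constructed sample snapshot: one Sober.g drop file, one Sobig autorun
# entry, one Sober.g-style autorun entry and two benign items.
SAMPLE_FILES = ["explorer.exe", "notepad.exe", "WinCheck32.dats", "win.ini"]
SAMPLE_RUN = {
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "WindowsMGM"): "winmgm32.exe",
    (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "ctfmon"): r"C:\WINDOWS\system32\ctfmon.exe",
    (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "ab12cd"): r"%System%\crypt.exe",
}

if __name__ == "__main__":
    for family, evidence in check_snapshot(SAMPLE_FILES, SAMPLE_RUN):
        print(family, "-", evidence)
```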

    Copyright © 2005 Virus-Database.com