Virus Database


BAT.Batalia3

Description BAT.Batalia3

This is a harmless, non-memory-resident parasitic BAT virus. It searches for BAT files in the current directory and infects them. While infecting a file, the virus runs the ARJ archiver to pack the necessary files. If there is no ARJ.EXE in the PATH, the virus fails to replicate.
The virus consists of two parts: code and data. The first part (the header) contains DOS commands:
@echo off
rem YYY
arj x %0 -g""bÑpß >nul
ren p Int
call i
ren Int a.bat
echo on
@call a
@echo off
del i.bat
del a.bat
del BATalia3
The second part (the rest of the file) is an ARJ archive. This archive contains the I.BAT file, which is the main virus code, and the additional files:
P, BATALIA3
The BATALIA3 file contains several additional batch commands. The P file contains the original code of the infected BAT file.
Thus any infected file contains both text strings (DOS commands) and binary data (the ARJ archive).
When executed, the virus runs the ARJ archiver, extracts I.BAT and runs it. This batch file then searches for uninfected BAT files in the current directory and infects them.
While infecting, the virus saves the original BAT file into the ARJ archive (as file P) and overwrites it. As a result, the length of a file infected by BAT.Batalia3 may be less than before infection.
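The layout described above (batch header text followed by an ARJ archive) gives a simple detection check. The following scanner is an added example, not code from the virus database; it looks for the header strings quoted above and then for the ARJ header magic (0x60 0xEA, a constant of the ARJ format) after them, and flags a .BAT file only when both are present. The sample inputs are constructed and contain no real archive.

```python
import os
import sys

# Magic bytes that open every ARJ archive header (0x60 0xEA); used to locate
# the binary part that the description says follows the batch header.
ARJ_MAGIC = b"\x60\xea"

# Strings from the batch header quoted in the description above.
BATALIA3_MARKERS = (b"rem YYY", b"arj x %0", b"del BATalia3")


def scan_batalia3(data: bytes) -> dict:
    """Classify one .BAT file's contents. Flags it only when every header
    marker is present and an ARJ header starts after the last of them."""
    markers = [m.decode() for m in BATALIA3_MARKERS if m in data]
    last_marker_end = max(
        (data.find(m) + len(m) for m in BATALIA3_MARKERS if m in data), default=-1
    )
    arj_offset = data.find(ARJ_MAGIC, last_marker_end) if last_marker_end >= 0 else -1
    infected = len(markers) == len(BATALIA3_MARKERS) and arj_offset != -1
    return {"markers": markers, "arj_offset": arj_offset, "infected": infected}


def scan_directory(directory: str) -> list:
    """Return the paths of .BAT files in `directory` that scan as infected."""
    hits = []
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if name.lower().endswith(".bat") and os.path.isfile(path):
            with open(path, "rb") as fh:
                if scan_batalia3(fh.read())["infected"]:
                    hits.append(path)
    return hits


# Constructed samples (not real malware): the header text from the description,
# followed by the two ARJ magic bytes and zero filler instead of a real archive.
SAMPLE_INFECTED = (
    b"@echo off\r\nrem YYY\r\narj x %0 -g\"\"b\xd1p\xdf >nul\r\nren p Int\r\n"
    b"call i\r\nren Int a.bat\r\necho on\r\n@call a\r\n@echo off\r\n"
    b"del i.bat\r\ndel a.bat\r\ndel BATalia3\r\n" + ARJ_MAGIC + b"\x00" * 16
)
SAMPLE_CLEAN = b"@echo off\r\nrem YYY\r\necho hello\r\n"  # one marker, no archive

if __name__ == "__main__":
    print(scan_batalia3(SAMPLE_INFECTED))
    print(scan_batalia3(SAMPLE_CLEAN))
    for hit in scan_directory(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("suspicious:", hit)
```

Run it with a directory argument to scan that directory's .BAT files; without one it reports on the two constructed samples and the current directory.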


I-Worm.Mydoom.n

Description I-Worm.Mydoom.n

This worm spreads via the Internet as an attachment to infected messages.
The worm itself is a PE EXE file of 35,328 bytes in size, packed using ASPack.
It is a copy of I-Worm.Mydoom.m, and differs only in the size of the file and the packing program used.

I-Worm.Mydoom.q

Description I-Worm.Mydoom.q

Mydoom.q is an Internet worm that spreads via an email attachment. It is written in C++ and packed with UPX. The compressed file is 27136 bytes in size; unpacked, it is 65024 bytes.
Installation
Once Mydoom.q is launched it copies the main component into the Windows directory under the name rasor38a.dll and into the Windows system folder under the name winpsd.exe. Finally, Mydoom.q creates the following key in the system registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winpsd"="<Windows System Folder>\winpsd.exe"
Mydoom.q also creates a mutex named 43jfds93872 to prevent duplicate infections.
Propagation
Mydoom.q scans the infected machine for files with the following extensions:
txt
htmb
shtl
phpq
aspd
dbxn
tbbg
adbh
pl
wab
Email characteristics
Subject:
photos
Body text:
LOL!;))))
Attachment name:
photos_arc.exe
Payload
Mydoom.q attempts to download Backdoor.Win32.Surila.g, a Trojan, from a list of infected sites contained in the body of the worm:
http://www.richcolour.com/ispy.x.xxx
http://www.richcolour.com/coco3.xxx
http://www.richcolour.com/guestbook/temp/temp587.xxx
http://zenandjuice.com/guestbook/temp/temp728.xxx
If the backdoor is downloaded successfully, it is saved in the Windows directory under the name winvpn32.exe and then launched. A key is also created in the system registry signaling successful installation:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer]
"InstaledFlashhMX"="1"
Mydoom.q checks this flag and stops attempting to download the Trojan once the flag is set to '1'.
Other
Mydoom.q is programmed to stop spreading on August 20 at 21:11:11 (according to the local machine time).
However, Backdoor.Win32.Surila.g does not have an expiration date, meaning that infected machines remain open to remote administration unless the Trojan is removed.


    Copyright © 2005 Virus-Database.com