Virus Database


Tadpole.2792

Description Tadpole.2792

This is a relatively harmless memory resident parasitic virus. It hooks INT 21h and 2Fh and writes itself to the end of COM and EXE files that are executed. Starting from the 28th of any month, the virus also hooks INT 8 and 9, disables the keyboard for several minutes, displays a message and draws a crude image of a tadpole moving across the screen. The message appears as follows:
PHILIPPINES 2000, Greetings!
This tadpole lurks behind your empty mindall
It wriggles thru your brain just to remind:
You ought to have a sense of real concern
On virus strains that plagued, you've got to learn.
What have you done to clean this dirty world?
Have you taken steps on bogus softwares sold?
What have you done to lethal engineers
Who did create those worms and viral smears?
This tadpole lurks behind your empty mind...
If you've done nothin' you will surely find:
This tadpole leaps out of you brainless fools!
To breed a million more of wriggling--- TADPOLES...
Soon, silicon-based artificial life-forms will rule this organic world...
The creator will disavow any knowledge of my actions.
(Sgd) CCCv (c) Outlawed Technology Section, CCC CompE... Hail U.C.!


I-Worm.Magistr.a

Description I-Worm.Magistr.a

This is a very dangerous memory resident Win32 worm combined with virus infection routines. It spreads via the Internet with infected e-mails, infects Windows executable files on an infected machine (local machine), and is able to spread itself over a local network.
The virus has an extremely dangerous payload: depending on various conditions, it erases hard drive data, CMOS memory and Flash memory in the same way the Win95.CIH (aka Chernobyl) virus does.
The virus contains the following "copyright" text in its body:
ARF! ARF! I GOT YOU! v1rus: Judges Disemboweler.
by: The Judges Disemboweler. written in Malmo (Sweden)
The virus itself is about 30Kb in length and is written in Assembler, which is very large for a virus written in pure Assembler. The size is explained by the virus's Win32 EXE infection algorithm, its e-mail and network spreading routines, two polymorphic engines, its payload routines and the many anti-debugging and other tricks it uses to make detection and disinfection more difficult. This makes it one of the most complex viruses known at the moment.
The virus was found in-the-wild in the middle of March 2001.
Infected File Run
When the virus is run (for example, when a user clicks on an infected attachment in an infected message), it installs itself as memory resident in Windows memory, then runs in the background, lies dormant for a few minutes and runs its routines: local and network Win32 EXE file infection, e-mail spreading, etc.
To install itself as memory resident, the virus gains access to the memory of the EXPLORER.EXE process (the EXPLORER.EXE program image that is actually running in Win32 memory) and patches it with a short 110-byte "loader" routine that runs the main virus code in EXPLORER's memory. The virus therefore stays resident as a component of the EXPLORER.EXE process and operates in the background as an EXPLORER thread. Before running its routines, the virus lies dormant for 3 minutes.
The virus then obtains a file (usually the first file) in the Windows directory, infects it and registers this file in the Windows auto-run Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run and in the "run=" instruction of the [windows] section of the WIN.INI file. The virus code is thus activated upon each Windows restart.
This file is infected so that the host program is not activated after the virus is run (control is not returned to the host program, and an infected application just exits). Thus, the virus activates itself from the system Registry or from a WIN.INI file without any side effects (as an unasked-for application run upon each Windows start-up).
The virus then runs its infection routines, scanning directories and available drives for Win32 PE .EXE and .SCR files and infecting them. First of all, the virus tries the WINNT, WINDOWS, WIN95 and WIN98 directories and infects the files there. This routine is randomly activated in 3 out of 4 cases.
Next, the virus scans all local drives and infects files in them.
The virus then enumerates network resources that are shared for full access, looks for WINNT, WINDOWS, WIN95, and WIN98 directories in there, and infects files in these directories. The virus also registers itself in there by writing a "run=" instruction to a WIN.INI file. Thus, remote Win9x systems are infected upon the next Windows start-up.
While processing the drives, the virus creates a special .DAT file for its own use. The file name and location depend on the network name of the current machine, for example:

Machine name -> File name
WIN98 -> CQL98.DAT
PUPKIN -> JEJOQL.DAT
CS-GOAT -> WG-SKYF.DAT

This file is created in the Windows directory, or in the ProgramFiles directory, or in the root directory of the C: drive, or in the root directory of the system drive.
Infecting Files
The virus infects PE EXE files (Win32 executables) in a complex and difficult-to-disinfect way. The virus encrypts its main code with a polymorphic engine and writes this to the end of the file. To gain control upon infected-file start-up, the virus patches a victim-program entry code with one more polymorphic routine that passes control to the end of the file to the main encrypted virus code.

The virus infection routine has bugs, and in some cases, it corrupts files while infecting. These files are not disinfectable and should be deleted.
E-mail spreading
To send infected e-mails, the virus reads from the system registry the settings of whichever of the following three e-mail clients is installed:
Outlook Express
Netscape Messenger
Internet Mail and News
The virus then scans the e-mail database files of that client, obtains e-mail addresses from them and sends copies of itself to those addresses.
The Subject is empty or randomly constructed from words and sentences that are found in .DOC and .TXT files in the system (the virus also scans local drives for these files and obtains texts from there). Also in a random manner, the virus uses words and sentences from the following list:
sentences you
sentences him to
sentence you to
ordered to prison
convict
, judge
circuit judge
trial judge
found guilty
find him guilty
affirmed
judgment of conviction
verdict
guilty plea
trial court
trial chamber
sufficiency of proof
sufficiency of the evidence
proceedings
against the accused
habeas corpus
jugement
condamn
trouvons coupable
à rembourse
sous astreinte
aux entiers dépens
aux dépens
ayant délibéré
le présent arrêt
vu l',27h,'arrêt
conformément à la loi
exécution provisoire
rdonn
audience publique
a fait constater
cadre de la procédure
magistrad
apelante
recurso de apelaci
pena de arresto
y condeno
mando y firmo
calidad de denunciante
costas procesales
diligencias previas
antecedentes de hecho
hechos probados
sentencia
comparecer
juzgando
dictando la presente
los autos
en autos
denuncia presentada

While looking for .DOC files in the system, the virus may pick up an MS Word document file instead of a "pure" text file, so it is possible that the "Subject" field will contain "garbage": random letters that the virus obtains from the binary structure of MS Word documents.
The messages may have no body (no text in the message), or a body randomly constructed in the same way as the Subject (see above).
The attached file name varies. The virus looks in the system for a PE .EXE or .SCR file of up to 132K in length, infects it and attaches it to the message.
In some cases, the virus fails to infect the file, and an "infected" e-mail message leaves the computer without an infected .EXE or .SCR file.
In one out of five cases, the virus also attaches a .DOC or .TXT file that it found while scanning files for Subject and message body texts. So, a randomly selected .DOC or .TXT file may escape from the system, possibly causing the disclosure of confidential information.
All in all, the message the virus sends out of an infected PC contains the following:
a "strange" or empty Subject and message body
an .EXE or .SCR file (infected or clean)
possibly a second attached file, a .DOC or .TXT
While sending infected messages, the virus connects to one of three e-mail servers using the SMTP protocol and sends the messages through it.
In 4 out of 5 cases, the virus randomly corrupts the second letter of the sender name.
The virus stores ten e-mail addresses of already infected users (a history of spreading - the 10 most recent e-mail addresses the virus spread from) in its body. While spreading, the virus compares a victim's e-mail address with this list, and does not send messages to addresses that are already infected.
As a side effect, it is possible to reconstruct the "virus spreading history": where it spread from and which computers were infected.
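The message shape described above (empty or random Subject and body, a small .EXE/.SCR attachment, optionally a stolen .DOC/.TXT) can be turned into a mail-gateway triage check. The code below is an added example, not part of the original page: it parses one raw message with Python's standard email library and scores it against those traits; the sample message it builds is constructed for the demo and is not a real Magistr sample.

```python
import email
from email import policy
from email.message import EmailMessage

EXE_EXT = (".exe", ".scr")
DOC_EXT = (".doc", ".txt")
MAX_ATTACH = 132 * 1024  # the worm attaches an .EXE/.SCR of up to 132K


def triage_magistr(raw: bytes) -> dict:
    """Score one raw RFC 822 message against the traits listed on the page."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    f = {"empty_subject": not (msg.get("Subject") or "").strip(),
         "empty_body": True, "exe_attachment": None, "doc_attachment": None}
    for part in msg.walk():
        name = part.get_filename()
        if name:
            low = name.lower()
            data = part.get_payload(decode=True) or b""
            if low.endswith(EXE_EXT) and len(data) <= MAX_ATTACH:
                f["exe_attachment"] = name
            elif low.endswith(DOC_EXT):
                f["doc_attachment"] = name
        elif part.get_content_type() == "text/plain":
            # the real body, not an attached .TXT (attachments carry a filename)
            if part.get_content().strip():
                f["empty_body"] = False
    # An executable attachment with no real Subject or body is the Magistr shape.
    f["suspicious"] = bool(f["exe_attachment"]) and (f["empty_subject"] or f["empty_body"])
    return f


def build_sample(with_exe: bool = True) -> bytes:
    """Constructed test message: no Subject header, empty body, two attachments."""
    m = EmailMessage()
    m["From"] = "sender@example.test"
    m["To"] = "victim@example.test"
    m.set_content("")
    if with_exe:
        m.add_attachment(b"MZ" + b"\0" * 62, maintype="application",
                         subtype="octet-stream", filename="report.scr")
    m.add_attachment(b"quarterly notes", maintype="text", subtype="plain",
                     filename="memo.txt")
    return m.as_bytes()
```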
Payload
Depending on its internal counters, the virus runs a payload that takes control of the Windows desktop and prevents the mouse from reaching the desktop icons: when the mouse cursor is moved towards an icon, the virus moves the icon away from the cursor, so the desktop icons appear to "escape" the mouse cursor.

One month after infecting the computer, the virus runs its payload routine that overwrites all disk files with the text "YOUARESHIT" on all local and network drives. Under Win9x, the virus also erases CMOS, Flash and hard drive data.
The virus then displays the message:
Another haughty bloodsucker.......
YOU THINK YOU ARE GOD ,
BUT YOU ARE ONLY A CHUNK OF SHIT

I-Worm.Magistr.b

Description I-Worm.Magistr.b

This is an improved version of the original "Magistr" email worm and Win32 PE EXE files infector.
The differences are:
The payload routine is improved by another branch that overwrites the WIN.COM file in the Windows directory and the NTLDR file in the C: root directory with a program that erases hard drive data upon start-up. This is done for local drives and for network shared drives as well.
While infecting a local file, this virus encrypts the entry routine with a key that depends on the computer's name. This makes disinfection of an infected machine much more difficult.
To spread via e-mail, the worm also looks for Eudora e-mail data.
While infecting network drives, the worm looks for more Windows directory names:
WINNT
WINDOWS
WIN95
WIN98
WINME
WIN2000
WIN2K
WINXP
The worm copy is then registered in the WIN.INI and SYSTEM.INI files in the following sections:
WIN.INI: [windows] section, "run=" instruction
SYSTEM.INI: [boot] section, "shell=" instruction
The worm looks for GIF files and can send GIF images out of the computer, as well as clean DOC files (as the original version does).
The worm deletes .NTZ files whenever it finds them. It also attempts to terminate the ZoneAlarm firewall if it is installed, but fails, and ZoneAlarm continues to protect the machine.
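Both variants persist through the WIN.INI "run=" line (Magistr.a) and Magistr.b additionally through the SYSTEM.INI "shell=" line, so an audit of those two INI keys catches either registration. The code below is an added example, not from the page: the INI contents are constructed for the demo, and NOTEPAD.EXE merely stands in for the infected file the worm registers.

```python
import configparser

# Constructed WIN.INI / SYSTEM.INI contents (not taken from the page); the extra
# program on the run= and shell= lines stands in for the file the worm registers.
WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\NOTEPAD.EXE
NullPort=None
"""
SYSTEM_INI = """[boot]
shell=Explorer.exe C:\\WINDOWS\\NOTEPAD.EXE
[386Enh]
device=*vmcpd
"""


def _parse(text: str) -> configparser.ConfigParser:
    # strict=False tolerates the duplicate keys real SYSTEM.INI files contain
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    return cp


def audit_ini_autostart(win_ini: str, system_ini: str, run_allowlist=()) -> list:
    """Return one finding per unexpected auto-start entry in the two sections the worm uses."""
    findings = []
    allowed = {a.lower() for a in run_allowlist}
    run = _parse(win_ini).get("windows", "run", fallback="")
    for entry in run.replace(",", " ").split():  # run= lists programs separated by commas or spaces
        if entry.lower() not in allowed:
            findings.append(f"WIN.INI [windows] run= launches {entry}")
    shell = _parse(system_ini).get("boot", "shell", fallback="").split()
    if [s.lower() for s in shell] != ["explorer.exe"]:  # anything appended to the shell line is suspect
        findings.append("SYSTEM.INI [boot] shell= is not plain Explorer.exe: " + " ".join(shell))
    return findings
```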

Copyright © 2005 Virus-Database.com