Taurus Family
Description Taurus Family
These are non-memory-resident parasitic viruses. They search for .COM files and write themselves to the end of each file found. They contain the text string: TAURUS (C) Prymityw 0.3
Depending on the system date, "Taurus.1852" infects files either with its complete copy, with a copy of the "Taurus.358" virus, or drops a trojan horse.
I-Worm.Duksten.a
Description I-Worm.Duksten.a
Duksten.a is a worm virus spreading via the Internet in ZIP files attached to infected emails. The worm itself is a Windows PE EXE file about 10KB in length, encrypted. In infected messages the attachment is a ZIP archive named SKUDO.ZIP that has the worm copy w_skudo.exe stored in it. The infected messages have an empty body and the following fields:

From: "ISP_Tecnico" <skudo@iris.es>
Subject: NetsKudo,proteccion IP para Windows9x/Me/Nt/2000/XP
Attach: SKUDO.ZIP

The worm activates from infected emails only if a user clicks on the attached file, extracts the EXE file from the ZIP archive, and runs it. The worm then installs itself to the system and runs its spreading routine and payload.

Installing
While installing, the worm copies itself to the Windows system directory with the name NetSkudo.exe and registers that file in the system registry auto-run key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
XRF = %SystemDir%\NetSkudo.exe

Spreading
To get victim email addresses the worm opens the WAB (Windows Address Book) database and reads emails from there. To send infected messages the worm uses a direct connection to the default SMTP server. There are several bugs in its email spreading routines, so the worm has problems spreading to "true" SMTP servers that follow email and transfer standards (RFC standards). While sending infected emails the worm also creates the following files in the Windows system directory:

mWAB.XRF - this file contains victim email(s)
mBase64.xrf - worm's ZIP file in MIME form
program.zip - worm's ZIP file

While storing itself in the ZIP archive the worm uses the "stored" compression method (i.e. the "do not compress" method).

Other
The worm also tries to infect other PE EXE files found on the hard drive of infected machines, but fails because of a bug.
I-Worm.Duksten.b
Description I-Worm.Duksten.b
Duksten.b (aka Protex) is a worm virus spreading via the Internet in ZIP files attached to infected emails. The worm itself is a Windows PE EXE file about 10KB in length, encrypted. In infected messages the attached file is a ZIP archive named PROTECT.ZIP, in which the worm copy ProTecT.exe is stored. The infected messages have an empty body and the following fields:

From:
Subject: ProTeccion TOTAL contra W32/Bugbear (30dias)
Attach: PROTECT.ZIP
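The message format of both variants (SKUDO.ZIP carrying w_skudo.exe for Duksten.a, PROTECT.ZIP carrying ProTecT.exe for Duksten.b, the lure subjects, and the "stored" ZIP method) is enough for a mail gateway to flag these messages. The following added example is not code from the original description; it parses a constructed sample message, checks the attachment against those indicators, and reports what matched. The sender address and the dummy EXE bytes are constructed.

```python
import email
import io
import zipfile
from email.message import EmailMessage

DUKSTEN_ARCHIVES = {"SKUDO.ZIP": "w_skudo.exe", "PROTECT.ZIP": "protect.exe"}  # archive -> worm file
DUKSTEN_SUBJECTS = {"NetsKudo,proteccion IP para Windows9x/Me/Nt/2000/XP",
                    "ProTeccion TOTAL contra W32/Bugbear (30dias)"}


def inspect_attachment(name, data):
    """Return the reasons a ZIP attachment matches the Duksten indicators (empty list if none)."""
    worm_file = DUKSTEN_ARCHIVES.get(name.upper())
    if worm_file is None:
        return []
    reasons = [f"attachment name {name} matches a known Duksten archive"]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return reasons + ["attachment is not a valid ZIP archive"]
    with zf:
        for info in zf.infolist():
            if info.filename.lower() == worm_file:
                reasons.append(f"archive contains {info.filename}")
            # Both variants add the EXE with the "stored" (no compression) method.
            if info.filename.lower().endswith(".exe") and info.compress_type == zipfile.ZIP_STORED:
                reasons.append(f"{info.filename} is stored uncompressed")
    return reasons


def scan_message(raw):
    # Parse a raw RFC 822 message and collect indicators from the subject and every attachment.
    msg = email.message_from_bytes(raw)
    findings = []
    if msg["Subject"] in DUKSTEN_SUBJECTS:
        findings.append("subject matches a known Duksten lure")
    for part in msg.walk():
        name = part.get_filename()
        if name and part.get_content_disposition() == "attachment":
            findings.extend(inspect_attachment(name, part.get_payload(decode=True)))
    return findings


def build_sample():
    # Constructed message resembling the Duksten.b lure; the "EXE" is harmless dummy bytes.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr("ProTecT.exe", b"dummy bytes, not an executable")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"  # constructed; the real message leaves From empty
    msg["Subject"] = "ProTeccion TOTAL contra W32/Bugbear (30dias)"
    msg.set_content("")  # the real lure has an empty body
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="PROTECT.ZIP")
    return msg.as_bytes()
```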
The worm activates from infected emails only if a user clicks on the attached file. Doing this extracts the EXE file from the ZIP archive and runs it. The worm then installs itself to the system and runs its spreading routine and payload.

Installing
While installing, the worm copies itself to the Windows system directory under the name PrTecTor.exe and registers this file in the system registry auto-run key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
XRF = %SystemDir%\PrTecTor.exe
The worm then displays a "fake" message: PrTecTor
Su Pc < -_NO_- > fue infectado por el W32/Bugbear
ProTecTor sera operativo durante 30dias pasado ese tiempo debera ReGistrar su copia siguiendo las instrucciones att::staff
[ OK ]
"Regedit" stealth
This worm also copies itself to the Windows directory under the name regedit.exe and makes a backup copy of the original REGEDIT.EXE file under the name m_regedit.exe. When a user starts REGEDIT, the worm copy gets control, deletes the worm's "Run" key from the system registry, and then executes the original REGEDIT from the "m_regedit.exe" file. When REGEDIT exits, the worm re-installs itself (including its registry "Run" key). As a result the worm hides its registry "Run" key whenever the REGEDIT utility is run.

Spreading
To get victim email addresses the worm opens the WAB (Windows Address Book) database and reads emails from there. To send infected messages the worm uses a direct connection to the default SMTP server. There are several bugs in the email spreading routines, therefore the worm has problems spreading itself to "true" SMTP servers that follow email and transfer standards (RFC standards). While sending infected emails the worm also creates the following files in the Windows system directory:

m_WAB.XRF - this file contains victim email(s)
m_Base64.xrf - worm's ZIP file in MIME form
m_prgrm.zip - worm's ZIP file

While storing itself in the ZIP archive the worm uses the "stored" compression method (i.e. the "do not compress" method).

Payload
Starting from January 1st, 2003 the worm reboots victim machines.

Removal
Run the "m_regedit.exe" file from the Windows directory (this is the original REGEDIT utility). Delete the worm's registry "Run" key (see above). Reboot the machine and remove the following files from the Windows system directory:

PrTecTor.exe
m_WAB.XRF
m_Base64.xrf
m_prgrm.zip

Next, go to the Windows directory, delete the "regedit.exe" file and then rename "m_regedit.exe" to "regedit.exe" (doing this restores the original REGEDIT utility).