Virus Database


TPVO.Stealth.803.a

Description TPVO.Stealth.803.a

This is a harmless memory resident parasitic stealth virus. It hooks INT 21h, and writes itself to the end of COM files that are executed. The virus contains the text string:
- Stealth demo by Dark Slayer of TPVO -


I-Worm.Netsky.t

Description I-Worm.Netsky.t

This worm spreads via the Internet as an attachment to infected emails.
The worm itself is a Windows PE EXE file of approximately 18KB, packed using UPX and written in Microsoft Visual C++.
Characteristics of infected messages
Message header (chosen at random from the list below)
Approved
Hello
Hi
Important
My Re: Approved
Re: Hello
Re: Hi
Re: Important
Re: My Re: Request
Re: Thanks you!
Re: Your Re: Your document
Re: Your information
Request
Thank you!
Your Your document
Your information
Message body (chosen at random from the texts below)
Approved, here is the document.
For more details see the attached document.
For more information see the attached document.
Hello!
Here is the "all".
Here is the document.
Hi!
I have found the "...".
I have sent the "...".
I have spent much time for the "...".
I have spent much time for your document.
My "..." is attached.
My "...".
Note that I have attached your document.
Please have a look at the "...".
Please have a look at the attached document.
Please notice the attached "...".
Please notice the attached document.
Please read quickly.
Please read the "...".
Please read the attached document.
Please see the "...".
Please, "...".
See the document for details.
Thank you
Thanks
The "..." is attached.
The "...".
The requested "..." is attached!
Your "..." is attached.
Your "...".
Your file is attached to this mail.
Yours sincerely
The worm inserts a random entry from the list below between the quotation marks.
abuse list
account
answer
approved document
approved file
archive
bill
concept
contact list
corrected document
description
detailed document
developement
diggest
document
e-mail
excel document
file
final version
homepage
icq number
important document
improved document
improved file
info
information
instructions
letter
list
mail
message
movie document
new document
note
notice
number list
old document
order
personal message
phone number
photo document
picture document
postcard
powerpoint document
presentation document
release
report
requested document
sample
secound document
story
summary
text
textfile
user list
word document
Attachment
A file with a .pif extension and a randomly generated name.
The worm is activated when the user opens the attached file.
Once launched, the worm installs itself to the system and starts propagating.
Installation
When installing, the worm copies itself to the Windows directory under the name EastAV.exe and registers this file in the system registry auto-run key:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"EastAV"="%windir%\EastAV.exe"
Mass mailing
The worm searches for files with the extensions listed below:
adb
asp
cfg
cgi
dbx
dhtm
doc
eml
htm
html
jsp
mbx
mdx
mht
mmf
msg
nch
ods
oft
php
pl
ppt
rtf
sht
shtm
stm
tbb
txt
uin
vbs
wab
wsh
xls
xml
The worm harvests email addresses from these files and sends copies of itself to all addresses found.
The worm uses its own SMTP library to send messages.
Other
Depending on the local system clock settings, the worm attempts to conduct DoS attacks on the following sites:
www.cracks.am
www.emule.de
www.freemule.net
www.kazaa.com
www.keygen.us

I-Worm.NetSky.y

Description I-Worm.NetSky.y

This worm spreads via the Internet as a file attached to infected messages. It is written in Microsoft Visual C++ and packed using PE_Patch+TeLock. The packed file is 26112 bytes in size, and the unpacked file is 28160 bytes in size.
Infected messages
The characteristics of infected messages vary according to domain:
Sender's address:
hukanmikloiuo@yahoo.com
Domain ".tc":
Message header:
Re: belge
Message body
mutlu etmek okumak belgili tanimlik belge.
Attachment name
belge.pif
Domain ".se":
Message header
Re: dokumenten
Message body
Behaga läsa dokumenten.
Attachment name
dokumenten.pif
Domain ".fi":
Message header
Re: dokumentoida
Message body
Haluta kuulua dokumentoida.
Attachment name
dokumentoida.pif
Domain ".pl":
Message header
Re: udokumentowac
Message body
Podobac sie przeczytac ten udokumentowac.
Attachment name
udokumentowac.pif
Domain ".no":
Message header
Re: dokumentet
Message body
Behage lese dokumentet.
Attachment name
dokumentet.pif
Domain ".pt":
Message header
Re: original
Message body
Leia por favor o original.
Attachment name
original.pif
Domain ".it":
Message header
Re: documento
Message body
Legga prego il documento.
Attachment name
documento.pif
Domain ".fr":
Message header
Re: document
Message body
Veuillez lire le document.
Attachment name
document.pif
Domain ".de":
Message header
Re: dokument
Message body
Bitte lesen Sie das Dokument.
Attachment name
dokument.pif
Other Domains:
Message header
Re: document
Message body
Please read the document.
Attachment name
document.pif
The worm is activated only if the user launches the infected file by double-clicking the attachment. The worm then installs itself on the system and starts propagating.
Installation
When installing, the worm copies itself under the name FirewallSvr.exe to the Windows folder and registers this file in the system registry autorun key:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\FirewallSvr]
Mass mailing
The worm searches for files with the extensions adb, asp, dbx, doc, eml, htm, html, msg, oft, php, pl, rtf, sht, tbb, txt, uin, vbs, wab, harvests email addresses from them, and then sends copies of itself to these addresses. It creates a file in the Windows directory called fuck_you_bagle.txt, and writes its body to this file. This file is then used to generate infected messages.
Remote administration
The worm opens port 82 and tracks port activity. The backdoor function makes it possible for files to be downloaded onto the victim machine.
Other
The worm is programmed to carry out DoS attacks between the 27th and 30th April on the following servers:
www.educa.ch
www.medinfo.ufl.edu
www.nibis.de
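
The message characteristics listed for I-Worm.NetSky.y translate directly into a mail-gateway triage check. The following is an added example, not part of the original database entry: it scores a raw message against the sender address, the .pif attachment type, and the per-domain "Re: <word>" / "<word>.pif" pairs from the table above. The function names and the constructed test messages are assumptions made for illustration.

```python
from email import message_from_string
from email.message import EmailMessage

# Per-domain keyword from the I-Worm.NetSky.y table: the subject is
# "Re: <word>" and the attachment is "<word>.pif".
WORDS = {
    ".tc": "belge", ".se": "dokumenten", ".fi": "dokumentoida",
    ".pl": "udokumentowac", ".no": "dokumentet", ".pt": "original",
    ".it": "documento", ".fr": "document", ".de": "dokument",
    "other": "document",
}
KNOWN_SENDER = "hukanmikloiuo@yahoo.com"  # sender address listed in the entry


def attachment_names(msg):
    """Lower-cased filenames of every MIME part that declares one."""
    return [p.get_filename().lower() for p in msg.walk() if p.get_filename()]


def score_message(raw):
    """Return the NetSky.y indicators matched by a raw RFC 822 message."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip().lower()
    names = attachment_names(msg)
    hits = []
    if KNOWN_SENDER in (msg.get("From") or "").lower():
        hits.append("sender")
    if any(n.endswith(".pif") for n in names):
        hits.append("pif-attachment")
    # Subject and attachment must come from the same table row.
    for word in sorted(set(WORDS.values())):
        if subject == "re: " + word and word + ".pif" in names:
            hits.append("template:" + word)
    return hits


def build_sample(sender, subject, filename):
    """Constructed test message (not a real sample) with a 1-byte attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@example.de", subject
    m.set_content("constructed body")
    m.add_attachment(b"\x00", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()


if __name__ == "__main__":
    print(score_message(build_sample(KNOWN_SENDER, "Re: dokument", "dokument.pif")))
    print(score_message(build_sample("a@example.org", "Re: document", "notes.pdf")))
```

A subject match alone is deliberately not scored, since "Re: document" is common in legitimate mail; the template hit requires the matching .pif attachment as well.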

    Copyright © 2005 Virus-Database.com