Trojan-Downloader.JS.Miner
Description
This Trojan downloads other malicious programs to the victim machine. It is written in JavaScript and is between 1 and 3KB in size. The program code may be encoded using Jscript.Encode.

Payload
The Trojan downloads and launches other Trojans on the victim machine without the user's knowledge or
I-Worm.Nevezed (aka Never)
Description
Nevezed is a worm virus spreading via Microsoft Outlook. The worm itself is a JavaScript file about 4KB in size and written in Java.

Installation
During installation the worm copies itself to the Windows system StartUp directory under the name "StartUp.js" and to the Windows System directory under the name "CmdWsh32.js". It then registers this latter file in the system registry as a java-class file. The worm also creates a backup copy of itself in the root directory of other drives.

Spreading: Email
To send infected messages the worm uses MS Outlook to send messages to all the addresses found in a victim's Outlook address book. Infected messages sent by the worm have various subject titles. Possible subject titles could be:

  Hello name
  Hey name
  Fwd: Hey You!
  Fwd: Check this!
  Fwd: Just Look
  Fwd: Take a look!
  Fwd: Loop at this!
  Fwd: Check this out!
  Fwd: It's Free!
  Fwd: Look!
  Fwd: Free Mp3s!
  Fwd: Here you go!
  Fwd: Have a look!
  Look name!
  Fwd: Read This!

Message body text is as follows:

  Hello! Check out this great list of mp3 sites that I included in the attachments! I can get any Mp3 file that I want from these sites, and its free! And please don't be greedy! forward this email to all the people that you consider friends, and Let them benefit from these Mp3 sites aswell! Enjoy !

Infected messages contain one of the following attachments:

  Free_Mp3s.js
  Fwd_Mp3s.js
  Mp3_Sites.js
  Mp3_Web.js
  Mp3_List.js
  Mp3_Pages.js
  Web_Mp3s.js
  Mp3-Sites.js
  Fwd-Mp3s.js
  Mp3-Fwd.js
  Fwd-Sites.js
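A mail-gateway style check for the Nevezed subject lines, body text and attachment names listed above. This is an added example, not part of the original description; the function names, the constructed sample message and the rule of requiring a listed attachment plus one more indicator are assumptions.

```python
import re
from email import message_from_string
# Indicators copied from the description above (matched case-insensitively).
ATTACHMENTS = {n.lower() for n in (
    "Free_Mp3s.js Fwd_Mp3s.js Mp3_Sites.js Mp3_Web.js Mp3_List.js Mp3_Pages.js "
    "Web_Mp3s.js Mp3-Sites.js Fwd-Mp3s.js Mp3-Fwd.js Fwd-Sites.js").split()}
FIXED_SUBJECTS = {s.lower() for s in (
    "Fwd: Hey You!", "Fwd: Check this!", "Fwd: Just Look", "Fwd: Take a look!",
    "Fwd: Loop at this!", "Fwd: Check this out!", "Fwd: It's Free!", "Fwd: Look!",
    "Fwd: Free Mp3s!", "Fwd: Here you go!", "Fwd: Have a look!", "Fwd: Read This!")}
# "Hello name", "Hey name", "Look name!": the name part varies per recipient.
NAMED_SUBJECT = re.compile(r"^(hello|hey) \S.*$|^look \S.*!$", re.I)
BODY_MARKER = "great list of mp3 sites"
# Constructed sample message, not a captured one; the attachment is a placeholder.
SAMPLE = """\
Subject: Fwd: Free Mp3s!
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hello! Check out this great list of mp3 sites that I included in the attachments!
--b1
Content-Disposition: attachment; filename="MP3_LIST.JS"

placeholder
--b1--
"""

def nevezed_indicators(raw_message):
    """Return the Nevezed indicators found in one RFC 822 message."""
    msg = message_from_string(raw_message)
    hits = []
    subject = " ".join((msg.get("Subject") or "").split())
    if subject.lower() in FIXED_SUBJECTS or NAMED_SUBJECT.match(subject):
        hits.append("subject")
    for part in msg.walk():
        name = (part.get_filename() or "").strip()
        if name.lower() in ATTACHMENTS:
            hits.append("attachment:" + name)
        elif not name and part.get_content_type() == "text/plain":
            text = (part.get_payload(decode=True) or b"").decode("latin-1")
            if BODY_MARKER in text.lower():
                hits.append("body")
    return hits

def is_suspect(raw_message):
    """Quarantine rule: a listed attachment name plus one more indicator."""
    hits = nevezed_indicators(raw_message)
    return len(hits) >= 2 and any(h.startswith("attachment:") for h in hits)
```

The "Hello name" and "Hey name" subjects also match ordinary mail, which is why the rule does not act on a subject match alone.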
I-Worm.NewApt.a
Description
This is a virus-worm that spreads via the Internet. It was discovered "in-the-wild" in the middle of December 1999. The worm itself is a Windows EXE file about 70Kb in length. It is transferred via the net in e-mail messages with an infected attachment. The name of the attached worm copy is randomly selected by the worm, while being sent, from 26 variants:

  panther.exe
  farter.exe
  gadget.exe
  boss.exe
  irngiant.exe
  monica.exe
  casper.exe
  saddam.exe
  fborfw.exe
  party.exe
  cupid2.exe
  hog.exe
  party.exe
  goal1.exe
  bboy.exe
  pirate.exe
  baby.exe
  video.exe
  goal.exe
  copier.exe
  theobbq.exe
  cooler1.exe
  panthr.exe
  cooler3.exe
  chestburst.exe
  g-zilla.exe

The message subject is: "Just for your eyes". Other variants of the subject are also possible: in some cases, the worm puts "Re:" in the subject and adds some text there (answers messages found in mail databases?). The message text contains lines in plain text format:

  he, your lame client cant read HTML, haha.
  click attachment to see some stunningly HOT stuff

as well as text in HTML format:

  Hypercool Happy New Year 2000 funny programs and animations
  We attached our recent animation from this site in our mail! Check it out!

To send itself to the Internet, the worm uses an SMTP connection, which means the worm's spreading routines do not depend on the mailing software installed on the system.

When an infected message is received and the attached EXE file is executed, the worm gets control and installs itself into the system. It copies itself with its current name (as the worm arrived in the e-mail) to the Windows directory and registers this copy in the system registry in the "Run=" section:

  SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  "tpawen" = "C:\WIN\PANTHER.EXE /x"

Note that the worm name (here it is "PANTHER") is not constant and can be one of the names listed above.

To hide its activity, the worm displays a fake message:

  The dinamic link library giface.dll could not be found in specified path:
  C:\WINDOWS\SYSTEM;C:\WINDOWS;C:\WINDOWS\COMMAND;

where the second line is the infected machine's Windows system directory name, plus the "Path" and "SystemRoot" system variable strings.

The virus also creates and initializes registry keys for its own use:

  HKEY_CURRENT_USER\Software\Microsoft\Windows
  itn =
  cat =
  cd =
  lk =
  lms =
  mda =
  mde =

The worm then registers itself as a service process (not visible in the task list), and stays as a hidden application.

The worm's main routines (there are two working in the background) then periodically scan drives for Internet-related files (MS Mail, Outlook Express, Netscape Navigator and other files), open these files, get Internet addresses from there and send worm copies to these addresses.

The worm's life-time
Starting from June 12th 2000, the worm removes the "Run=" string from the system registry and does not install itself into the system. So, this worm's lifetime is limited by this date. Anyway, the worm copies are left in the system and they may be activated if the system date is set to a wrong date.

Trigger routines
The worm's main trigger routine activates starting from 00:00 December 26th according to the system date and time. Every 3 seconds, the worm tries to connect to a remote computer somewhere at Microsoft - this is a standard DoS attack (Denial of Service).

Independent of the system date, but depending on some other conditions, the worm calls a phone number randomly selected from a list. These numbers seem to belong to some (one) company.

More versions
At the end of December 1999, more versions of this worm were found "in-the-wild". The differences are (original worm version is also included):

DoS attack on some Microsoft machine on:
  "NewApt.a" - December 26 1999
  "NewApt.b,c" - February 2 2000

Removing "tpawen" key from the registry and deactivation:
  "NewApt.a" - June 12 2000
  "NewApt.b,c" - July 12 2000