Trojan.Win32.Coke
Description Trojan.Win32.Coke
When run, this Trojan copies itself to the Windows SYSTEM directory under the name SHLHMP.EXE, then registers this copy in the system registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run so that it is executed on the next Windows start-up. The Trojan then looks for all files in the directory tree of the disk where Windows is located (excluding the Windows directory) and overwrites them with the following text:

This file cracked by CoKeBoTtLe98
I-Worm.Navidad
Description I-Worm.Navidad
This is an Internet worm that spreads by e-mail using MAPI (Outlook). The worm itself is a Windows EXE file about 32K in length. It arrives attached to e-mails under the name NAVIDAD.EXE. When the worm is activated, it copies itself to the Windows system directory under the name WINSVRC.VXD and registers itself in the system. While registering, the worm uses a wrong name, WINSVRC.EXE, instead of WINSVRC.VXD ("EXE" instead of "VXD"), so the worm's "VXD" copy is not functional at this time. While registering in the system, the worm modifies two registry keys:

SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Win32BaseServiceMOD = %SystemDir%\winsvrc.exe

HKEY_CLASSES_ROOT\exefile\shell\open\command
{Default} = %SystemDir%\winsvrc.exe %1 %*

where %SystemDir% is the Windows system directory name (for example, C:\WINDOWS\SYSTEM). The worm also creates an empty key:

HKEY_CURRENT_USER\Software\Navidad

Because of the "EXE-VXD" bug, the affected system becomes non-functional: not one EXE file can be run because of the invalid "exefile\shell\open\command" key, and Windows displays a standard error message:

Windows cannot find WINSVRC.VXD. This application is needed for opening files of the "Application" type.

The REGEDIT.EXE utility (to recover the registry) cannot be executed either. On affected machines, REGEDIT.EXE should be renamed to REGEDIT.COM (with the help of Explorer, for example) and then run. The HKEY_CLASSES_ROOT\exefile\shell\open\command key should then be set to:

"%1" %*

When run, the worm also displays a message box. The worm also creates a "blue-eye" icon in the system tray. When the icon is clicked, the worm displays a message, and then one more message.

MORE WORM VARIANTS

There are more "Navidad" versions known.
They are just patched versions of the original: the code (program) is the same, but the text strings are replaced with new ones.

"Emanuel" version: the attached file name is EMANUEL.EXE; it copies itself to the Windows system directory under the name WINTASK.EXE and registers itself in the registry with the keys:

SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Win32BaseServiceMOD = %SystemDir%\wintask.exe

HKEY_CLASSES_ROOT\exefile\shell\open\command
{Default} = %SystemDir%\wintask.exe %1 %*

It creates an empty key HKEY_CURRENT_USER\Software\Emanuel. When run, it displays a message box.

"XMas" version: the attached file name is XXXXMas.exe; it copies itself to the Windows system directory under the name WINFILE.VXD and registers itself in the registry with the keys:

SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Win32BaseServiceMOD = %SystemDir%\winfile.exe

HKEY_CLASSES_ROOT\exefile\shell\open\command
{Default} = %SystemDir%\winfile.exe %1 %*

It creates an empty key HKEY_CURRENT_USER\Software\Xxxxmas. When run, it displays a message box.
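The Coke and Navidad descriptions above share two registry indicators: a Run-key entry that points at a dropped file, and (for Navidad and its variants) an exefile\shell\open\command default that no longer reads "%1" %*. The script below is an added example written for this page, not code from the original entries or from any vendor tool. It parses a regedit text export (the constructed sample export inside the block models a host after Navidad and is not data from the page), reports the three kinds of indicator, and emits the .reg fragment that restores the clean exefile command. The parser only decodes string ("...") values, the Run-key check takes the first whitespace-separated token of the command as the program name, and the list of dropper names is limited to the ones these entries mention; all of that is my simplification.

```python
import ntpath
import re

# Constructed sample regedit export (the text format REGEDIT's "Export" produces),
# modelled on a host after the Navidad worm above. NOT data from the page.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\winsvrc.exe %1 %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Win32BaseServiceMOD"="C:\\WINDOWS\\SYSTEM\\winsvrc.exe"

[HKEY_CURRENT_USER\Software\Navidad]
'''

EXEFILE_OPEN_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
CLEAN_EXEFILE_OPEN = '"%1" %*'   # the value the Navidad description says to restore

# Dropped-file names from the Coke and Navidad entries, and the empty marker
# keys the Navidad variants create (compared case-insensitively).
DROPPER_NAMES = {"shlhmp.exe", "winsvrc.exe", "winsvrc.vxd",
                 "wintask.exe", "winfile.exe", "winfile.vxd"}
MARKER_KEYS = {r"hkey_current_user\software\navidad",
               r"hkey_current_user\software\emanuel",
               r"hkey_current_user\software\xxxxmas"}

# name=value line of a .reg export: @ or "name", then a "string" value
_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    # .reg string values escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key_path: {value_name: string_value}} for a regedit text export.
    Only REG_SZ ("...") values are decoded (dword:/hex: lines are ignored);
    the default value is stored under the empty name ""."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _unescape(m.group(2))
            keys[current][name] = _unescape(m.group(3))
    return keys


def audit(keys):
    """Return (finding_type, detail) tuples for the indicators in the entries above."""
    findings = []
    lower = {k.lower(): v for k, v in keys.items()}
    open_cmd = lower.get(EXEFILE_OPEN_KEY.lower(), {}).get("")
    # Anything other than "%1" %* here routes every .exe launch through another program.
    if open_cmd is not None and open_cmd.strip().lower() != CLEAN_EXEFILE_OPEN.lower():
        findings.append(("exefile-hijack", open_cmd))
    for name, cmd in lower.get(RUN_KEY.lower(), {}).items():
        # Simplification: program name = first whitespace-separated token (paths
        # with spaces would need proper quote-aware splitting).
        first = cmd.strip().strip('"').split()
        exe = ntpath.basename(first[0]).lower() if first else ""
        if exe in DROPPER_NAMES or name == "Win32BaseServiceMOD":
            findings.append(("run-key", f"{name}={cmd}"))
    for key in keys:
        if key.lower() in MARKER_KEYS:
            findings.append(("marker-key", key))
    return findings


def repair_fragment():
    """A .reg fragment restoring the clean exefile open command. On a box where
    .exe launching is hijacked it has to be imported from a renamed REGEDIT.COM,
    as the Navidad entry describes."""
    escaped = CLEAN_EXEFILE_OPEN.replace("\\", "\\\\").replace('"', '\\"')
    return (f"Windows Registry Editor Version 5.00\n\n"
            f"[{EXEFILE_OPEN_KEY}]\n@=\"{escaped}\"\n")


if __name__ == "__main__":
    for kind, detail in audit(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{kind:15} {detail}")
    print(repair_fragment())
```

Run against a real export, the audit lists the hijacked default value, the suspicious Run entry and the marker key; the repair fragment round-trips through the same parser and audits clean.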
I-Worm.NetSky.aa
Description I-Worm.NetSky.aa
This worm spreads via the Internet as an attachment to infected emails. It possesses a backdoor function and is capable of conducting DoS attacks on Internet sites. The worm itself is a PE EXE file of approximately 20KB, packed using UPX.

Installation

The worm copies itself to the Windows directory under the name Jammer2nd.exe, and registers this file in the system registry auto-run key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Jammer2nd"="%windir%\jammer2nd.exe"

It also creates files named PK_ZIP_ALG.LOG and PK_ZIP.LOG in the Windows directory. These files are copies of the worm in UUE format and in a ZIP archive. The worm creates the mutex (S)(k)(y)(N)(e)(t) to flag its presence in the system.

Propagation via email

The worm searches all accessible network disks for files with the following extensions:

adb asp cfg cgi dbx dhtm doc eml htm html jsp mbx mdx mht mmf msg nch ods oft php pl ppt rtf sht shtm stm tbb txt uin vbs wab wsh xls

and harvests email addresses from them, sending a copy of itself to all addresses found. The worm uses its own SMTP library to send messages, and attempts to establish a connection to the server receiving the infected messages.

Characteristics of infected messages

Infected messages are generated randomly from the following:

Sender's address: chosen at random from addresses found on the victim machine.

Message header (chosen at random from the list below):
Hello
Hi
Important
Important bill!
Important data!
Important details!
Important document!
Important informations!
Important notice!
Important textfile!
Important!
Information

Attachment name (chosen at random from the list below):
Bill.zip
Data.zip
Details.zip
Important.zip
Informations.zip
Notice.zip
Part-2.zip
Textfile.zip

Attached archive files will have a name from the list below:
Bill.txt.exe
Data.txt.exe
Details.txt.exe
Important.txt.exe
Informations.txt.exe
Notice.txt.exe
Part-2.txt.exe
Textfile.txt.exe

Other

The worm opens TCP port 665 on the victim machine to receive random files and execute them. Depending on the system clock settings, the worm may conduct DoS attacks on the following sites:
www.educa.ch
www.medinfo.ufl.edu
www.nibis.de
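The message characteristics above (fixed subject lines, fixed ZIP names, and a .txt.exe inside the archive) are exactly what a mail gateway rule keys on. The following is an added example I wrote for this page, not code from the original entry or from any mail product: it transcribes the three lists, looks inside a ZIP attachment without extracting it, and returns a verdict. It goes slightly beyond the text in one place, which is my assumption and not something the description states: any archived member named like "<name>.<ext>.exe" is treated as a double-extension lure even when its exact name is not in the NetSky list. The sample ZIP built inside the block contains constructed placeholder bytes, not a program.

```python
import io
import re
import zipfile

# Lists transcribed from the NetSky.aa description above.
NETSKY_SUBJECTS = {
    "Hello", "Hi", "Important", "Important bill!", "Important data!",
    "Important details!", "Important document!", "Important informations!",
    "Important notice!", "Important textfile!", "Important!", "Information",
}
NETSKY_ATTACHMENTS = {
    "Bill.zip", "Data.zip", "Details.zip", "Important.zip",
    "Informations.zip", "Notice.zip", "Part-2.zip", "Textfile.zip",
}
NETSKY_INNER_NAMES = {
    "Bill.txt.exe", "Data.txt.exe", "Details.txt.exe", "Important.txt.exe",
    "Informations.txt.exe", "Notice.txt.exe", "Part-2.txt.exe", "Textfile.txt.exe",
}
# Generalisation (my assumption, not from the page): any "<name>.<ext>.exe"
# member is a double-extension lure regardless of the exact name.
DOUBLE_EXT_EXE = re.compile(r"\.[a-z0-9]{1,4}\.exe$", re.IGNORECASE)


def archive_member_names(zip_bytes):
    """List the file names inside a ZIP attachment without extracting anything."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [info.filename for info in zf.infolist()]


def triage(subject, attachment_name, zip_bytes):
    """Return (verdict, reasons) for one message: 'block' when the archive
    carries an executable lure, 'suspicious' when only the subject/attachment
    name match the worm's templates or the ZIP is malformed, else 'allow'."""
    reasons, block = [], False
    if subject.strip() in NETSKY_SUBJECTS:
        reasons.append("subject matches NetSky.aa template")
    if attachment_name in NETSKY_ATTACHMENTS:
        reasons.append("attachment name matches NetSky.aa template")
    try:
        members = archive_member_names(zip_bytes)
    except zipfile.BadZipFile:
        reasons.append("attachment is not a valid ZIP archive")
        members = []
    for member in members:
        if member in NETSKY_INNER_NAMES:
            reasons.append(f"archived file {member} matches NetSky.aa template")
            block = True
        elif DOUBLE_EXT_EXE.search(member):
            reasons.append(f"archived file {member} uses a double extension ending in .exe")
            block = True
    if block:
        return "block", reasons
    return ("suspicious" if reasons else "allow"), reasons


def build_sample_zip(member_name, payload=b"constructed placeholder bytes, not a program"):
    """Build an in-memory ZIP with one member so the triage can be run offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    lure = build_sample_zip("Important.txt.exe")
    print(triage("Important data!", "Important.zip", lure))
    print(triage("Quarterly numbers", "report.zip", build_sample_zip("report.txt")))
```

Subject and attachment-name matches alone only raise the message to "suspicious", because those strings are common in legitimate mail; the executable member inside the archive is the indicator that justifies blocking.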