Virus Database


Trojan.Win32.Malantern.a

Description Trojan.Win32.Malantern.a

This is a humorous Win32 Trojan, about 24Kb in length, written in Visual Basic. It was received as an IEpatch.EXE Win32 executable file.
When started, it removes the "C:\WINDOWS\TEMP" directory, then creates new directories:
"C:\WINDOWS\Magic Latern"
"C:\WINDOWS\FBI software"
"C:\WINDOWS\John ASScroft"
"C:\WINDOWS\Bill Gatez"
"C:\WINDOWS\Desktop\666"
"C:\WINDOWS\Desktop\Bin Laden"
"C:\WINDOWS\Desktop\666 WTC"
"C:\WINDOWS\Desktop\Magic Fuckers"
"C:\WINDOWS\Desktop\Agentlinux"
"C:\WINDOWS\Desktop\iFuckedYourWife"
"C:\WINDOWS\Desktop\Biohazard Virii"

Then the Trojan deletes all *.SYS files in the "C:\WINDOWS\SYSTEM32\DRIVERS" directory, and then displays the following message box:

Finally the Trojan displays the following screen:

When the "Who isall" button is pressed, the Trojan displays several message boxes with texts in them:


I-Worm.Naked

Description I-Worm.Naked

This is an Internet worm that spreads via e-mail by sending infected messages from infected computers. To spread, the worm uses MS Outlook and sends itself to all addresses stored in the MS Outlook Address Book. The worm itself is a Win32 application about 70K in length, written in Visual Basic.
When run (if a user clicks on an attached infected file), the worm sends copies of itself by e-mail and performs the following destructive action: it deletes all .INI, .LOG, .DLL, .EXE, .COM and .BMP files in the Windows directory, and all .INI, .LOG, .DLL, .EXE and .BMP files in the Windows system directory.
The worm does not install itself into the system and does not touch the system registry (i.e. it does not register itself there). This is a "direct action" worm that performs its action only once, when activated from an infected message. The worm copies itself to the Windows TEMP directory, but does not use that copy.
When run, the worm displays a fake window with a "Macromedia Flash Player" picture in it, and it displays a "Loading", "Loadingall", "Loading..." message in an endless loop.

The menus in the window do not trigger any action when they are selected, except the "Help" menu. Upon selecting it, the "About Macromedia Flash Player 5..." item appears; when that item is selected, the worm displays the message box:
Flash
You're are now FUCKED! (C) 2001 by BGK (Bill Gates Killer)
[ OK ]
The worm sends itself as an e-mail message with an attached EXE file that is the worm itself. The message consists of:
Attached file name: NakedWife.exe
The Subject: Fw: Naked Wife
Message body:

My wife never look like that! ;-)

Best Regards,
[CurrentUser]
where [CurrentUser] is the name of the sender.
When activated by a user (by double-clicking on the attached file), the worm opens MS Outlook, gains access to the Address Book, obtains all addresses from there and sends messages with its attached copy to all of them. The message subject, body and attached file name are the same as above.

I-Worm.Naver

Description I-Worm.Naver

This is an e-mail worm that spreads through MS Outlook. The worm itself is a Win32 executable file about 50K in length, written in Visual Basic.
When the worm is run, it displays the dialog box:
Windows Secirity Upgrade

This is an upgrade for Microsoft Windows 9x/Me/NT/2000
to solve some protocol TCP/IP problems and for SSL
(Secure Sockets Layer) secure system exploration.

Do you want to install the upgrade now?

[ OK ] [ Cancel ]
On "OK" the worm displays the message:
Upgrade
Upgrade completed, thank you
Then, and likewise when "Cancel" is clicked, the worm installs itself to the system. It copies itself to the Windows directory under the name WINSYS.EXE and to the Windows system directory under the name WINSYS.EXE. The latter file is then registered in the Registry auto-run section:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run WLWin = %windir%\WINSYS.EXE
The worm also creates an additional registry key that indicates that the system is already infected:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion WLKey = 1
The worm also creates a NAVER.TXT file in the Windows system directory and writes to it the text that is then used in the body of infected messages (see below).
The worm then connects to the MS Outlook address book, gets e-mail addresses from there and sends itself as an attachment to e-mails:
Subject: Re: Windows Upgrade
Body:
Use this patch!!, goodbye

>
> From: "Micosoft upgrades"
> To: "Windows users"
> Subject: Upgrade
> Date: Mon, 11 Jun 2001 11:02:34 +0200
>
> Microsoft programs bugs that are costantly found, are immediately often solved by little
> patches, that are regulary pubblished on the official site, but despite this only few
> users use this patches. Because of this a lot of users consider Microsoft systems
> unsecure, you can solve all the problems at base, upgrading costantly the system,
> because of this Microsoft® decided to exploit FAQ mail to reach the majority of users.
> By FAQ mail you have recived it, that contain the first upgrade, naver.exe file
> (Upgrade 11 Jun 2001), an upgrade that is used for increase security of Windows system
> protocol TCP/IP problems and for SSL (Secure Sockets Layer) secure system exploration.
> For a correct operation copy naver.exe in c: and run it
>
> Foward this mail at your friends with the relative attachment or if you don't want to
> receive any other upgrades send an empty mail to deletelist@microsoft.com with subject
> "Delete from database".
>
> We thank in advance all the users that will agree the project.
>
> Answerable Microsoft® Upgrades John Milton
> http://www.microsoft.com/security/
>

Attachment: NAVER.EXE
In some cases (depending on current date?) the worm removes its registry keys, deletes its files and displays the message:
VIRUS !!!!!!!!!!!
Virus Eclisse has infected
Don't try to close the counter before zero otherwise it will be restarted,
the system will be released only when the countdown counts zero.

Now you are able to use your computer, this Virus automatically delete
itself, byez. ( Translation by M_O_R_B_O )
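
The message characteristics given above for I-Worm.Naked and I-Worm.Naver (fixed subject plus fixed attachment name) can be checked at a mail gateway. The following is an added example, not part of the original descriptions; the confidence levels and the function names `classify` and `build_sample` are assumptions made for illustration, and the sample messages are constructed.

```python
import email
from email import policy
from email.message import EmailMessage

# (family, subject, attachment name) as given in the descriptions, lower-cased.
SIGNATURES = [
    ("I-Worm.Naked", "fw: naked wife", "nakedwife.exe"),
    ("I-Worm.Naver", "re: windows upgrade", "naver.exe"),
]

def classify(raw_bytes):
    """Return [(family, confidence)] for a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    # policy.default decodes RFC 2047 encoded words; collapse folding whitespace.
    subject = " ".join(str(msg["Subject"] or "").split()).lower()
    names = {(p.get_filename() or "").strip().lower() for p in msg.walk()}
    hits = []
    for family, sig_subject, sig_file in SIGNATURES:
        subject_hit, file_hit = subject == sig_subject, sig_file in names
        if subject_hit and file_hit:
            hits.append((family, "high"))
        elif file_hit:
            hits.append((family, "medium"))  # subject edited, attachment kept
        elif subject_hit:
            hits.append((family, "low"))     # subject alone is weak evidence
    return hits

def build_sample(subject, filename=None):
    """Constructed test message; the attachment is inert placeholder bytes."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content("constructed sample body")
    if filename:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for subj, fn in [("Fw: Naked Wife", "NakedWife.exe"),
                     ("Re: Windows Upgrade", "NAVER.EXE"),
                     ("Quarterly report", "report.pdf")]:
        print(subj, "->", classify(build_sample(subj, fn)))
```

Matching is case-insensitive on both fields, so "NAVER.EXE" and "naver.exe" are treated alike.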

    Copyright © 2005 Virus-Database.com