Virus Database


VD.1664

Description VD.1664

VD.1664 is a dangerous memory-resident parasitic virus. It hooks INT 21h and writes itself to the end of .EXE files as they are executed. Because of a bug, the virus corrupts small files while infecting them; running such a corrupted file halts the system. The virus stores the ID word "VD" in memory at address 0000:0467.


I-Worm.Swen

Description I-Worm.Swen

Swen is a very dangerous worm that spreads across the Internet via email (as an infected file attachment), the Kazaa file-sharing network, IRC channels and open network shares.
Swen is written in Microsoft Visual C++ and is 104 KB (106,496 bytes) in size.
The worm activates when a victim launches the infected file (by double-clicking the attachment), or automatically when the victim's email client is vulnerable to the IFrame.FileDownload vulnerability (also exploited by the Internet worms Klez and Tanatos). Once run, Swen installs itself in the system and begins its propagation routine.
The patch for the IFrame vulnerability was released in March 2001: Microsoft Security Bulletin MS01-020.
The worm blocks many anti-virus programs and firewalls. Its algorithm and parts of its text strings are almost identical to those of another Internet worm, I-Worm.Gibe, although the programming language used is different.


Installation
When first launched, the worm may display a "Microsoft Internet Update Pack" message box and then imitates a patch installation.
The worm then copies itself under one of the names below into the Windows directory. The name may consist of several parts.
First possibility:
Kazaa Lite
KaZaA media desktop
KaZaA
WinRar
WinZip
Winamp
Mirc
Download Accelerator
GetRight FTP
Windows Media Player

Key generator
Hack
Hacked
Warez
Upload
Installer
Second possibility:
Bugbear
Yaha
Gibe
Sircam
Sobig
Klez
Remover
RemovalTool
Cleaner
Fixtool
Third possibility:
Aol Hacker
Yahoo Hacker
Hotmail Hacker
10.000 Serials
Jenna Jameson
Hardporn
Sex
Xbox Emulator
Emulator Ps2
Xp Update
Xxx Video
Sick Joke
Xxx Pictures
My Naked Sister
Hallucinogenic Screensaver
Cooking With Cannabis
Magic Mushrooms Growing
Virus Generator
The new file is registered in the Windows system registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
[random sequence] = %windir%\[worm file name] autorun
An identification key containing the worm's configuration settings is also created:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\[random sequence]
The worm then creates a file named after the infected host machine, with a BAT extension, in the Windows folder. The file contains the following commands:
@ECHO OFF
IF NOT "%1"=="" [worm file name].exe %1
Then the worm changes values under HKLM\Software\Classes so that its copy is run every time a BAT, COM, EXE, PIF, REG or SCR file is launched ([worm file name] stands for the worm's copy in the Windows directory):
HKCR\batfile\shell\open\command
Default = %windir%\[worm file name] "%1" %*

HKCR\comfile\shell\open\command
Default = %windir%\[worm file name] "%1" %*

HKEY_CLASSES_ROOT\exefile\shell\open\command
Default = %windir%\[worm file name] "%1" %*

HKCR\piffile\shell\open\command
Default = %windir%\[worm file name] "%1" %*

HKCR\regfile\shell\open\command
Default = %windir%\[worm file name] showerror

HKCR\scrfile\shell\config\command
Default = %windir%\[worm file name] "%1"

HKCR\scrfile\shell\open\command
Default = %windir%\[worm file name] "%1" /S
It also disables the user's ability to edit the system registry:
HKCU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools = 01 00 00 00
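As an added example (this code is not part of the original description and is not a vendor removal tool), the following Python script reads a .reg export such as one produced by `regedit /e` and reports the three kinds of change listed above: a file-type handler whose default command no longer matches the clean value, a Run entry whose command ends in "autorun", and DisableRegistryTools set to 1. The export embedded in the script is constructed for the demonstration, and the worm file name "KaZaA Installer.exe" in it is an assumption built from the name parts listed under Installation.

```python
"""Scan a Windows .reg export for the file-type handler hijacks, autorun entry
and registry-tools lockout described for I-Worm.Swen (added example)."""
import re
from typing import Optional

# Clean default values for the handlers the worm replaces. The worm prepends
# %windir%\<its copy> to each of these, so anything that differs is reported.
CLEAN_HANDLERS = {
    ("batfile", "open"): '"%1" %*',
    ("comfile", "open"): '"%1" %*',
    ("exefile", "open"): '"%1" %*',
    ("piffile", "open"): '"%1" %*',
    ("regfile", "open"): 'regedit.exe "%1"',
    ("scrfile", "open"): '"%1" /S',
    ("scrfile", "config"): '"%1"',
}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")=(?P<data>.*)$')
HANDLER_RE = re.compile(
    r"^HKEY_CLASSES_ROOT\\(?P<ftype>batfile|comfile|exefile|piffile|regfile|scrfile)"
    r"\\shell\\(?P<verb>open|config)\\command$",
    re.IGNORECASE,
)
RUN_KEY_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$",
    re.IGNORECASE,
)
POLICY_KEY_RE = re.compile(r"\\Policies\\System$", re.IGNORECASE)


def reg_string(data: str) -> Optional[str]:
    """Decode a REG_SZ literal from a .reg export ("..." with \\ and \" escapes)."""
    if len(data) < 2 or data[0] != '"' or data[-1] != '"':
        return None  # dword:, hex: or anything that is not a plain string
    return re.sub(r"\\(.)", r"\1", data[1:-1])


def scan_reg_text(text: str) -> list:
    """Return one finding dict per suspicious value in the export."""
    findings = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group("key")
            continue
        vm = VALUE_RE.match(line)
        if not vm or key is None:
            continue
        name = "(Default)" if vm.group("name") == "@" else re.sub(r"\\(.)", r"\1", vm.group("name")[1:-1])
        data = vm.group("data").strip()

        hm = HANDLER_RE.match(key)
        if hm and name == "(Default)":
            value = reg_string(data)
            expected = CLEAN_HANDLERS[(hm.group("ftype").lower(), hm.group("verb").lower())]
            if value is None or value.strip().lower() != expected.lower():
                findings.append({"kind": "shell_hijack", "key": key, "name": name, "value": value})
        elif RUN_KEY_RE.match(key):
            value = reg_string(data)
            # Swen's Run entry has the form "<random name> = %windir%\<worm> autorun"
            if value is not None and value.lower().endswith(" autorun"):
                findings.append({"kind": "run_autorun", "key": key, "name": name, "value": value})
        elif POLICY_KEY_RE.search(key) and name.lower() == "disableregistrytools":
            if data.lower() == "dword:00000001":
                findings.append({"kind": "registry_tools_disabled", "key": key, "name": name, "value": data})
    return findings


# Constructed sample export (not taken from a real infection); the worm file name
# "KaZaA Installer.exe" is an assumption built from the name parts the page lists.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\KaZaA Installer.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="C:\\WINDOWS\\KaZaA Installer.exe showerror"

[HKEY_CURRENT_USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"qzmrvk"="C:\\WINDOWS\\KaZaA Installer.exe autorun"
'''

if __name__ == "__main__":
    for f in scan_reg_text(SAMPLE_REG):
        print(f"{f['kind']:24} {f['key']}  {f['name']} = {f['value']}")
```

On a live machine the three keys would be exported with regedit /e and the text passed to scan_reg_text(); since the worm sets DisableRegistryTools, regedit refuses to run until that value is cleared or the export is taken from a clean boot.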
When first launched, the worm accesses the following remote website:
http://ww2.fce.vutbr.cz/bin/counter.gif/link=bacillus&width=6&set=cnt006
This is a hit counter that records the number of infected computers.
When a new copy of the worm is executed on an already infected machine, the worm displays a message box.
The worm scans all disks for files with the extensions DBX, MDX, EML and WAB, and for files whose extension contains HT or ASP. Swen extracts any email addresses it finds and saves them in a file named germs0.dbv.
The worm attempts to connect to one of 350 servers listed in the file swen1.dat in order to send infected emails. If no connection can be made, the worm displays an error message about a MAPI32 exception and asks the user for a correct email address and a correct SMTP server.


Propagation via Email
The worm mails itself to all available addresses using a direct connection to an SMTP server. The infected emails are in HTML format and contain an attachment (the actual worm).

Sender name (consists of up to seven parts, combined in this order):
Part 1: Microsoft, MS
Part 2 (may not be used): Corporation
Part 3 (may not be used): Program, Internet, Network
Part 4 (always included with part 3): Security
Part 5 (may not be used): Division, Section, Department, Center
Part 6 (may not be used): Public, Technical, Customer
Part 7 (may not be used): Bulletin, Services, Assistance, Support
For example:
Microsoft Internet Security Section
MS Technical Assistance
Sender address (consists of 2 parts):
before "@": a random sequence (examples: tuevprkpevcg-gxwi@, dwffa@);
after "@": two words, though only one may be used. The first is taken from:
news, newsletter, bulletin, confidence, advisor, updates, technet, support
and the second from:
msdn, microsoft, ms, msn
For example: "newsletter.microsoft" or simply "support". If two words are used, they are separated by "." or "_".
The top-level domain after the final "." is either "com" or "net".
Subject (consists of up to four parts, combined in this order):
Part 1: Latest, New, Last, Newest, Current
Part 2: Net, Network, Microsoft, Internet
Part 3: Security, Critical
Part 4: Upgrade, Pack, Update, Patch
Body:
MS Client (or Consumer, Partner, User, chosen at random)
this is the latest version of security update, the
"September 2003, Cumulative Patch" update which resolves
all known security vulnerabilities affecting
MS Internet Explorer, MS Outlook and MS Outlook Express.
Install now to protect your computer
from these vulnerabilities, the most serious of which could
allow an attacker to run code on your system.
This update includes the functionality
of all previously released patches.

System requirements: Windows 95/98/Me/2000/NT/XP
This update applies to:
- MS Internet Explorer, version 4.01 and later
- MS Outlook, version 8.00 and later
- MS Outlook Express, version 4.01 and later

Recommendation: Customers should install the patch
at the earliest opportunity.
How to install: Run attached file. Choose Yes on displayed dialog box.
How to use: You don't need to do anything after installing this item.
Signature:
Microsoft Product Support Services and Knowledge Base articles
can be found on the Microsoft Technical Support web site.
http://support.microsoft.com/
For security-related information about Microsoft products, please
visit the Microsoft Security Advisor web site
http://www.microsoft.com/security/
Thank you for using Microsoft products.
Please do not reply to this message.
It was sent from an unmonitored e-mail address and we are unable
to respond to any replies.
----------------------------------------------
The names of the actual companies and products mentioned
herein are the trademarks of their respective owners.
Attachment name:
patch[random number].exe
install[random number].exe
q[random number].exe
update[random number].exe
The actual content of the body may be less complicated, depending on various circumstances.
The Subject may contain:
Letter
Advise
Message
Announcement
Report
Notice
Bug
Error
Abort
Failed
User Unknown
The body may contain:
Hi!
This is the qmail program
Message from [random value]
I'm sorry
I'm sorry to have to inform that
I'm afraid
I'm afraid I wasn't able to deliver your message to the following addresses
the message returned below could not be delivered
I wasn't able to deliver your message
to one or more destinations
In some cases the worm may send copies of itself in archived form - ZIP or RAR.
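The sender, subject and attachment grammars above are specific enough to be turned into a mail filter. The following Python example is added here and is not part of the original description: it compiles the grammars into regular expressions and scores a message. The messages it builds are constructed samples, not captured Swen mails, and counting ".zip" and ".rar" attachment names as matches is an assumption based on the archived variant mentioned above.

```python
"""Heuristic classifier for Swen-style lure mails, built from the sender,
subject and attachment grammars in the description (added example)."""
import email
import re
from email import policy
from email.message import EmailMessage

# Sender display name: part 1 is mandatory, the rest are optional, in this order.
SENDER_NAME_RE = re.compile(
    r"^(?:Microsoft|MS)"
    r"(?: Corporation)?"
    r"(?: (?:Program|Internet|Network) Security)?"
    r"(?: (?:Division|Section|Department|Center))?"
    r"(?: (?:Public|Technical|Customer))?"
    r"(?: (?:Bulletin|Services|Assistance|Support))?$"
)
_DOMAIN_FIRST = r"news|newsletter|bulletin|confidence|advisor|updates|technet|support"
_DOMAIN_SECOND = r"msdn|microsoft|ms|msn"
# Random local part, one or two domain words joined by "." or "_", then .com/.net.
SENDER_ADDR_RE = re.compile(
    rf"^[a-z-]+@(?:(?:{_DOMAIN_FIRST})(?:[._](?:{_DOMAIN_SECOND}))?|(?:{_DOMAIN_SECOND}))\.(?:com|net)$"
)
SUBJECT_RE = re.compile(
    r"^(?:(?:Latest|New|Last|Newest|Current) )?"
    r"(?:(?:Net|Network|Microsoft|Internet) )?"
    r"(?:(?:Security|Critical) )?"
    r"(?:Upgrade|Pack|Update|Patch)$"
)
# patch/install/q/update + number; .zip/.rar is an assumption covering the archived form.
ATTACHMENT_RE = re.compile(r"^(?:patch|install|q|update)\d+\.(?:exe|zip|rar)$", re.IGNORECASE)


def classify(raw: bytes) -> dict:
    """Score one raw RFC 5322 message against the Swen grammars."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_hdr = msg["From"]
    addresses = from_hdr.addresses if from_hdr is not None else ()
    name = addresses[0].display_name if addresses else ""
    addr = addresses[0].addr_spec if addresses else ""
    subject = str(msg["Subject"] or "")
    attachments = [p.get_filename() or "" for p in msg.iter_attachments()]
    hits = {
        "sender_name": bool(SENDER_NAME_RE.match(name.strip())),
        "sender_addr": bool(SENDER_ADDR_RE.match(addr.lower())),
        "subject": bool(SUBJECT_RE.match(subject.strip())),
        "attachment": any(ATTACHMENT_RE.match(a) for a in attachments),
    }
    # The sender fields alone also match legitimate Microsoft mail, so the verdict
    # requires the patch-style subject or the attachment name as well.
    hits["swen_like"] = hits["sender_name"] and hits["sender_addr"] and (hits["subject"] or hits["attachment"])
    return hits


def build_sample(name: str, addr: str, subject: str, attachment: str = "") -> bytes:
    """Construct a test message (sample data, not a captured Swen mail)."""
    msg = EmailMessage()
    msg["From"] = f"{name} <{addr}>"
    msg["To"] = "victim@example.test"
    msg["Subject"] = subject
    msg.set_content("<html><body>MS Client this is the latest version of security update</body></html>", subtype="html")
    if attachment:
        msg.add_attachment(b"MZ" + bytes(16), maintype="application", subtype="octet-stream", filename=attachment)
    return msg.as_bytes()


if __name__ == "__main__":
    print(classify(build_sample("Microsoft Internet Security Section",
                                "tuevprkpevcg-gxwi@newsletter.microsoft.com",
                                "Latest Internet Security Update", "patch2003.exe")))
    print(classify(build_sample("Microsoft", "support@microsoft.com", "Your invoice")))
```

A genuine message from "Microsoft" <support@microsoft.com> matches both sender grammars, which is exactly the disguise the worm relies on; that is why the verdict also requires the patch-style subject or attachment name rather than the sender fields alone.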


Propagation via Kazaa
Swen propagates via the Kazaa file-sharing network by copying itself under random names into the shared-file directory of Kazaa Lite. It also creates a randomly named subdirectory in the Windows Temp folder and places several randomly named copies of itself there.
This folder is registered in the Windows system registry as a Local Content folder for the Kazaa file-sharing client:
HKCU\Software\Kazaa\LocalContent
dir99 = 012345:%Windir%\Temp\[folder name]
As a result, the new files created by Swen become available to other Kazaa network users.


Propagation via IRC channels
The worm checks for an installed mIRC client. If one is found, Swen modifies the script.ini file, adding its propagation procedure; the modified script.ini then sends the infected file from the Windows directory to every user who joins a channel the infected user is in.


Propagation via LAN
The worm scans all available drives. If it finds a network drive, it copies itself there under a random name into the following folders:
windows\all users\start menu\programs\startup
windows\start menu\programs\startup
winme\all users\start menu\programs\startup
winme\start menu\programs\startup
win95\all users\start menu\programs\startup
win95\start menu\programs\startup
win98\all users\start menu\programs\startup
win98\start menu\programs\startup
documents and settings\all users\start menu\programs\startup
documents and settings\default user\start menu\programs\startup
documents and settings\administrator\start menu\programs\startup
winnt\profiles\all users\start menu\programs\startup
winnt\profiles\default user\start menu\programs\startup
winnt\profiles\administrator\start menu\programs\startup


Other
The worm attempts to block the launch and work of various anti-virus software and firewalls:
_avp
ackwin32
anti-trojan
aplica32
apvxdwin
autodown
avconsol
ave32
avgcc32
avgctrl
avgw
avkserv
avnt
avp
avsched32
avwin95
avwupd32
blackd
blackice
bootwarn
ccapp
ccshtdwn
cfiadmin
cfiaudit
cfind
cfinet
claw95
dv95
ecengine
efinet32
esafe
espwatch
f-agnt95
findviru
fprot
f-prot
fprot95
f-prot95
fp-win
frw
f-stopw
gibe
iamapp
iamserv
ibmasn
ibmavsp
icload95
icloadnt
icmon
icmoon
icssuppnt
icsupp
iface
iomon98
jedi
kpfw32
lockdown2000
lookout
luall
moolive
mpftray
msconfig
nai_vs_stat
navapw32
navlu32
navnt
navsched
navw
nisum
nmain
normist
nupdate
nupgrade
nvc95
outpost
padmin
pavcl
pavsched
pavw
pcciomon
pccmain
pccwin98
pcfwallicon
persfw
pop3trap
pview
rav
regedit
rescue
safeweb
serv95
sphinx
sweep
tca
tds2
vcleaner
vcontrol
vet32
vet95
vet98
vettray
vscan
vsecomr
vshwin32
vsstat
webtrap
wfindv32
zapro
zonealarm

When one of these is launched, Swen displays a fake error message.
I-Worm.SysClock

Description I-Worm.SysClock

This is an Internet worm spreading via e-mail and IRC channels; it also infects files on the local computer and spreads to the local network. It steals system password files (PWL files) from infected computers and has many payload routines, some harmless and some dangerous. The worm is a Win32 (PE EXE, Portable Executable) program about 80 KB in size, written in Delphi; the "pure" worm code occupies about 20 KB, the rest being Delphi runtime library code, data and miscellaneous program information.
The worm arrives as an e-mail with a fake message (see below) and an attached PKZIP.EXE file, which is the worm program itself. When executed, the worm installs itself into the system, infects files on the local drive, infects available logical drives, infects an installed mIRC client and sends infected e-mails using the Eudora mail system.
Installing into the system
To install itself, the worm copies itself as KERNEL.EXE into the Windows directory (on Win95/98) or the Windows system directory (on WinNT), and registers itself in the system registry auto-run key:
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SysClock = kernel.exe

The worm also has an additional installation routine that installs the worm copies to all available drives. This routine is described below.
Infecting a computer
The worm is able to infect about 40 files on a computer, and infects no more than four files on each run. The worm infects files in the Windows directory:
NOTEPAD.EXE, CALC.EXE, DEFRAG.EXE, SCANDSKW.EXE, WRITE.EXE, WINIPCFG.EXE,
SCANREGW.EXE, DRWTSN32.EXE, NTBACKUP.EXE, REGEDT32.EXE, TASKMGR.EXE,
USRMGR.EXE

The worm then infects programs that are associated with registry keys:
SOFTWARE\Classes\Access.Application.8\shell\open\command
SOFTWARE\Classes\AudioCD\shell\play\command
SOFTWARE\Classes\AVIFile\shell\play\command
SOFTWARE\Classes\cdafile\shell\play\command
SOFTWARE\Classes\Chat\shell\open\command
SOFTWARE\Clients\News\Forte Agent\shell\open\command
SOFTWARE\Classes\Excel.Sheet.8\shell\open\command
SOFTWARE\Classes\ftp\shell\open\command
SOFTWARE\Classes\giffile\shell\open\command
SOFTWARE\Classes\hlpfile\shell\open\command
SOFTWARE\Classes\Eudora\DefaultIcon
SOFTWARE\Classes\Eudora\shell\open\command
SOFTWARE\Classes\Microsoft Internet Mail Message\shell\open\command
SOFTWARE\Classes\Microsoft Internet News Message\shell\open\command
SOFTWARE\Classes\MOVFile\shell\open\command
SOFTWARE\Classes\Msi.Package\shell\open\command
SOFTWARE\Classes\pcANYWHERE32\shell\open\command
SOFTWARE\Classes\QuickView\shell\open\command
SOFTWARE\Classes\RealPlayer.RAM.6\shell\open\command
SOFTWARE\Classes\Winamp.File\shell\open\command
SOFTWARE\Classes\Unfinished Download\shell\open\command
SOFTWARE\Classes\UltraEdit-32 Document\shell\open\command
SOFTWARE\Classes\Whiteboard\shell\open\command
SOFTWARE\Classes\vcard_wab_auto_file\shell\open\command
SOFTWARE\Ulead Systems\Ulead PhotoImpact\4.0\Path\IeEdit.exe
SOFTWARE\KasperskyLab\Components\102\EXEName

While infecting each file, the worm uses the companion infection method: it renames the victim file to a random eight-character name with the .EXE extension (for example GTGUQPPA.EXE, XOHSKVXQ.EXE) and places its own copy under the original file's name. As a result, the worm copy is executed each time the user or the system runs the infected file.
To return control to the host file, the worm stores the file names in the registry key HKCU\AppEvents\Schemes\Apps\.Default\SystemStart\Windows, for example:
C:\WIN95\calc.exe "gtguqppa.exe"
C:\WIN95\mplayer.exe "xohskvxq.exe"
etc.

This information can be used to disinfect the computer.
To detect already infected files, the worm uses the FileVersion that is stored in PE EXE file resources. In infected files, this variable is set to "1.3.5.7".
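The registry mapping described above can be turned into a disinfection procedure. The following Python example is added here and is not the page's or any vendor's removal tool: it parses mapping lines of the form quoted above, deletes the worm copy that carries the original program's name and gives the renamed companion its name back. It runs against a constructed temporary directory tree, and the mapping lines and file contents are sample data. Checking the "1.3.5.7" FileVersion marker before deleting a host file would need a PE resource parser and is left out.

```python
"""Undo the SysClock companion infection from the host/companion mapping the
worm leaves in the registry (added example, constructed sample data)."""
import os
import re
import shutil
import tempfile

# One mapping line: <host path> "<random eight-character companion name>"
MAPPING_RE = re.compile(r'^(?P<host>[A-Za-z]:\\[^"]+?\.exe)\s+"(?P<companion>[^"\\]+\.exe)"$', re.IGNORECASE)

# Constructed mapping in the format the description quotes; not exported from a real system.
SAMPLE_MAPPING = [
    r'C:\WIN95\calc.exe "gtguqppa.exe"',
    r'C:\WIN95\mplayer.exe "xohskvxq.exe"',
    r'garbage line that is not a mapping',
]


def parse_mapping(lines):
    """Return (host_path, companion_name) pairs, ignoring lines that do not fit."""
    pairs = []
    for line in lines:
        m = MAPPING_RE.match(line.strip())
        if m:
            pairs.append((m.group("host"), m.group("companion")))
    return pairs


def to_local(root, winpath):
    """Map a drive-letter Windows path onto a directory tree under root."""
    tail = winpath.split(":", 1)[1]
    parts = [p for p in tail.split("\\") if p]
    return os.path.join(root, *parts)


def restore_companions(pairs, root):
    """Delete the worm copy under the host name and give the original its name back."""
    results = []
    for host, companion in pairs:
        host_path = to_local(root, host)
        companion_path = os.path.join(os.path.dirname(host_path), companion)
        if not os.path.isfile(companion_path):
            results.append((host, "companion missing"))  # nothing safe to restore
            continue
        if os.path.isfile(host_path):
            os.remove(host_path)               # the worm copy carrying the original's name
        os.replace(companion_path, host_path)  # the renamed original regains its name
        results.append((host, "restored"))
    return results


def demo():
    """Build a fake infected WIN95 directory in a temp tree, disinfect it, report."""
    root = tempfile.mkdtemp()
    try:
        win = os.path.join(root, "WIN95")
        os.makedirs(win)
        layout = {  # constructed contents standing in for the real binaries
            "calc.exe": b"WORM", "gtguqppa.exe": b"ORIGINAL CALC",
            "mplayer.exe": b"WORM", "xohskvxq.exe": b"ORIGINAL MPLAYER",
        }
        for name, data in layout.items():
            with open(os.path.join(win, name), "wb") as fh:
                fh.write(data)
        results = restore_companions(parse_mapping(SAMPLE_MAPPING), root)
        report = {"restored": sum(1 for _, s in results if s == "restored"),
                  "leftover": sorted(os.listdir(win))}
        for name in ("calc.exe", "mplayer.exe"):
            with open(os.path.join(win, name), "rb") as fh:
                report[name] = fh.read()
        return report
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

On a real machine the mapping would be read from the registry key named above and restore_companions() called with the drive root; the host files that the mapping lists are exactly the files that carry the worm, so nothing outside the mapping is touched.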
Infecting local and network drives
The worm also copies itself to and "registers" on all available logical drives: removable, fixed and network. When infecting a removable drive, the worm looks for an AUTOEXEC.BAT file on it, adds an instruction that runs PKZIP.EXE when the system boots from that drive, and copies itself to the drive as PKZIP.EXE.
When infecting hard drives, the worm looks for a PKZIP.EXE file in the root directory of each drive and copies itself there under that name if no such file exists. To get this file run, the worm creates an AUTORUN.INF file on the drive containing instructions that run PKZIP.EXE (the worm copy) on the next Windows start-up:
[autorun]
open=pkzip.exe

Before infecting a remote drive, the worm checks that it has write permission there: it creates a file named TEMP9385.058 on the drive and deletes it again. If no error occurs, the worm continues spreading to the drive: it copies itself there as PKZIP.EXE and creates an AUTORUN.INF file in the same way as for fixed drives on the local computer. In addition, the worm looks for Windows and WinNT directories on the drive and registers its PKZIP.EXE copy in the "run=" instruction of the [windows] section of WIN.INI, which also causes the worm copy to be executed on the next Windows start-up.
While infecting network drives, the worm also overwrites the following executable files with its own copy, if they exist, destroying the originals:
Acrobat3\Reader\Acrord32.exe
Eudora95\Eudora.exe
Program Files\Microsoft Office\Office\Outlook.exe
Program Files\Internet Explorer\Iexplore.exe
Program Files\WinZip\WinZip32.exe
Program Files\Microsoft Office\Office\WinWord.exe
Program Files\Netscape\Program\Netscape.exe

Infecting mIRC client and spreading via IRC channels
This routine is executed depending on the system time, not every time the infected file runs. It looks for an installed mIRC client by accessing the mIRC script file in the directories:
C:\MIRC\SCRIPT.INI
C:\MIRC32\SCRIPT.INI
C:\Program Files\MIRC\SCRIPT.INI
C:\Program Files\MIRC32\SCRIPT.INI

If none of these files exists, the worm leaves the infection routine. Otherwise it overwrites SCRIPT.INI with an instruction that sends the C:\PKZIP.EXE file to everybody who joins the affected channel.
Sending infected emails
Like the mIRC infection routine, this routine is executed depending on the system time. The worm first obtains the Eudora directory name from the registry key Software\Qualcomm\Eudora\CommandLine. It then scans the Eudora outgoing-mail database (the OUT.MBX files), extracts the addresses found there and stores them in the list of recipients for the infected message. It seems that the worm also adds the "support@microsoft.com" address to this list.
The worm then prepares the file C:\USER.MSG, which is used to initialise Eudora's mail sending. The worm writes to it all the data needed to send the message with the infected attachment:
To: address list from the OUT.MBX file, plus "support@microsoft.com"
Subject: here's what u requested
X-Attachments: c:\pkzip.exe;
Message body:
You had requested this a while back, so here you are.
enjoy.

The worm then opens the C:\USER.MSG file with a Windows function that activates Eudora's sendmail.
Stealing password files
While installing into the system and infecting files, the worm also looks for Windows password files (.PWL files), reads the password data from them and attaches it to the infected file body.
The worm does not send the passwords to any Internet address; it just keeps them attached to the infected files. As a result, the stolen passwords leave the computer only when the worm spreads copies of itself via the Internet or IRC channels.
Payload routines
The worm has many payload routines that are activated depending on the system date and time. Through these routines the worm:
- Halts the computer by launching an unlimited number of threads.
- Overwrites the .DEFAULT\Software\Microsoft\RegEdt32\Settings registry key with the value "AutoRefresh=0".
- Changes the Internet Explorer settings. By rewriting the SOFTWARE\Microsoft\Internet Explorer\Main registry key, the worm sets "Start Page" to "http://www.whitehouse.com/" and "Search Page" to "http://www.bigboobies.com", and disables updating of the Internet cache.
By rewriting the SOFTWARE\Microsoft\Internet Explorer\SearchUrl and SOFTWARE\Microsoft\Internet Explorer\TypedURLs registry keys, the worm puts the "http://www.gayextreme.com/queer/handle-it.html" web page in first position among the recently used web pages and sets "SearchURL" to "http://www.fetishrealm.com/fatgirls/pic3.htm".
- By rewriting the Software\Mirabilis\ICQ\Bookmarks registry key, sets:
"Main Page" to "http://www.biggfantac.com/terra/index.html",
"Customer Support" to "http://www.pornoparty.net",
"Menu" to "http://www.gayextreme.com/queer/handle-it.html"

- Deletes all keys from
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall or
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
- Sets Windows settings:
RegisteredOwner = "Idiot with a Virus"
RegisteredOrganization and ProductID = "Registry Rage Virus L1999"

- Creates a C:\POEM1.TXT or C:\POEM2.TXT file, writes one of the texts below to it and opens it with NOTEPAD.EXE. The texts are as follows:
To earn for the body and the mind whatever adheres and goes forward
and is not dropt by death;
I will effuse egotism and show it underlying all, and I will be the
bard of personality,
And I will show of male and female that either is but the equal of
the other,
And I will show that there is no imperfection in the present, and
can be none in the future,
And I will show that whatever happens to anybody it may be turn'd to
beautiful results,
And I will show that nothing can happen more beautiful than death all
- Walt Whitman
Nothing divine dies. All good is eternally reproductive. The beauty of
nature reforms itself in the mind, and not for barren contemplation,
but for new creation.
All men are in some degree impressed by the face of the world; some men
even to delight. This love of beauty is Taste. Others have the same love
in such excess, that, not content with admiring, they seek to embody
it in new forms. The creation of beauty is Art.
- Ralph Waldo Emerson

The worm's payload routines also erase or modify miscellaneous Windows settings, minimise the Backup and ScanDisk settings, erase the registry backup, etc.

    Copyright © 2005 Virus-Database.com