Virus Database

Vendetta

Description Vendetta

It's a not dangerous memory resident boot virus. It hooks INT 9, 13h and writes itself into MBR of hard drive and boot sectors of floppy disks. It contains a bug and works on PC-XT only. Depending on its internal counter is corrupts keyboard queue. It contains the internal text string:
VENDETTA

Check other viruses! Be aware! Use Antiviral Software

I-worm.Mydoom.ab

Description I-worm.Mydoom.ab

Mydoom.ab is another Mydoom.a variant. It spreads as an attachment in an infected email. The worm send copies of itself to all addresses in the local address book.
Mydoom.ab is a Windows PE EXE file and is about 32 KB - packed by UPX.
Installation
Upon installation Mydoom.ab creates a file named lsasrv.exe in the Windows system registry and creates the following registry key:
[HKLMSoftwareMicrosoftWindowsCurrentVersionRun]
"lsass" = "%System%lsasrv.exe"
The worm also creates a file named version.ini in the Windows system folder.
Other
Mydoom.ab attempts to block the work of a number of firewalls.

I-Worm.Mydoom.b

Description I-Worm.Mydoom.b
Mydoom.b is a modification of Mydoom.a that spreads via the Internet in the form of files attached to infected messages and via the Kazaa file-sharing network. The worm itself is a Windows PE EXE file of 29184 bytes, compressed using UPX and PE-Patch. The decompressed file is approximately 49KB in size.
The worm is activated only if the user opens the archive and launches the infected file by double-clicking on the attachment. The worm then installs itself in the system and starts the replication process.
The worm contains a backdoor function, and is also programmed to carry out DoS attacks on the sites www.sco.com and www.microsoft.com.
Part of the body of the worm is encrypted.
The unpacked file contains the following text:
(sync-1.01; andy; I'm just doing my job, nothing personal, sorry)
Installation
Following launch, the worm opens Windows Notepad, showing a random selection of symbols:
During installation, the worm copies itself under the name explorer.exe to the Windows system directory, and registers this file in the system registry auto-run key:
[HKLMSoftwareMicrosoftWindowsCurrentVersionRun]
[HKCUSoftwareMicrosoftWindowsCurrentVersionRun]
"TaskMon" = "%System%explorer.exe"
The worm creates the file ctfmon.dll in the Windows system directory which is a backdoor component (a proxy server) and also registers this in the system registry:
[HKCRCLSID{E6FB5E20-DE35-11CF-9C87-00AA005127ED}InProcServer32]
"Apartment" = "%SysDir%ctfmon.dll"
Ctfmon.dll will therefore launch as a procedure linked to Explorer.exe.
The worm also creates a file called Body in the temporary directory (usually in %windir% emp). This file contains a random selection of symbols.
So that the worm can identify itself in the system, it creates several additional keys in the system registry:
[HKLMSoftwareMicrosoftWindowsCurrentVersionExplorerComDlg32Version]
[HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerComDlg32Version]
While running it also creates a unique identifier sync-v1.01__ipcmtx0.
Mydoom.b replaces the standard file 'hosts' in the Windows directory into with its own version (under the same name). This file will now prevent user access to the following domains:
ad.doubleclick.net
ad.fastclick.net
ads.fastclick.net
ar.atwola.com
atdmt.com
avp.ch
avp.com
avp.ru
awaps.net
banner.fastclick.net
banners.fastclick.net
ca.com
click.atdmt.com
clicks.atdmt.com
dispatch.mcafee.com
download.mcafee.com
download.microsoft.com
downloads.microsoft.com
engine.awaps.net
fastclick.net
f-secure.com
ftp.f-secure.com
ftp.sophos.com
go.microsoft.com
liveupdate.symantec.com
mast.mcafee.com
mcafee.com
media.fastclick.net
msdn.microsoft.com
my-etrust.com
nai.com
networkassociates.com
office.microsoft.com
phx.corporate-ir.net
secure.nai.com
securityresponse.symantec.com
service1.symantec.com
sophos.com
spd.atdmt.com
support.microsoft.com
symantec.com
update.symantec.com
updates.symantec.com
us.mcafee.com
vil.nai.com
viruslist.ru
windowsupdate.microsoft.com
www.avp.ch
www.avp.com
www.avp.ru
www.awaps.net
www.ca.com
www.fastclick.net
www.f-secure.com
www.kaspersky.ru
www.mcafee.com
www.my-etrust.com
www.nai.com
www.networkassociates.com
www.sophos.com
www.symantec.com
www.trendmicro.com
www.viruslist.ru
www3.ca.com


Mailing letters
Emails are sent in the same way that Mydoom.a uses except for the following changes.
The body text is chosen at random from the following:
The message cannot be represented in 7-bit ASCII encoding
and has been sent as a binary attachment

sendmail daemon reported: Error #804 occured during SMTP session.
Partial message has been received

The message contains Unicode characters and
has been sent asa binary attachment.

The message contains MIME-encoded graphics and
has been sent as a binary attachment

Mail transaction failed. Partial message is available.
Mydoom.b might also send emails with random strings of characters in the subject, body and attachment name.
Propagation via P2P
The worm checks for the presence of a Kazaa client on the computer and copies itself to the file-sharing directory under the following names:
NessusScan_pro
attackXP-1.26
winamp5
MS04-01_hotfix
zapSetup_40_148
BlackIce_Firewall_Enterpriseactivation_crack
xsharez_scanner
icq2004-final
with the following extensions:
bat
exe
scr
pif

Home