Virus Database


Victor.2442

Description Victor.2442

This is a very dangerous memory-resident parasitic virus. It hooks INT 21h and writes itself to the end of .COM and .EXE files. At 9am, 11am, 1pm and 3pm (by the system timer) it deletes randomly selected files. The virus contains the texts:
*.*
COMEXE
Victor V1.0 The Incredible High Performance Virus
Enhanced versions available soon.
This program was imported from USSR. Thanks to Ivan.

I-Worm.Zafi.b

Description I-Worm.Zafi.b

This worm spreads via the Internet as an attachment to infected messages, and also via local and file-sharing networks.
It is written in Assembler and packed using FSG. It is 12800 bytes in packed form and 33292 bytes unpacked.
Installation
Once launched, the worm copies its file to the Windows system directory under a randomly generated file name.
It registers this file under the following registry key so that it runs every time the system starts:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"_Hazafibb"="%system%\[file name]"
The worm creates the mutex _Hazafibb to flag its presence in the system; this prevents multiple copies of the worm from running at the same time.
It terminates the following processes and deletes their files from disk (note that winlogon.exe and services.exe are also the names of legitimate Windows system processes, so a listing alone does not identify the worm's targets):
fvprotect.exe
winlogon.exe
jammer2nd.exe
services.exe
Propagation via email
The worm harvests email addresses from files with the following extensions:
htm
wab
txt
dbx
tbb
asp
php
sht
adb
mbx
eml
pmr
It does not send messages to addresses that contain any of the following substrings:
win
use
info
help
admi
webm
micro
msn
hotm
suppor
syma
vir
trend
panda
yaho
cafee
sopho
google
kasper
The worm uses a range of message texts; the text is chosen according to the recipient's domain name.
Domain .hu
Sender:
Anita
Message header:
Ingyen SMS! (Free SMS!)
Message body (translated from Hungarian):
------------------------ advertisement -----------------------------

With the support of the successful 777sms.hu and axelero.hu, the free
SMS sending service is starting up again! For now only in limited
numbers: 20 free SMS per day can be used. Send an SMS too! After a few
clicks and filling in the attached registration form it can be used
right away! You will find more information at www.777sms.hu, but hurry,
because we are drawing valuable prizes among the first thousand users!

------------------------ axelero.hu ---------------------------
Attachment name:
regiszt.php?3124freesms.index777.pif
Domain .sp
Sender:
Claudia
Message header:
Importante! (Important!)
Message body (translated from Spanish):
Important information you should know, -
Attachment name:
link.informacion.phpV23.text.message.pif
Domain .ru
Sender:
Katya
Message header:
Katya
Message body:
[Pornographic advertising text in Russian; the original Cyrillic is mis-encoded in this copy and only partly recoverable.]
Attachment name:
view.link.index.image.phpV23.sexHdg21.pif
Domain .dk
Sender:
Eva
Message header:
E-Kort! (E-card!)
Message body (translated from Danish):
My heart beats for you!
Attachment name:
link.ekort.index.phpV7ab4.kort.pif
Domain .ro
Sender:
Marica
Message header:
Ecard!
Message body:
Since I met you my heart has a new rhythm! (translated from Romanian)
Attachment name:
link.showcard.index.phpAv23.ritm.pif
Domain .se
Sender:
Anna
Message header:
E-vykort! (E-postcard!)
Message body (translated from Swedish):
To my beloved...
Attachment name:
link.vykort.showcard.index.phpBn23.pif
Domain .no
Sender:
Erica
Message header:
E-Postkort! (E-postcard!)
Message body (translated from Norwegian):
Beautiful roses I compare with you...
Attachment name:
link.postkort.showcard.index.phpAe67.pif
Domain .fi
Sender:
Katarina
Message header:
E-postikorti! (E-postcard!)
Message body (translated from Finnish):
Happy summer!
Attachment name:
link.postikorti.showcard.index.phpGz42.pif
Domain .lt
Sender:
Magdolina
Message header:
Atviruka! (Postcard!)
Message body (translated from Lithuanian):
Happy birthday!
Attachment name:
link.atviruka.showcard.index.phpGz42.pif
Domain .pl
Sender:
Beate
Message header:
E-Kartki! (E-cards!)
Message body (translated from Polish):
On your name day...
Attachment name:
link.kartki.showcard.index.phpVg42.pif
Domain .pt
Sender:
Eva
Message header:
Cartoe Virtuais! (Virtual cards!)
Message body (translated from Portuguese):
I love you...
Attachment name:
link.cartoe.viewcard.index.phpYj39.pif
Domain .de
Sender:
Alice
Message header:
Flashcard fuer Dich! (Flashcard for you!)
Message body (translated from German; the sender name before "has sent" is left blank in the template):
Hello!

has sent you an electronic Flashcard.
To view the Flashcard, simply use the following link
in your browser:
http://flashcard.de/interaktiv/viewcards/view.php3?card=267BSwr34

Enjoy reading, yours...
Attachment name:
link.flashcard.de.viewcard34.php.2672aB.pif
Domain .nl
Sender:
Eva
Message header:
Er staat een eCard voor u klaar! (An eCard is waiting for you!)
Message body (translated from Dutch):
Hello!

has sent you an eCard via the website nederlandse
taal in het basisonderwijs...
You can pick up the card by clicking the following url or
copying it into your browser link:
http://postkaarten.nl/viewcard.show53.index=04abD1

Kind regards,
The editors of taalsite primair onderwijs...
Attachment name:
postkaarten.nl.link.viewcard.index.phpG4a62.pif
Domain .cz
Sender:
Hanka
Message header:
Elektronicka pohlednice! (Electronic postcard!)
Message body (translated from Czech):
Hi!

Electronic postcard from the server http://www.seznam.cz

Attachment name:
link.seznam.cz.pohlednice.index.php2Avf3.pif
Domain .fr
Sender:
Claudine
Message header:
E-carte! (E-card!)
Message body (translated from French):
has sent you an E-card from the site zdnet.fr
You will find it at the following address link:
http://zdnet.fr/showcard.index.php34bs42
www.zdnet.fr, more than 3500 virtual cards, your web pages
in 5 minutes, live chat...
Attachment name:
link.zdnet.fr.ecarte.index.php34b31.pif
Domain .it
Sender:
Francesca
Message header:
Ti e stata inviata una Cartolina Virtuale! (You have been sent a Virtual Postcard!)
Message body (translated from Italian):
Hi!

has visited our site, cartolina.it, and created a
virtual postcard for you! To see it, click
on the link below: http://cartolina.it/asp.viewcard=index4g345a
Note: the postcard will remain visible on our servers for
2 days and will then be removed automatically.
Attachment name:
link.cartoline.it.viewcard.index.4g345a.pif
Domain .mx
1.
Sender:
Jennifer
Message header:
You`ve got 1 VoiceMessage!
Message body:
Dear Customer!

You`ve got 1 VoiceMessage from voicemessage.com website!
Sender:
You can listen your Virtual VoiceMessage at the following link:
http://virt.voicemessage.com/index.listen.php2=35affv
or by clicking the attached link.

Send VoiceMessage! Try our new virtual VoiceMessage Empire!
Best regards: SNAF.Team (R).
Attachment name:
link.voicemessage.com.listen.index.php1Ab2c.pif
2.
Sender:
Anita
Message header:
Soxor Csok! (Lots of kisses!)
Message body (translated from Hungarian):
Hi!

You're cute, it was nice chatting with you on the net!
I hope you like me, and I'd like you to send a picture
of yourself too; until then, kisses:
Attachment name:
anita.image043.jpg.pif
Domain .at
1.
Sender:
Anita
Message header:
Tessek mosolyogni!!! (Smile, please!!!)
Message body (translated from Hungarian):
If even this picture can't cheer you up, I give up!

Lots of kisses:
Attachment name:
meztelen csajok fociznak.flash.jpg.pif
2.
Sender:
Jennifer
Message header:
Don`t worry, be happy!
Message body:
Hi Honey!

I`m in hurry, but i still love ya...
(as you can see on the picture)

Bye - Bye:
Attachment name:
www.ecard.com.funny.picture.index.nude.php356.pif
For all other domains, the message will be as follows:
Sender:
David
Message header:
Check this out kid!!!
Message body:
Send me back bro, when you`ll be done...(if you know what i mean...)

See ya,
Attachment name:
jennifer the wild girl xxx07.jpg.pif
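A gateway-side check built from the lure table above, as an added example (not code from the original page or from any vendor): it scores a message on the recipient's top-level domain, the sender display name, the Subject and the .pif attachment. The Mail class, the function names and the sample messages are constructed for this example, and the template table covers only a subset of the domains listed.

```python
"""Flag e-mail that matches the I-Worm.Zafi.b lure templates listed above.

Added example; this is not code from the original page. It checks the
recipient's top-level domain, the sender display name, the Subject and the
attachment name against the per-domain templates in the description. The
messages in SAMPLES are constructed, not captured worm traffic.
"""
from dataclasses import dataclass

# (sender display name, subject) templates per recipient TLD, a subset of the
# list above; every other TLD gets the "David" template.
LURES = {
    "hu": [("Anita", "Ingyen SMS!")],
    "de": [("Alice", "Flashcard fuer Dich!")],
    "fr": [("Claudine", "E-carte!")],
    "it": [("Francesca", "Ti e stata inviata una Cartolina Virtuale!")],
    "mx": [("Jennifer", "You`ve got 1 VoiceMessage!"), ("Anita", "Soxor Csok!")],
    "at": [("Anita", "Tessek mosolyogni!!!"), ("Jennifer", "Don`t worry, be happy!")],
}
DEFAULT_LURES = [("David", "Check this out kid!!!")]


@dataclass
class Mail:
    sender_name: str   # display name in the From: header
    recipient: str     # envelope recipient address
    subject: str
    attachment: str    # file name of the attachment, "" if none


def recipient_tld(address):
    """'user@mail.example.de' -> 'de'."""
    domain = address.rsplit("@", 1)[-1]
    return domain.rsplit(".", 1)[-1].lower()


def zafi_b_score(mail):
    """0 = not a Zafi.b candidate; 1 = .pif attachment only; 2 or 3 = template hit."""
    if not mail.attachment.lower().endswith(".pif"):
        return 0  # the worm only ever sends .pif attachments
    templates = LURES.get(recipient_tld(mail.recipient), DEFAULT_LURES)
    best = 1
    for sender, subject in templates:
        # bool arithmetic: each matching template field adds one point
        score = 1 + (mail.sender_name == sender) + (mail.subject == subject)
        best = max(best, score)
    return best


def is_zafi_b(mail):
    """A .pif attachment plus at least one matching template field."""
    return zafi_b_score(mail) >= 2


# Constructed sample messages (addresses and the last two entries are made up).
SAMPLES = [
    Mail("Alice", "user@example.de", "Flashcard fuer Dich!",
         "link.flashcard.de.viewcard34.php.2672aB.pif"),
    Mail("David", "bob@example.com", "Check this out kid!!!",
         "jennifer the wild girl xxx07.jpg.pif"),
    Mail("Anita", "kati@example.at", "Tessek mosolyogni!!!",
         "meztelen csajok fociznak.flash.jpg.pif"),
    Mail("Alice", "user@example.de", "Meeting notes", "notes.pdf"),
    Mail("Bob", "x@example.de", "Build", "installer.pif"),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(f"{zafi_b_score(m)} {is_zafi_b(m)!s:5} {m.subject!r} {m.attachment!r}")
```

A score of 1 (a lone .pif attachment with no template match) is deliberately not flagged: .pif attachments are rare but not unique to this worm, and the per-domain sender/subject pairing is what distinguishes Zafi.b from other mass-mailers of the period.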
Propagation via local and file-sharing networks
The worm copies itself to every folder whose name contains one of the words:
share
upload
The name of the worm file will be chosen from the following list:
winamp 7.0 full_install.exe
Total Commander 7.0 full_install.exe
Other
It creates the file sys.txt in the root directory of drive C:.
It attempts to detect antivirus program files on the computer and overwrite them with a copy of itself.
It also attempts to conduct DoS attacks on the following sites:
www.2f.hu
www.parlament.hu
www.virusbuster.hu
www.virushirado.hu
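Host triage for the installation and file-share behaviour described above, as an added example that is not part of the original page. It reads the Run key from a text .reg export (so it runs offline on any platform) rather than from the live registry, and walks a directory tree for the decoy installer names the worm drops into share and upload folders. The .reg text, the random file name kqzdx.exe and the directory tree are constructed samples.

```python
"""Host triage for I-Worm.Zafi.b persistence and file-share drops.

Added example (not from the original page). Two checks follow the
description above: the Run value named "_Hazafibb" under
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run, read here from a
text .reg export so the script runs offline on any platform, and the decoy
installers the worm drops into folders whose name contains "share" or
"upload". The .reg text and the directory tree are constructed samples.
"""
import os
import re
import tempfile

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
DROP_NAMES = {"winamp 7.0 full_install.exe", "total commander 7.0 full_install.exe"}
SHARE_WORDS = ("share", "upload")


def find_run_values(reg_text, value_name="_Hazafibb"):
    """Return the data of every Run value called value_name in a .reg export."""
    hits, in_run_key = [], False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run_key = line[1:-1].lower() == RUN_KEY.lower()
            continue
        # REG_SZ values are exported as "name"="data" with doubled backslashes
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if in_run_key and m and m.group(1).lower() == value_name.lower():
            hits.append(m.group(2).replace("\\\\", "\\"))
    return hits


def find_share_drops(root):
    """Walk root and return decoy-installer paths inside share/upload folders."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        folder = os.path.basename(dirpath).lower()
        if not any(w in folder for w in SHARE_WORDS):
            continue
        for f in files:
            if f.lower() in DROP_NAMES:
                found.append(os.path.join(dirpath, f))
    return sorted(found)


# Constructed .reg export; the worm file name kqzdx.exe is made up, since the
# real name is random.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"_Hazafibb"="C:\\WINDOWS\\system32\\kqzdx.exe"
"""


def build_sample_tree():
    """Create a throw-away directory tree with one decoy in a share folder."""
    root = tempfile.mkdtemp(prefix="zafi_")
    os.makedirs(os.path.join(root, "Documents"))
    os.makedirs(os.path.join(root, "My Shared Folder"))
    open(os.path.join(root, "Documents", "readme.txt"), "w").close()
    open(os.path.join(root, "My Shared Folder", "winamp 7.0 full_install.exe"), "w").close()
    return root


if __name__ == "__main__":
    print("Run value(s):", find_run_values(SAMPLE_REG))
    print("Share drops:", find_share_drops(build_sample_tree()))
```

On a live system the same Run value can be exported with `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg` and fed to find_run_values; the value name is the stable indicator here, since the file name it points to is random.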

I-Worm.ZippedFiles (a.k.a. ExploreZip)

Description I-Worm.ZippedFiles (a.k.a. ExploreZip)

This is a virus-worm spreading via the Internet and local networks. It usually arrives as a file named "Zipped_Files.Exe" attached to an e-mail. The file is a Delphi executable about 210 KB in length; most of it is Delphi run-time libraries, data and classes, and only about 10 KB is "pure" worm code.
Upon execution it installs itself into the system, then sends infected messages (with its copy attached) to addresses found in the e-mail Inbox. To hide its activity, the worm displays the following message:
Error
Cannot open file: it does not appear to be a valid archive. If this file is
part of a ZIP format backup set, insert the last disk of the backup set
and try again. Please press F1 for help.

Installing into the system
To install into the system, the worm copies itself to the Windows directory under the name _SETUP.EXE, and to the Windows system directory under the name EXPLORE.EXE, for example:
C:\WINDOWS\_SETUP.EXE
C:\WINDOWS\SYSTEM\EXPLORE.EXE - note "EXPLORE.EXE", not "EXPLORER.EXE"

The worm then registers its copy in the Windows configuration so that the system executes it each time Windows starts. To do this it writes a "run=" instruction that points to one of the worm files, _SETUP.EXE or EXPLORE.EXE. Depending on the Windows version, this registration goes to one of two places: the WIN.INI file (under Win95/98) or the system registry (under WinNT).
In the case of Win95/98, the [windows] section of the WIN.INI file is updated with a "run=" instruction:
WIN.INI file:
[windows]
run=[worm file name]

In the case of WinNT, the same registration procedure affects the registry value:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
run=[worm file name]

Depending on the worm's "status" and system conditions, it selects one of two file names, _SETUP.EXE or EXPLORE.EXE. It may replace an existing value with the second name and later switch back to the first, so either variant of the "run=" instruction may be found:
run=_setup.exe
run=C:\WINDOWS\SYSTEM\Explore.exe or run=C:\WINNT\SYSTEM32\Explore.exe

The Worm in the System Memory
The worm then (being registered in the system) stays "memory resident" and is active until the system shuts down. Its task has no active window and is not visible in the taskbar, but it is visible in the task list (Ctrl-Alt-Del) under one of the names the worm uses for its copies:
Zipped_files
Explore - not "Explorer"!
_setup

The worm does not check for a copy already present in memory, so several worm instances may be found running at once.
Being active as a Windows application, the worm runs four threads from its main process: an installation thread that copies the worm files to the Windows directories and registers them, an Internet-spreading thread, and two file-destroying threads.
Spreading by E-mails
The second, and most important, thread sends e-mail messages using any e-mail system based on standard MAPI (Messaging Application Programming Interface), such as MS Outlook or MS Outlook Express. The worm makes up to four attempts to log on to the installed e-mail system with different MAPI profiles: the default one, Microsoft Outlook, Microsoft Outlook Internet Settings, and Microsoft Exchange.
Once connected, the worm monitors all arriving messages: in an endless loop it scans the Inbox for messages and replies to them. The reply has the same Subject with a "Re" prefix, and the body reads:
Hi [recipient name]
I received your email and I shall send you a reply ASAP.
Till then, take a look at the attached zipped docs.

The message ends with one of two signature variants depending on the worm's success in locating the "sender name" in the e-mail fields:
bye.
sincerely [sender name]

The worm copy is attached to the message with a "Zipped_Files.Exe" name.
The worm does not reply to a message twice, and does not reply to its own messages. To recognise messages it has already handled, it marks them with a TAB character at the end of the Subject string: each time it scans the Inbox it reads the Subject field, goes to its end, and skips the message if a TAB is found there. The worm also replies only to unread messages, not to every message in the Inbox.
Note that both conditions (replying only to unread messages and not replying to the same message twice) are optional in the worm's infection routine. In the known version both are hard-coded as described, but a later version could answer every message in the Inbox each time the infection thread gains control.
The process therefore looks like this: when the worm starts for the first time on a computer, it sends infected messages in reply to all unread messages found in the Inbox and marks them with the TAB character so they are not used again; when a new message arrives from the Internet and appears in the Inbox, the worm immediately "answers" it with the fake text shown above.
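A mailbox scan for the traces this section describes (the TAB marker at the end of the Subject, the Zipped_Files.Exe attachment and the fixed reply text), written as an added example rather than code from the original page. It uses Python's mailbox and email modules on an mbox export; the mbox text, the addresses and the short base64 attachment body are constructed, not captured traffic.

```python
"""Scan an mbox for the traces I-Worm.ZippedFiles leaves in a victim's Inbox.

Added example, not code from the original page. Three indicators from the
description are checked: a Subject ending in a TAB (the worm's "already
answered" marker), an attachment named Zipped_Files.Exe, and the fixed
reply body. SAMPLE_MBOX is a constructed mailbox, not captured traffic.
"""
import mailbox
import os
import tempfile

REPLY_LINE = "I received your email and I shall send you a reply ASAP."
WORM_ATTACHMENT = "zipped_files.exe"


def has_tab_marker(subject):
    """The worm appends a TAB to the Subject of every message it has replied to."""
    return subject is not None and subject.endswith("\t")


def attachment_names(msg):
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def plain_text(msg):
    """Concatenate the text/plain parts that are not attachments."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode("utf-8", "replace"))
    return "\n".join(chunks)


def classify(msg):
    """Return the list of ZippedFiles indicators found on one message."""
    hits = []
    if has_tab_marker(msg.get("Subject")):
        hits.append("subject-tab-marker")
    if any(n.lower() == WORM_ATTACHMENT for n in attachment_names(msg)):
        hits.append("zipped_files-attachment")
    if REPLY_LINE in plain_text(msg):
        hits.append("worm-reply-text")
    return hits


def scan_mbox_text(text):
    """Write text to a temporary mbox file and classify every message in it."""
    fd, path = tempfile.mkstemp(suffix=".mbox")
    with os.fdopen(fd, "w", newline="\n") as fh:
        fh.write(text)
    box = mailbox.mbox(path)  # default compat32 policy keeps the trailing TAB
    try:
        return [(msg.get("Subject"), classify(msg)) for msg in box]
    finally:
        box.close()
        os.unlink(path)


# Constructed sample: an original message the worm has already answered
# (note the trailing TAB), the worm's reply with its attachment, and an
# unrelated message.
SAMPLE_MBOX = (
    "From alice@example.com Thu Jun 10 10:00:00 1999\n"
    "From: alice@example.com\nTo: bob@example.com\n"
    "Subject: project status\t\n\n"
    "Can you send the Q2 numbers?\n\n"
    "From bob@example.com Thu Jun 10 10:01:00 1999\n"
    "From: bob@example.com\nTo: alice@example.com\n"
    "Subject: Re: project status\nMIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="BND"\n\n'
    "--BND\nContent-Type: text/plain\n\n"
    "Hi alice\n" + REPLY_LINE + "\n"
    "Till then, take a look at the attached zipped docs.\nbye.\n"
    "--BND\n"
    'Content-Type: application/octet-stream; name="Zipped_Files.Exe"\n'
    'Content-Disposition: attachment; filename="Zipped_Files.Exe"\n'
    "Content-Transfer-Encoding: base64\n\n"
    "TVqQAAMAAAAEAAAA//8AAA==\n"   # a few MZ-header-like bytes, not the worm
    "--BND--\n\n"
    "From carol@example.com Thu Jun 10 10:05:00 1999\n"
    "From: carol@example.com\nTo: bob@example.com\nSubject: lunch?\n\n"
    "Noodles at one?\n"
)

if __name__ == "__main__":
    for subject, hits in scan_mbox_text(SAMPLE_MBOX):
        print(repr(subject), hits)
```

A "subject-tab-marker" hit on a message in a user's own Inbox means the worm has already replied to that message from this machine, which dates the infection to before that message's arrival; a "zipped_files-attachment" hit on an incoming message identifies the sender's machine as infected. Mail clients usually strip trailing whitespace from displayed subjects, so the marker is invisible in the UI and must be read from the raw header.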
Spreading to a Local Network
The worm is able to spread over a local network and infect remote computers whose Windows directory is shared for reading and writing (full access). To do this it enumerates network resources (shared remote drives) and looks for a WIN.INI file on each. If one is found, the worm copies its _SETUP.EXE file to that directory and modifies the remote configuration file so that Windows on the remote computer executes the worm file at the next reboot (see "Installing into the system" above).
Payload
The worm has an extremely dangerous payload. Each time it is executed, it runs two more threads that scan directory trees on local and network drives, look for .C, .H, .CPP, .ASM, .DOC, .XLS and .PPT files (program source and MS Office files), and zero them. The worm uses a create-and-close trick that truncates each file to zero length, so its contents are lost. The data clusters are released rather than overwritten, so the contents cannot be restored through the file system; carving unallocated space may still recover fragments as long as those clusters have not been reused.
As mentioned above, there are two file-killing threads. The first is active for as long as the worm copy is active, until shutdown: in an endless loop it scans all available drives from C: to Z: and corrupts the files listed above. The second thread runs only once: it enumerates network resources (shared remote drives), scans them for the same files and destroys them too.
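Two triage checks for the persistence mechanism described under "Installing into the system" and for the payload just described, as an added example that is not the page's own code. The first parses the [windows] section of a WIN.INI text for the "run=" line and flags values whose file name is _setup.exe or explore.exe (and not explorer.exe); WIN.INI may carry more than one run= line, so the parser collects them all instead of relying on configparser. The second walks a directory tree for zero-length files with the payload's target extensions. The WIN.INI text and the directory tree are constructed samples, and the create-and-close truncation used to build the sample is the same operation the description attributes to the payload.

```python
"""Triage checks for I-Worm.ZippedFiles (ExploreZip) on a mounted disk or share.

Added example, not the page's own code. It (1) parses the [windows] section
of a WIN.INI text for the "run=" line the worm plants and flags values that
name _setup.exe or explore.exe (not explorer.exe), and (2) walks a directory
tree for the zero-length .c/.h/.cpp/.asm/.doc/.xls/.ppt files the payload
leaves behind. SAMPLE_WIN_INI and the directory tree are constructed.
"""
import os
import re
import tempfile

WORM_RUN_NAMES = {"_setup.exe", "explore.exe"}
TARGET_EXTS = {".c", ".h", ".cpp", ".asm", ".doc", ".xls", ".ppt"}


def win_ini_run_values(ini_text):
    """Return every run= value in the [windows] section (WIN.INI allows repeats)."""
    values, in_windows = [], False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_windows = line[1:-1].lower() == "windows"
        elif in_windows and re.match(r"run\s*=", line, re.I):
            values.append(line.split("=", 1)[1].strip())
    return values


def suspicious_run_values(ini_text):
    """Keep only run= values whose basename is a known worm file name."""
    return [v for v in win_ini_run_values(ini_text)
            if os.path.basename(v.replace("\\", "/")).lower() in WORM_RUN_NAMES]


def zeroed_files(root):
    """List zero-length files with a payload-target extension under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            path = os.path.join(dirpath, f)
            if os.path.splitext(f)[1].lower() in TARGET_EXTS and os.path.getsize(path) == 0:
                hits.append(path)
    return sorted(hits)


# Constructed WIN.INI fragment with the worm's run= line in place.
SAMPLE_WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\SYSTEM\\Explore.exe
NullPort=None

[Desktop]
Wallpaper=(None)
"""


def build_sample_tree():
    """Create a throw-away tree with one intact source file and two zeroed files."""
    root = tempfile.mkdtemp(prefix="explorezip_")
    os.makedirs(os.path.join(root, "src"))
    with open(os.path.join(root, "src", "main.c"), "w") as fh:
        fh.write("int main(void) { return 0; }\n")            # intact
    open(os.path.join(root, "src", "util.h"), "w").close()    # zeroed: create-and-close
    open(os.path.join(root, "budget.xls"), "w").close()       # zeroed: create-and-close
    open(os.path.join(root, "empty.log"), "w").close()        # not a target extension
    return root


if __name__ == "__main__":
    print("Suspicious run= values:", suspicious_run_values(SAMPLE_WIN_INI))
    print("Zeroed target files:", zeroed_files(build_sample_tree()))
```

Zero-length source or Office files are not proof on their own (empty headers and placeholder documents exist), but a burst of them sharing one modification time across several drives, together with a matching run= line, is the pattern this worm produces.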

Copyright © 2005 Virus-Database.com