Blah.3385
Description Blah.3385
These are dangerous memory-resident stealth multipartite viruses. They hook INT 13h and INT 21h, and write themselves into the MBR of the hard drive and into the beginning of .BAT files. They contain the internal text string: Blah virus (DA/PS)
On the hard drive the virus occupies three sectors starting from the MBR; the fourth sector contains the original MBR. On infecting a BAT file the virus encodes itself with a BIN-to-ASCII algorithm and writes the result, together with several DOS command lines, at the beginning of the BAT file (text between '[' and ']' is a comment):
@echo [ binary data ] >ƒ.com
@echo [ binary data ] >>ƒ.com
@echo [ text data ] >>ƒ.com
@echo [ text data ] >>ƒ.com
[ repeated all ]
@echo [ text data ] >>ƒ.com
@if %0. == . ƒ
@ƒ
@del ƒ.com
@if %0. == . autoexec
@%0
The binary data contains the ASCII-to-BIN decoder; the text data contains the main virus body converted to ASCII text strings (a la UUencode/XXencode). On execution of such a BAT file the virus creates the file ƒ.COM, writes the decoder and the ASCII data into it, and executes that file. When executed from ƒ.COM, the virus decodes itself from ASCII text into binary code, installs itself memory resident, hooks INT 13h and INT 21h, and returns control to the infected BAT file. The remaining BAT commands delete the ƒ.COM file and then execute the host BAT file again. Because the virus is already installed, its stealth routine does not allow the virus BAT code to be executed a second time, and the original code of the infected BAT file receives control. The virus pays special attention to AUTOEXEC.BAT because it is a special BAT file: on the first execution of AUTOEXEC.BAT (during DOS loading) "%0" does not return the file name, whereas on any other execution of a BAT file "%0" contains the name of the host file. While executing the decoded virus body, the virus checks system memory with an "Are you here?" call (INT 21h, AH=62h, DX=F904h), then passes control to the installation routine. That routine cuts a block out of system memory by decreasing the system memory size (the word at address 0000:0413h), copies the virus into that memory block, hooks INT 13h and INT 21h, and passes control to the MBR infection code. That code reads the MBR of the hard drive, checks the virus ID stamp (the word 6540h at offset 010Ah), checks the partition table, and overwrites the first four sectors of the hard drive with the virus code; the last (fourth) sector contains the original MBR code. After infecting the hard drive MBR the virus returns control to the host BAT file. On loading from an infected MBR the virus calls an installation routine that is practically the same as the one used when loading from an infected file.
The virus decreases the size of system memory, copies itself there, hooks INT 13h and returns control to the original MBR code. On INT 13h calls it checks the INT 21h handler's address, and if it points into DOS the virus hooks INT 21h. The virus INT 21h handler intercepts five DOS functions:
AH/AX (hex)  function
-----------  --------
11, 12       FindFirst/Next FCB (DIR command)
3D00         Open file
3F           Read from file
62           Get PSP
On FindFirst/Next calls the virus "decreases" the reported length of infected BAT files. To separate infected from uninfected files the virus uses an ID stamp in the file time and date stamp: infected files have a 62-second time stamp. On Get PSP calls with DX=F904h (the virus "Are you here?" call) it disables the virus INT 13h and INT 21h handlers and returns. I see no reason for that call because the virus code cannot be executed twice - the INT 13h/21h stealth routines redirect access to the original bodies of BAT files and the MBR. On Open File calls the virus hooks INT 24h to suppress the DOS error message when writing to write-protected disks, checks the file extension for "BAT", opens that file using the undocumented System File Table, checks whether the file is already infected, and infects it. On Read from File calls the virus checks whether the file is infected and substitutes the original (uninfected) form for the infected file; this code is the virus stealth routine. While checking whether a file is already infected (on Open File and Read from File calls) the virus reads the file header and compares the first 108 (6Ch) bytes with the virus code. During infection the virus moves the file body down by 3385 bytes and writes the 3385 bytes of virus code at the beginning of the file: the ASCII-to-BIN decoder, the virus code converted to ASCII, and the additional DOS commands listed above. The virus INT 13h handler intercepts only two functions, Read and Write (AH=2, 3), and only for accesses to the hard drive. On both calls the virus infects the MBR (if it is not infected yet) and performs the stealth routine. It has a bug: the boot/MBR sector stamp 55AAh is placed at the wrong offset in the virus body (01FFh instead of 01FEh), which causes a system error message when loading from such an MBR, and the hard drive stays unavailable.
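The entry gives three concrete markers a defender can check offline: the ID word 6540h at offset 010Ah of the MBR, the 55AAh boot stamp that the buggy code writes at 01FFh instead of 01FEh, and the 62-second time stamp on infected BAT files. The following is an added example, not code from the original entry; the sector images and the BAT text it checks are constructed here, and the "shifted stamp" check is an inference from the description (a 16-bit word written at 01FFh leaves only its first byte, 55h, inside the 512-byte sector).

```python
"""Added example: offline checks for the Blah.3385 markers named in the entry.
Inputs are a 512-byte sector image, a DOS (FAT) time word, or BAT file text.
All sample data below is constructed for the example."""
import struct

SECTOR_SIZE = 512
BOOT_SIG_OFFSET = 0x1FE      # a valid MBR stores 55AAh here
BLAH_ID_OFFSET = 0x10A       # virus ID word 6540h, per the description
BLAH_ID_WORD = 0x6540
DROPPER_NAME = "ƒ.com"       # temporary file the prepended BAT code writes


def inspect_mbr(sector: bytes) -> dict:
    """Report the boot-signature and ID-word state of one sector image."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected a 512-byte sector image")
    sig_ok = sector[BOOT_SIG_OFFSET:BOOT_SIG_OFFSET + 2] == b"\x55\xAA"
    id_word = struct.unpack_from("<H", sector, BLAH_ID_OFFSET)[0]
    # Inference from the entry: if 55AAh is written at 01FFh instead of
    # 01FEh, only its low byte 55h still lands inside the sector.
    shifted = (not sig_ok) and sector[0x1FF] == 0x55
    return {
        "boot_signature_valid": sig_ok,
        "blah_id_present": id_word == BLAH_ID_WORD,
        "signature_shifted": shifted,
    }


def fat_time_seconds(time_word: int) -> int:
    """Seconds encoded in a DOS/FAT time word (bits 0-4 hold seconds / 2)."""
    return (time_word & 0x1F) * 2


def has_62_second_stamp(time_word: int) -> bool:
    """Infected BAT files carry an impossible 62-second time stamp."""
    return fat_time_seconds(time_word) == 62


def bat_looks_infected(text: str) -> bool:
    """Heuristic on the lines the entry quotes: the prepended block echoes
    data into ƒ.com and then runs '@if %0. == . ƒ'."""
    head = text.splitlines()[:12]            # only the prepended block matters
    writes_dropper = any(line.startswith("@echo") and ">" + DROPPER_NAME in line
                         for line in head)
    runs_dropper = any("@if %0. == ." in line for line in head)
    return writes_dropper and runs_dropper


def constructed_clean_mbr() -> bytes:
    """Constructed sample: all zeros plus a valid boot signature."""
    s = bytearray(SECTOR_SIZE)
    s[BOOT_SIG_OFFSET:BOOT_SIG_OFFSET + 2] = b"\x55\xAA"
    return bytes(s)


def constructed_infected_mbr() -> bytes:
    """Constructed sample reproducing only the two markers, no virus code."""
    s = bytearray(SECTOR_SIZE)
    struct.pack_into("<H", s, BLAH_ID_OFFSET, BLAH_ID_WORD)
    s[0x1FF] = 0x55                          # stamp written one byte too late
    return bytes(s)


# Constructed BAT text shaped like the listing in the entry, with the
# binary/text payload replaced by placeholders.
CONSTRUCTED_BAT = (
    "@echo [ binary data ] >ƒ.com\n"
    "@echo [ text data ] >>ƒ.com\n"
    "@if %0. == . ƒ\n@ƒ\n@del ƒ.com\n"
    "@if %0. == . autoexec\n@%0\n"
    "@echo original host commands\n"
)

if __name__ == "__main__":
    print(inspect_mbr(constructed_clean_mbr()))
    print(inspect_mbr(constructed_infected_mbr()))
    print(has_62_second_stamp(0x1F), bat_looks_infected(CONSTRUCTED_BAT))
```

The FAT time-stamp check is the cheapest of the three: a seconds field of 31 (62 seconds) can never be produced by a normal DOS file write, so any BAT file carrying it deserves a look regardless of its header.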
I-Worm.Mydoom.b
Description I-Worm.Mydoom.b
Mydoom.b is a modification of Mydoom.a that spreads via the Internet as files attached to infected messages and via the Kazaa file-sharing network. The worm itself is a Windows PE EXE file of 29184 bytes, compressed using UPX and PE-Patch. The decompressed file is approximately 49KB in size. The worm is activated only if the user opens the archive and launches the infected file by double-clicking on the attachment. The worm then installs itself in the system and starts the replication process. The worm contains a backdoor function and is also programmed to carry out DoS attacks on the sites www.sco.com and www.microsoft.com. Part of the body of the worm is encrypted. The unpacked file contains the following text: (sync-1.01; andy; I'm just doing my job, nothing personal, sorry)
Installation
Following launch, the worm opens Windows Notepad, showing a random selection of symbols. During installation, the worm copies itself under the name explorer.exe to the Windows system directory and registers this file in the system registry auto-run keys:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskMon" = "%System%\explorer.exe"
The worm creates the file ctfmon.dll in the Windows system directory, which is a backdoor component (a proxy server), and also registers this in the system registry:
[HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
"Apartment" = "%SysDir%\ctfmon.dll"
Ctfmon.dll will therefore be loaded as a component linked to Explorer.exe. The worm also creates a file called Body in the temporary directory (usually %windir%\temp). This file contains a random selection of symbols.
So that the worm can identify itself in the system, it creates several additional keys in the system registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version]
While running it also creates a unique identifier, sync-v1.01__ipcmtx0. Mydoom.b replaces the standard 'hosts' file in the Windows directory with its own version (under the same name). This file prevents user access to the following domains:
ad.doubleclick.net
ad.fastclick.net
ads.fastclick.net
ar.atwola.com
atdmt.com
avp.ch
avp.com
avp.ru
awaps.net
banner.fastclick.net
banners.fastclick.net
ca.com
click.atdmt.com
clicks.atdmt.com
dispatch.mcafee.com
download.mcafee.com
download.microsoft.com
downloads.microsoft.com
engine.awaps.net
fastclick.net
f-secure.com
ftp.f-secure.com
ftp.sophos.com
go.microsoft.com
liveupdate.symantec.com
mast.mcafee.com
mcafee.com
media.fastclick.net
msdn.microsoft.com
my-etrust.com
nai.com
networkassociates.com
office.microsoft.com
phx.corporate-ir.net
secure.nai.com
securityresponse.symantec.com
service1.symantec.com
sophos.com
spd.atdmt.com
support.microsoft.com
symantec.com
update.symantec.com
updates.symantec.com
us.mcafee.com
vil.nai.com
viruslist.ru
windowsupdate.microsoft.com
www.avp.ch
www.avp.com
www.avp.ru
www.awaps.net
www.ca.com
www.fastclick.net
www.f-secure.com
www.kaspersky.ru
www.mcafee.com
www.my-etrust.com
www.nai.com
www.networkassociates.com
www.sophos.com
www.symantec.com
www.trendmicro.com
www.viruslist.ru
www3.ca.com
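A replaced hosts file that sinkholes vendor update and download domains is easy to audit for, and the check is useful well beyond this one worm. The following is an added example, not code from the original entry: it parses a hosts file and reports any entry that maps one of the domains in the list above to a loopback or unspecified address. The monitored set is a subset of the entry's list, and the hosts file text is constructed for the example.

```python
"""Added example: audit a Windows hosts file for sinkholed security-vendor
and update domains, as Mydoom.b's replacement hosts file does.
The monitored set is a subset of the domains listed in the entry; the
sample hosts text is constructed."""
import ipaddress

MONITORED_DOMAINS = {
    "avp.com", "www.avp.com", "www.kaspersky.ru", "viruslist.ru",
    "f-secure.com", "ftp.f-secure.com", "mcafee.com", "download.mcafee.com",
    "symantec.com", "liveupdate.symantec.com", "update.symantec.com",
    "sophos.com", "www.trendmicro.com", "nai.com", "ca.com",
    "windowsupdate.microsoft.com", "download.microsoft.com",
}


def is_sinkhole(addr: str) -> bool:
    """True for 127.0.0.0/8, ::1 or 0.0.0.0, the usual ways to null a name."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def parse_hosts(text: str):
    """Yield (address, hostname) pairs; comments and blank lines are skipped.
    One line may list several hostnames for the same address."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for host in fields[1:]:
            yield fields[0], host.lower()


def audit_hosts(text: str) -> list:
    """Return (hostname, address) for monitored domains sent to a sinkhole."""
    return [(host, addr) for addr, host in parse_hosts(text)
            if host in MONITORED_DOMAINS and is_sinkhole(addr)]


# Constructed sample: two legitimate entries plus three sinkholed vendor names.
CONSTRUCTED_HOSTS = """# constructed sample, not a real hosts file
127.0.0.1 localhost
0.0.0.0 avp.com www.kaspersky.ru   # trailing comment
127.0.0.1 liveupdate.symantec.com
10.1.2.3 intranet.example
"""

if __name__ == "__main__":
    for host, addr in audit_hosts(CONSTRUCTED_HOSTS):
        print(f"sinkholed: {host} -> {addr}")
```

On a live Windows system the file to feed in is %SystemRoot%\System32\drivers\etc\hosts; a clean file normally contains nothing but localhost entries, so any monitored domain appearing at all is worth a closer look even before checking the address.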
Mailing letters
Emails are sent in the same way as by Mydoom.a, except for the following changes. The body text is chosen at random from the following:
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment
sendmail daemon reported: Error #804 occured during SMTP session. Partial message has been received
The message contains Unicode characters and has been sent asa binary attachment.
The message contains MIME-encoded graphics and has been sent as a binary attachment
Mail transaction failed. Partial message is available.
Mydoom.b might also send emails with random strings of characters in the subject, body and attachment name.
Propagation via P2P
The worm checks for the presence of a Kazaa client on the computer and copies itself to the file-sharing directory under the following names:
NessusScan_pro
attackXP-1.26
winamp5
MS04-01_hotfix
zapSetup_40_148
BlackIce_Firewall_Enterpriseactivation_crack
xsharez_scanner
icq2004-final
with the following extensions: bat exe scr pif
I-Worm.Mydoom.e
Description I-Worm.Mydoom.e
This worm has also been called Mydoom.F and is a modification of Mydoom.a. It spreads via the Internet as a file attached to infected messages. The worm is a PE EXE file of 33KB or slightly larger, packed using UPX; the unpacked file is approximately 55KB in size. The worm is also able to send itself as a ZIP archive. The worm is only activated if the user opens the archive and launches the infected file by double-clicking on the attachment. The worm then installs itself on the system and starts propagation. The worm includes a backdoor function and is programmed to carry out DoS attacks on www.microsoft.com and www.riaa.com. Everything points to this worm not being an original creation but a separate version built around the original source code of Mydoom.a. Part of the original code is present in this version, even though it serves no useful function.
Installation
Once launched, the worm may display a fake error message on the screen: 'File is corrupted,' 'File cannot be opened,' or 'Unable to open specified file'. The worm may also create a file in the temporary system directory. This file contains a random selection of characters, and the worm may open it using Notepad. It also creates a mutex 'jmydoat name of infected computer Xmtx' to flag its presence in the system. When installing, the worm copies itself under a random name to the Windows system directory and registers this file in the system registry auto-run keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
random characters = "%System%\name of worm file"
The worm then searches all accessible disks from C: to Z: and copies itself under random names to everything it finds whose name includes the words shar, startup or start. The worm creates a file with a random name and .dll extension in the Windows system directory. This file is 9724 bytes in size and is the backdoor component, which opens a backdoor on port 1080 and acts as a proxy server. The worm creates several copies of itself as ZIP archives in the Windows root directory; these files are then used for mass mailing. To flag its presence in the system, the worm also creates several additional keys in the system registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell
HKCU\Software\Microsoft\Windows\CurrentVersion\Shell
Sending of email
In order to send copies of itself, the worm searches all accessible disks from C: to Z: for files with the following extensions: wab mbx nch mmf ods rtf uin oft mht vbs msg pl eml adb tbb dbx asp php sht htm txt
It then sends itself to all email addresses found in these files. Infected emails have the following characteristics:
Sender's address: any address found on the infected machine, or chosen from the following list: jerry bill smith jim sam james alex
A random selection of characters may also be used. In this case, after the @ symbol in the sender's address, one of the following domains will be used: aol.com msn.com yahoo.com hotmail.com edu
Message header: (chosen at random) hello hi Announcement read now! forget bug unknown fake Wanted recent news news stolen Attention Accident Schedule Re: Thank you Thank you Re: Details Details Re: Approved Approved hi, it's me Important Readme Read this message please read please reply Thank You very very much You use illegal File Sharingall Your IP was logged Your account is about to be expired Love is Love is...
Undeliverable message Re: Your order was registered Your request was registered Your order is being processed Your request is being processed Current Status Your credit card Read it immediately! Read this Read it immediately Something for you For you For your information Information Warning You have 1 day left automatic notification automatic responder Notification Expired account Your account has expired Registration confirmation Confirmation Confirmation Required Returned Mail
Message body: (chosen at random) Greetings See you Here it is You are bad Take it Reply Please, reply Okay OK Everything ok? Check the attached document. The document was sent in compressed format. Please see the attached file for details See the attached file for details Details are in the attached document. You need Microsoft Office to open it. Information about you We have received this document from your e-mail. Kill the writer of this document! Something about you I have your password :) You are a bad writer Is that yours? Is that from you? I wait for your reply. Here is the document. Read the details. I'm waiting
Attachment name: (chosen at random) body message test data file text readme document doc msg photo resume image object website friend jokes joke approved paypal disc misc part3 part2 part4 part1 mail2 list mail story about money check product notes your_document note information textfile posting post stuff attachment creditcard
or a selection of random characters. The attached file has one of the following extensions: exe scr com pif bat cmd zip and a second extension from the following list: doc htm rtf xls jpg gif png txt exe pif scr
DoS attacks
If the system date is between the 17th and the 22nd of the month, there is a 60% chance that the worm will carry out a DoS attack on www.microsoft.com and a 30% chance that it will carry out a DoS attack on www.riaa.com.
Mydoom.e performs DoS attacks in exactly the same way as the other versions of Mydoom, by sending multiple GET requests to port 80 of the site under attack.
Deletion of files
The worm searches all accessible disks from C: to Z: for files with the extensions .mdb, .doc, .xls, .sav, .jpg, .avi and .bmp and uses a random number generator to decide which of these files to delete.
Other
The worm searches memory for processes whose names contain the following text: reged taskmo taskmg avp. avp32 norton navapw navw3 intrena mcafe and attempts to stop them.
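The attachment naming scheme above (a fixed stem, a document-like decoy extension, then an executable or ZIP extension) and the process-name watchlist are both directly usable for detection. The following is an added example, not code from the original entry: it classifies attachment filenames against the extension sets and a subset of the stems the entry lists, and filters a process listing for the names the worm tries to stop. All sample filenames and process names are constructed.

```python
"""Added example: mail-gateway style attachment triage and a process-name
watchlist, built from the lists in the Mydoom.e entry.
NAME_STEMS is a subset of the entry's attachment stems; samples are constructed."""

# Final extensions the entry lists for the attachment, split by type.
EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "bat", "cmd"}
ARCHIVE_EXT = {"zip"}
# "Second" extension placed before the real one to make the file look harmless.
DECOY_EXT = {"doc", "htm", "rtf", "xls", "jpg", "gif", "png", "txt",
             "exe", "pif", "scr"}
# Subset of the fixed attachment stems listed in the entry.
NAME_STEMS = {"body", "message", "test", "data", "file", "text", "readme",
              "document", "doc", "msg", "photo", "resume", "image", "paypal",
              "creditcard", "attachment", "information", "your_document"}
# Substrings of process names the worm searches memory for (from the entry).
KILL_SUBSTRINGS = ("reged", "taskmo", "taskmg", "avp.", "avp32", "norton",
                   "navapw", "navw3", "intrena", "mcafe")


def classify_attachment(filename: str) -> dict:
    """Split a filename into stem and extensions and report which of the
    entry's naming traits it shows."""
    parts = filename.lower().split(".")
    stem, exts = parts[0], parts[1:]
    last = exts[-1] if exts else ""
    decoy = exts[-2] if len(exts) >= 2 else ""
    return {
        "executable": last in EXECUTABLE_EXT,
        "archive": last in ARCHIVE_EXT,
        "double_extension": decoy in DECOY_EXT,
        "known_stem": stem in NAME_STEMS,
    }


def attachment_risk(filename: str) -> str:
    """Coarse verdict: 'block' for an executable hiding behind a decoy
    extension, 'review' for other executables or archives that show one of
    the listed traits, otherwise 'allow'."""
    t = classify_attachment(filename)
    if t["executable"] and t["double_extension"]:
        return "block"
    if (t["executable"] or t["archive"]) and (t["double_extension"] or t["known_stem"]):
        return "review"
    return "allow"


def targeted_processes(process_names) -> list:
    """Entries of a process listing whose names the worm would try to stop.
    Useful as a sanity check that protective processes are still running."""
    return [p for p in process_names
            if any(s in p.lower() for s in KILL_SUBSTRINGS)]


if __name__ == "__main__":
    # Constructed samples.
    for name in ("document.doc.exe", "readme.txt.zip", "paypal.exe", "report.pdf"):
        print(name, attachment_risk(name))
    print(targeted_processes(["explorer.exe", "Navapw32.exe", "regedit.exe", "notepad.exe"]))
```

The "block" rule is deliberately narrow: a document-style decoy followed by an executable extension has no legitimate use in mail, whereas a bare executable or a ZIP only earns a "review" verdict, since those still occur in normal traffic.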