Weak.1253
Description Weak.1253
Weak.1253 is a dangerous memory-resident parasitic stealth virus. It is compressed with the PKLITE utility; after installation it reads its compressed body, keeps it in memory and uses it during infection. The virus writes itself to the beginning of a file when the file is created (when a file is copied): it hooks the DOS Create function, creates the file, writes the virus body into it and then returns to DOS. DOS then appends the file's contents after the virus body. Because of this, the virus does not need to check INT 24h or the file's date, time and attributes. When a file is accessed, the virus uses a stealth algorithm: it hooks the DOS Lseek function (AH=42h) and corrects the read/write pointer so that the file looks clean. The virus also hooks the ASCII FindFirst and FindNext DOS functions and corrects the returned length of an infected file. However, it does not check the FCB Find functions, which can break some utilities. To install itself in system memory the virus uses the legal method, INT 27h. It also corrects the Environment area, setting the owner name to COMMAND.COM; in this way the virus hides itself in memory. It also hooks INT 21h, 22h, 23h and 24h. The virus contains the text: "Et tu vulneratus es sicut et nos, nostri similis effectus esall".
Backdoor.CyberSpy
Description Backdoor.CyberSpy
Backdoor.CyberSpy is a malicious program that presents itself as a telnet server. It informs its creator about the presence of networks via either e-mail or ICQ, and contains a component that allows its settings to be adjusted. When executed, the virus copies itself into the Windows system directory and registers itself in the system registry so that it starts each time an infected system is rebooted. Once this is done, it sends a notice via e-mail or ICQ (according to the settings made by its author) and then begins to listen clandestinely on a given TCP/IP port. Having received the message sent back by the virus (information about specific networks, sent via ICQ or e-mail), the hacker controlling Backdoor.CyberSpy uses any telnet client to gain access to the victim computer's command line (prompt).
Backdoor.Death.18
Description Backdoor.Death.18
Backdoor Death is a Trojan horse family. These Trojan programs allow remote, anonymous access to victim computers and permit hackers to steal user passwords. Backdoor Death has three components: a server, a client and a utility used to set up server components.

Set-up Utility
This utility lets the hacker(s) controlling the backdoor Trojan configure the server according to their requirements. For example, they can change the server file name, register it in the system, make server icons, send e-mail with stolen passwords, alter firewall settings (if victim computers have a firewall installed), and more.

Server Component
Upon server boot the backdoor code is copied to the system directory according to the settings determined by the set-up utility. The server registers itself either in the system registry or in the system.ini or win.ini files. In this way the server ensures that its code is run when the operating system boots or reboots. The server component is able to determine whether any other viruses are currently infecting a victim computer. If one is detected, Backdoor.Death shuts it down so that it does not get in the way of updating server components. In addition, the server program is able to detect any firewall installed on victim machines and to remove firewall processes from memory so that Backdoor.Death's controllers can transfer information over a network undetected. The server component also monitors keyboard activity and records all keys pressed in a log file, which can then be analyzed by the virus's controller. The server component can also steal user login and password information and send it back to Backdoor.Death's controller(s) via e-mail, according to the settings chosen in the server set-up utility. When connecting to the Internet, the server component sends a message to the site http://Idteam.org, where the hackers controlling Backdoor.Death can register and see which computers are currently accessible.

Client Component
The client component allows hackers controlling Backdoor.Death code to connect to the server component and perform an array of actions such as:
- viewing password information cached in the system
- viewing the list of open windows
- manipulating system files (copy, alter, delete and catalog)
- taking screen shots of the desktop
- manipulating the registry
- sending messages to victims or summoning victims for "chatting"
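The Server Component description above says the backdoor may register itself in system.ini or win.ini so that it runs at boot. The following is an added example, not part of the original description, of a defender-side audit of those two files. It covers only the INI-based method, not the registry; the key names (load=, run=, shell=) and the sample contents are assumptions, since the description names only the files.

```python
import configparser

# Autostart keys in legacy Windows INI files, mapped to the value expected on
# a clean system. The page names only the files; these keys are assumptions.
AUTOSTART_KEYS = {
    ("win.ini", "windows", "load"): "",
    ("win.ini", "windows", "run"): "",
    ("system.ini", "boot", "shell"): "explorer.exe",
}

def audit_ini(filename, text):
    """Return (file, section, key, value) for each unexpected autostart value."""
    parser = configparser.ConfigParser(
        strict=False,         # system.ini repeats keys such as device=
        interpolation=None,   # values may contain literal % characters
        allow_no_value=True,  # tolerate lines without '='
        delimiters=("=",),    # ':' appears inside drive paths
    )
    parser.read_string(text)
    findings = []
    for (fname, section, key), expected in AUTOSTART_KEYS.items():
        if fname != filename.lower():
            continue
        for sec in parser.sections():  # section names vary in case
            if sec.lower() != section:
                continue
            value = (parser.get(sec, key, fallback="") or "").strip()
            if value.lower() != expected:
                findings.append((fname, section, key, value))
    return findings

# Constructed sample files; the program name is a placeholder.
SAMPLE_WIN_INI = """\
[windows]
load=
run=C:\\WINDOWS\\SYSTEM\\example-server.exe
NullPort=None
"""
SAMPLE_SYSTEM_INI = """\
[boot]
shell=Explorer.exe

[386Enh]
device=*vmm
device=*vcache
"""

if __name__ == "__main__":
    for name, text in (("win.ini", SAMPLE_WIN_INI), ("system.ini", SAMPLE_SYSTEM_INI)):
        for finding in audit_ini(name, text):
            print("review:", finding)
```

A finding is a prompt for review rather than proof of infection, because legitimate software also used these keys.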