Virus Database


WildLicker.3372

Description WildLicker.3372

This is a harmless memory-resident parasitic polymorphic virus. It hooks INT 21h and writes itself to the end of COM files as they are executed. The virus contains the following text strings:
3all 2... 1... WILD LICKER !!! a PKWARE+NUKE+TRIDENT virus for your fucked
pentium (bug inside)
thanks to [NuKE] N.R.L.G. AZRAEL
thanks to PKWARE
PKLITE Copr. 1992 PKWARE Inc. All Rights ReservedNot enough memory
and thanks to [ MK / TridenT ]
[TPE 1.4]

The virus appears to be a combination of two existing engines plus a new idea for hiding inside PKLITE-like code. The engines are the NRLG virus constructor and the TPE polymorphic generator: the installation routine is the one NRLG-generated viruses use, and the virus body in the infected file is encrypted by a TPE polymorphic decryption loop.
Masking the virus as PKLITE-compressed code is its main feature. The jump to the virus entry point is not present in clear in the infected file; it is produced by a genuine copy of the PKLITE 1.15 decompression code, the stub that PKLITE places at the beginning of COM files when it compresses them. As a result, the virus body is encrypted by the TPE polymorphic engine, and the jump to its entry point is hidden in PKLITE code and data.
Infection
When infecting a file, the virus allocates a memory block for use during infection, hooks INT 24h to suppress the standard DOS error message when a write-protected disk is accessed, and reads and saves the file's attributes and date/time stamp.
To tell infected files from uninfected ones the virus uses the file's time and date stamp. It ORs the seconds field with 0Ah, i.e. sets bit 3 and bit 1 of the stamp. Before infecting, the virus checks these bits and does not infect the file if both are already set. Moreover, the virus writes this stamp even when it fails to infect the file. As a result, every file this virus has accessed gets a new value in its seconds field, and the virus never again tries to infect a file it has accessed before.
The virus then checks the file header for the EXE signature MZ (it infects only COM files) and checks the file length. If the file is shorter than 512 bytes or longer than 50K, the virus aborts the infection routine.
If all conditions are met, the virus moves the first 512 (200h) bytes of the file to the end of the file, then overwrites the file header with 1CFh bytes of PKLITE entry code. It then runs the TPE polymorphic engine, encrypts itself and writes the result to the end of the file:
               Original file               Infected file
0000      +-----------+ ----+       +------------+
          |File header|     |       |PKLITE entry|
          |           |     |       |code        |
          |           |     |       |------------|
          |           |     |       |            |
0200      |-----------|     |       |------------|
          |           |     |       |            |
          .           .     |       .            .
          |           |     |       |            |
FEnd      +-----------+     +-----> +------------|
                                    |Original    |
                                    |file header |
                                    |            |
                                    |            |
FEnd+0200                           |------------|
                                    |TPE polymorp|
                                    |loop        |
                                    |------------|
                                    |Encrypted   |
                                    |virus code  |
                                    |            |
                                    +------------+
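As an added example (not code from the original description), the following Python applies the virus's own "already visited" stamp test and the infection preconditions described above to directory entries, so a responder can see which files the virus would have skipped or touched. The directory entries are constructed; the DOS time word layout (bits 0-4 hold seconds/2) is standard.

```python
# Added example: WildLicker.3372 stamp test and infection preconditions,
# applied to constructed directory entries (not the virus's own code).

STAMP_MASK = 0x0A       # the virus ORs the seconds field with 0Ah (bits 3 and 1)
SECONDS_MASK = 0x1F     # DOS time word: bits 0-4 hold seconds/2

def dos_time(hour, minute, second):
    """Pack a clock time into a 16-bit DOS time word (2-second resolution)."""
    return (hour << 11) | (minute << 5) | (second // 2)

def seconds_field(dos_time_word):
    return dos_time_word & SECONDS_MASK

def has_wildlicker_stamp(dos_time_word):
    """True when bits 3 and 1 of the seconds field are both set."""
    return (seconds_field(dos_time_word) & STAMP_MASK) == STAMP_MASK

def classify(name, size, header, dos_time_word):
    """Mirror the order of checks the description gives for the infection routine."""
    if has_wildlicker_stamp(dos_time_word):
        return "stamped"      # already accessed by the virus (or coincidentally immune)
    if header[:2] == b"MZ":
        return "skipped-exe"  # EXE signature: only COM files are infected
    if size < 512 or size > 50 * 1024:
        return "skipped-size"
    return "candidate"

SAMPLE_DIR = [  # constructed entries: (name, size, first bytes, DOS time word)
    ("GAME.COM", 4096, b"\xE9\x10\x00", dos_time(12, 30, 4)),   # seconds/2 = 2
    ("TOOL.COM", 4096, b"\xE9\x10\x00", dos_time(12, 30, 20)),  # seconds/2 = 10 = 0Ah
    ("TINY.COM", 300, b"\xEB\x10", dos_time(9, 0, 0)),
    ("HUGE.COM", 60000, b"\xE9\x00\x00", dos_time(9, 0, 0)),
    ("WIN.COM", 4096, b"MZ\x90\x00", dos_time(9, 0, 0)),
]

def triage(entries):
    return {name: classify(name, size, hdr, t) for name, size, hdr, t in entries}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_DIR).items():
        print(f"{name:10} {verdict}")
```

Note that TOOL.COM is reported as stamped although nothing wrote it: any clean file whose seconds field happens to have both bits set (seconds 20-23, 28-31 or 52-55) is skipped by the virus in the same way, so the stamp alone is not proof of prior access.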

Execution
When an infected file is executed, control is passed to the PKLITE entry code. That code is the unmodified PKLITE version 1.15 entry code that PKLITE saves at the beginning of compressed COM files. When it runs, it decompresses a JMP_Virus routine, copies it to the beginning of the program and passes control to it, exactly as the original PKLITE stub does.
In detail, the 1CFh bytes that the virus stores at the beginning of the file decompress into 200h bytes of data that is filled with zero bytes and contains the instruction JMP NEAR Virus_Entry (E9h XXXXh) at the top:
               Before decompression        After decompression
0000      +------------+              +------------+
          |PKLITE entry|              |JMP Near    | ---+
          |code        |              |            |    |
          |------------|              |            |    |
          |            |              |            |    |
0200      |------------|              |------------|    |
          |            |              |            |    |
          .            .              .            .    |
          |            |              |            |    |
FEnd      +------------|              +------------|    |
          |Original    |              |Original    |    |
          |file header |              |file header |    |
          |            |              |            |    |
          |            |              |            |    |
FEnd+0200 |------------|              |------------| <--+
          |TPE polymorp|              |TPE polymorp|
          |loop        |              |loop        |
          |------------|              |------------|
          |Encrypted   |              |Encrypted   |
          |virus code  |              |virus code  |
          |            |              |            |
          +------------+              +------------+

If someone tries to decompress an infected file, the decompression produces just a 200h-byte file with a JMP-out-of-file instruction at its beginning. From PKLITE's point of view the file contains only 200h bytes, and all other data is treated as some kind of internal overlay. As a result, decompression corrupts the file and erases the virus code.
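The following added example (not from the original description, and not PKLITE's decompressor) models the 200h-byte block the stub decompresses to and decodes its leading JMP NEAR, showing that the target lies beyond the block. FEND is a constructed original-file length; the COM load offset of 100h is the standard DOS value.

```python
# Added example: decode the JMP NEAR at the top of the decompressed 200h block.
# build_decompressed_block() is a constructed model of the stub's output.

COM_LOAD_BASE = 0x100   # COM programs are loaded at CS:0100h
BLOCK_SIZE = 0x200      # the stub decompresses to exactly 200h bytes

def build_decompressed_block(fend):
    """Zero-filled 200h bytes with JMP NEAR Virus_Entry (E9h XXXXh) at the top,
    aimed at the TPE loop that sits at file offset FEnd+200h."""
    target_addr = COM_LOAD_BASE + fend + 0x200
    rel16 = (target_addr - (COM_LOAD_BASE + 3)) & 0xFFFF   # relative to next instr.
    block = bytearray(BLOCK_SIZE)
    block[0] = 0xE9
    block[1:3] = rel16.to_bytes(2, "little")
    return bytes(block)

def decode_near_jmp(code, ip=COM_LOAD_BASE):
    """Return the file offset a JMP NEAR at code[0:3] lands on, or None if absent."""
    if len(code) < 3 or code[0] != 0xE9:
        return None
    rel16 = int.from_bytes(code[1:3], "little", signed=True)
    return ((ip + 3 + rel16) & 0xFFFF) - COM_LOAD_BASE

def jump_leaves_file(code):
    """True when the entry JMP targets an offset beyond the bytes that exist."""
    offset = decode_near_jmp(code)
    return offset is not None and offset >= len(code)

FEND = 0x1000   # constructed length of the original (pre-infection) COM file

if __name__ == "__main__":
    block = build_decompressed_block(FEND)
    print("JMP target offset:", hex(decode_near_jmp(block)),
          "out of file:", jump_leaves_file(block))
```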


I-Worm.Guorm.a

Description I-Worm.Guorm.a

This is an Internet worm that spreads as an attachment to e-mail messages. To send infected messages, the worm uses a VBS script and MS Outlook. The worm is also able to send copies of itself over IRC channels by infecting an mIRC client.
There are several versions of the worm. The first is a pure VBS script; the second is a Windows executable that drops a VBS script to infect e-mail messages; the third is an MS Word document with a macro program inside. All versions have similar functionality and infect the system in very similar ways.
When the worm file is activated (by double-clicking the attachment in an infected message, or by accepting an IRC download), it copies itself into the Windows System directory under different names depending on the version:
USER.DLL, WINUSER.EXE
WINUSER.DLL, USER32.DLL.VBS
The worm does not register these files in the system, so they are not executed automatically afterwards.
The Windows directory name is hardcoded in the body of the first worm version (C:\WINDOWS\SYSTEM), so that version cannot spread when Windows is installed in another folder.
While mailing its copies, the worm drops a GUORM.VBS script file (or GUORMEX.VBS, depending on the version) into the Windows TEMP directory and runs it. The script connects to MS Outlook, gains access to the address book and sends worm copies to all addresses listed there. The worm messages contain:
Subject: You know what it is!. ;-P
Body: Hey, here you have!.
The attachment name differs depending on the worm version. The first worm version (sent as a Windows EXE file) uses only one attachment name in infected messages: WINUSER.EXE
Other versions use a combination of randomly-selected names and extensions from the following variants:
Extensions: .VBS, .VBE, .TXT.VBS, .JPG.VBS, .AVI.VBS, .SCR.VBS
Names: links, cool, funny, anti-loveletter, guorm, pot, win2k, icq2k, money, funnypic.jpg, quake, Year2K+1, Mirc2K, Word2001, FunStuff, WindowsMe
To spread over IRC channels, the worm creates a SCRIPT.INI mIRC system file in the mIRC directory (if mIRC is installed). This file contains a set of instructions that send the worm file to everybody who enters an infected channel.
The worm contains the following "copyright" texts:
BrainMuscle + OldWary + KALAMAR
Guorm
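As an added example (not code from the original description or from the worm), the following Python builds a mail-gateway style check from the subject, body and attachment names listed above (16 names x 6 extensions plus WINUSER.EXE), and adds a double-extension check for names of the .JPG.VBS kind, which Explorer shows with the final extension hidden. The sample messages are constructed.

```python
# Added example: classify messages against the I-Worm.Guorm.a names listed
# in the description; sample messages are constructed.
import itertools

GUORM_SUBJECT = "You know what it is!. ;-P"
GUORM_BODY = "Hey, here you have!."
FIRST_VERSION_ATTACHMENT = "WINUSER.EXE"
GUORM_NAMES = ["links", "cool", "funny", "anti-loveletter", "guorm", "pot", "win2k",
               "icq2k", "money", "funnypic.jpg", "quake", "Year2K+1", "Mirc2K",
               "Word2001", "FunStuff", "WindowsMe"]
GUORM_EXTENSIONS = [".VBS", ".VBE", ".TXT.VBS", ".JPG.VBS", ".AVI.VBS", ".SCR.VBS"]

# Every attachment name the later versions can generate, case folded.
GUORM_ATTACHMENTS = {FIRST_VERSION_ATTACHMENT.upper()} | {
    (n + e).upper() for n, e in itertools.product(GUORM_NAMES, GUORM_EXTENSIONS)}
SCRIPT_EXTENSIONS = {"VBS", "VBE"}

def real_extension(filename):
    """The extension Windows actually acts on, i.e. the last one."""
    return filename.rsplit(".", 1)[-1].upper() if "." in filename else ""

def displayed_name(filename):
    """What Explorer shows when extensions of known file types are hidden."""
    return filename.rsplit(".", 1)[0] if "." in filename else filename

def is_disguised_script(filename):
    """A script whose displayed name still ends in an innocent-looking extension."""
    if real_extension(filename) not in SCRIPT_EXTENSIONS:
        return False
    shown = displayed_name(filename)
    return "." in shown and real_extension(shown) not in SCRIPT_EXTENSIONS

def classify_message(subject, body, attachments):
    """Return a list of findings for one message (empty when nothing matches)."""
    findings = []
    known = [a for a in attachments if a.upper() in GUORM_ATTACHMENTS]
    if known and subject == GUORM_SUBJECT and body.strip() == GUORM_BODY:
        findings.append("I-Worm.Guorm.a message: " + ", ".join(known))
    for a in attachments:
        if is_disguised_script(a):
            findings.append(f"double extension: {a} is shown as {displayed_name(a)}")
    return findings

SAMPLE_MESSAGES = [  # constructed: (subject, body, attachment names)
    (GUORM_SUBJECT, GUORM_BODY, ["funnypic.jpg.JPG.VBS"]),
    ("Quarterly report", "See attached.", ["report.xls"]),
    ("pics", "look", ["holiday.avi.vbs"]),
]
```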

I-Worm.Hadra

Description I-Worm.Hadra

This is an Internet worm that spreads via e-mail, attached as an EXE file. The worm itself is a Win32 executable about 12Kb in length, written in Visual Basic. The worm code is compressed with the UPX Win32 EXE compression utility; when unpacked, it is about 26Kb in size.
When the worm starts (when a user clicks the attached EXE file), it copies itself to the Windows directory under the name MSSERV.EXE and registers that file in the Windows registry auto-run keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
All these "Run=" keys then contain a string value that runs the worm copy at each Windows start-up:
msservice = %WinDir%\msserv.exe
where %WinDir% is the main Windows directory.
Spreading
The worm then stays in memory as a hidden application (service), connects to MS Outlook and registers itself as a handler for the MS Outlook "NewMail" and "ItemSend" events (i.e., the worm attaches itself to MS Outlook events).
On "NewMail" (a new message has arrived), the worm checks whether the message is one of its own, sent from another infected machine, and if so deletes it: it opens the message, looks for an EXE attachment and deletes the message if that attachment has the same length as the worm's EXE file.
On "ItemSend" (a message is being sent), the worm looks for already attached files, takes the first one, replaces it with a copy of itself, renames the attachment to .EXE and lets the message go out. If the message has no attachment, the worm attaches itself under a random eight-character name with the .EXE extension.
On Friday the 13th, between 13:00 and 14:00, the worm also adds a text to the beginning of the message body:
[I-Worm.Hydra] allby gl_st0rm of [mions]
Protection
The worm performs several actions to hide itself and to prevent removal of its file and of the infected registry "Run=" keys. It deletes the MSCONFIG.EXE file in the Windows system directory, and looks for the following active applications and kills them (terminates their processes):
"AVP Monitor"
"AntiVir"
"Vshwin"
"F-STOPW"
"F-Secure"
"vettray"
"InoculateIT"
"Norman Virus Control"
"navpw32"
"Norton AntiVirus"
"Iomon98"
"AVG"
"NOD32"
"Dr.Web"
"Amon"
"Trend PC-cillin"
"File Monitor"
"Registry Monitor"
"Registry Editor"
"Task Manager"
As a result, the worm disables several kinds of anti-virus protection and immediately closes Registry editors as soon as they start.
The worm also kills the Kaspersky Anti-Virus (formerly AVP) anti-virus databases.
Member of SETI Distributed Network
The worm installs and activates the SETI (Search for Extraterrestrial Intelligence) software on an infected computer (see more information about SETI at http://setiathome.berkeley.edu).
The worm downloads the SETI software into the Windows directory under the name MSSETI.EXE from the following FTP sites:
ftp://ftp.cdrom.com/pub/setiathome/setiathome-3.03.i386-winnt-cmdline.exe
ftp://ftp.let.uu.nl/pub/software/winnt/setiathome-3.03.i386-winnt-cmdline.exe
ftp://ftp.cdrom.com/.2/setiathome/setiathome-3.03.i386-winnt-cmdline.exe
ftp://alien.ssl.berkeley.edu/pub/setiathome-3.03.i386-winnt-cmdline.exe
ftp://setidata.ssl.berkeley.edu/pub/setiathome-3.03.i386-winnt-cmdline.exe
The worm also creates the following files in the Windows directory:
USER_INFO.SAH and VERSION.SAH, with SETI-specific information
MSSETI.PIF, RUN_MSSETI.VBS and MSSETI.BAT, to run the SETI program
and registers the RUN_MSSETI.VBS file in the Registry auto-run keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
msseti = WScript.exe "%WinDir%\run_msseti.vbs"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
msseti = WScript.exe "%WinDir%\run_msseti.vbs"
The USER_INFO.SAH file contains SETI user-specific information; the worm writes the following IDs there:
id=2199938
key=1603033966
email_addr=gl_storm@seznam.cz
name=GL_STORM
country=Czech Republic

    Copyright © 2005 Virus-Database.com