Virus Database


Win32.Elkern.c

Description Win32.Elkern.c

Elkern is an encrypted, memory-resident, parasitic Win32 virus that carries no destructive payload.
It searches recursively for Win32 PE EXE applications with .SCR and .EXE extensions, starting from the current directory, on fixed and network drives and on all available network resources, and infects them.
The virus does not infect files whose full path contains "tem32\dllcac" (part of "System32\dllcache") or "rary Inter" (part of "Temporary Internet Files").
While infecting, the virus writes itself into the file in separate blocks, in the same manner as the Win95.CIH infection routine.
The virus has a bug that may cause double infections; despite this, infected files run without any problem.
The virus stays in memory and infects all running processes that do not have "explorer" in their name. It copies part of its body into the process and hooks the DispatchMessageA and DispatchMessageW functions; when either of these functions is called, the virus activates its copy inside the current process.
The Elkern virus does not reveal itself overtly in any way.
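Because Elkern, like Win95.CIH, spreads its body over the unused tail of each section (the bytes between a section's VirtualSize and its file-aligned SizeOfRawData), one cheap way to hunt for this class of infector is to parse the section table and check whether that slack is still zero-filled, as a linker leaves it. The following Python is an added example, not code from this page or from any antivirus product; the field offsets follow the PE/COFF format, and the sample image it builds is constructed test data, not a real executable and not a virus sample.

```python
"""Flag PE sections whose on-disk slack space holds non-zero bytes.

Added example for the Elkern/CIH-style infection described above; not code
from the virus database page. Field offsets follow the PE/COFF format. The
image produced by build_sample() is constructed test data, not a real
executable and not a virus sample.
"""
import struct

SECTION_HEADER_SIZE = 40  # sizeof(IMAGE_SECTION_HEADER)


def section_headers(data):
    """Yield (name, virtual_size, virtual_address, raw_size, raw_offset) per section."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]        # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4                                        # IMAGE_FILE_HEADER
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]  # SizeOfOptionalHeader
    table = coff + 20 + opt_size                             # first IMAGE_SECTION_HEADER
    for i in range(n_sections):
        off = table + i * SECTION_HEADER_SIZE
        name, vsize, vaddr, rsize, roff = struct.unpack_from("<8sIIII", data, off)
        yield name.rstrip(b"\0").decode("ascii", "replace"), vsize, vaddr, rsize, roff


def slack_findings(data):
    """Sections whose file padding after VirtualSize is not all zeros.

    A CIH-style infector splits its body across exactly these regions, so a
    linker-produced file should report nothing here. Returns a list of
    (section_name, slack_file_offset, slack_length, nonzero_byte_count).
    """
    findings = []
    for name, vsize, _vaddr, rsize, roff in section_headers(data):
        if rsize <= vsize:
            continue                     # section data fills its raw block: no slack
        start, end = roff + vsize, roff + rsize
        nonzero = sum(1 for b in data[start:end] if b)
        if nonzero:
            findings.append((name, start, end - start, nonzero))
    return findings


def build_sample(sections, file_align=0x200):
    """Construct a minimal PE32 image in memory (test data only, not runnable).

    sections: list of (name_bytes, content_bytes, slack_bytes); each section's
    VirtualSize is len(content) and SizeOfRawData is len(content) + len(slack).
    """
    n = len(sections)
    opt_size = 0xE0                      # PE32 optional header; contents unused here
    headers_len = 0x40 + 4 + 20 + opt_size + n * SECTION_HEADER_SIZE
    data_start = (headers_len + file_align - 1) // file_align * file_align
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    table, body, roff, vaddr = b"", b"", data_start, 0x1000
    for name, content, slack in sections:
        block = content + slack
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(content), vaddr,
                             len(block), roff, 0, 0, 0, 0, 0x60000020)
        body += block
        roff += len(block)
        vaddr += 0x1000
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return image + b"\0" * (data_start - len(image)) + body
```

Run `slack_findings(open(path, "rb").read())` over a real file to get the sections, file offsets and byte counts of any non-zero slack. Packed or self-modifying binaries and some linkers do write into that region, so treat a hit as a reason to look at the bytes, not as a verdict on its own.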


I-Worm.Sobig.c

Description I-Worm.Sobig.c

Sobig.c is a worm virus spreading via the Internet as an infected e-mail file attachment. The worm also spreads via network resources.
The worm itself is a Windows PE EXE file, written in Microsoft Visual C++, and compressed by the UPX compression utility. The file's size is about 60K or higher when compressed with UPX, while the decompressed size is about 120K.
The worm is activated from infected email only if a user clicks on the attached file.
When run the worm installs itself to the system and runs a spreading routine.
Installing
While installing, the worm copies itself to the Windows directory under the name mscvb32.exe and registers itself in the system registry auto-run keys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
"System MScvb" = %WindowsDir%\mscvb32.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"System MScvb" = %WindowsDir%\mscvb32.exe

Spreading: email
To send out infected messages the worm connects directly to the default SMTP server.
To collect victim addresses the worm looks for .TXT, .EML, .HTML, .HTM, .DBX and .WAB files in all directories on all available local drives and retrieves e-mail-like strings from the files it finds.
Message attributes include:
The "From" field contains a forged address, either one found on the infected machine or "bill@microsoft.com".
Subject:
Re: Screensaver
Re: Movie
Re: Submited (004756-3463)
Re: 45443-343556B37DB6480EC9657E
Re: Approved
Approved78A85131
Re: Your application
Re: Application

Message Body:
Please see the attached file.

Attached file name:
screensaver.scr
movie.pif
submited.pif
45443.pif
documents.pif
approved.pif
application.pif
document.pif

The messages are also sent with attachments whose file name has its last letter cut off:

screensaver.sc
movie.pi
submited.pi
45443.pi
documents.pi
approved.pi
application.pi
document.pi


The Sobig.c worm also creates the file msddr.dat in the Windows directory and writes to it the e-mail addresses found on the infected machine.
Spreading via networks
The worm enumerates all accessible network resources (other computers in the network) and copies itself into their auto-start directories (if such subdirectories exist):
\Windows\All Users\Start Menu\Programs\StartUp
\Documents and Settings\All Users\Start Menu\Programs\Startup

Updating
The worm downloads files from four Web locations (these locations are "hardcoded" into the worm body) and executes them. As a result the worm is able to "upgrade" itself with new versions, and/or install other applications such as trojan programs and spyware.
Other
All worm routines (except the "Updating" feature) are active until June 8, 2003 only. This means the worm does not run its spreading routines (both email and network) after June 8, 2003.

I-Worm.Sobig.e

Description I-Worm.Sobig.e
Sobig.e is a worm virus spreading via the Internet as a file attached to infected emails. The Sobig.e worm also spreads through open network shares.
The worm itself is a Windows PE EXE file written in Microsoft Visual C++ and compressed with the tElock utility. Its file size is typically around 80K and above when compressed, while the decompressed size is about 130K.
What sets Sobig.e apart from its four predecessors is its use of the ZIP file format for some attachments; what it does after infecting the system is virtually identical to earlier Sobig variants.
The Sobig.e worm activates from an infected e-mail only when the user opens the attached file or, for the ZIP attachments, extracts the archive and opens the file inside it.
When run the worm installs itself to the system and runs its spreading routine.
Installing
While installing, the worm copies itself to the Windows directory under the name winssk32.exe and registers itself in the system registry auto-run keys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
"SSK Service" = %WindowsDir%\winssk32.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"SSK Service" = %WindowsDir%\winssk32.exe

Spreading: email
To send infected messages the worm uses a built-in SMTP engine. To collect victim addresses the worm looks for .TXT, .EML, .HTML, .HTM, .DBX and .WAB files in all directories on all available local drives and retrieves e-mail-like strings from the files it finds.
Below are the variations of Sobig.e message content:
The "From" field contains a forged address, either one found on the infected machine or "support@yahoo.com".

Subject:

"Re: Movie"
"Re: Movies"
"Re: Submited (Ref: 003746)"
"Re: Screensaver"
"Re: Documents"
"Re: Re: Application ref. 003644"
"Re: Re: Document"
"Your application"



Message Body:

'Please see the attached zip file for details.'

Attached file name:

"details.pif"
"application.zip"
"application.pif"
"document.zip"
"document.pif"
"screensaver.zip"
"sky_world.scr"
"Movie.zip"
"Movie.pif"

The files with the "zip" extension are archives that contain the worm's executable file.
The worm also creates the file msrrf.dat in the Windows directory and writes to it the e-mail addresses found on the infected machine.
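The subject lines, the fixed body text and the attachment names of Sobig.c and Sobig.e, including Sobig.c's names with the last letter cut off and Sobig.e's ZIP archives wrapping the executable, are exactly the kind of indicators a mail gateway can act on. The following Python is an added example, not code from this page or from any mail product: it turns those lists into a check over RFC 822 messages, and the messages and ZIP member it tests against are constructed inline and inert.

```python
"""Gateway check for the Sobig.c / Sobig.e lure messages listed above.

Added example, not code from the virus database page or from any mail
product. It encodes the listed subjects, body text and attachment names,
including Sobig.c's names with the last letter of the extension cut off and
Sobig.e's ZIP archives wrapping a .pif/.scr executable. The messages and the
ZIP member used for the demonstration are constructed inline and are inert.
"""
import io
import re
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

SUBJECTS = {                      # fixed subjects from the Sobig.c and Sobig.e lists
    "re: screensaver", "re: movie", "re: movies", "re: approved",
    "re: your application", "re: application", "your application",
    "re: documents", "re: re: document",
}
SUBJECT_PATTERNS = [              # subjects that carry a variable reference number
    re.compile(r"^re: submited \((ref: )?[\d-]+\)$", re.I),
    re.compile(r"^re: [0-9a-f]{5}-[0-9a-f]+$", re.I),
    re.compile(r"^approved[0-9a-f]{8}$", re.I),
    re.compile(r"^re: re: application ref\. \d+$", re.I),
]
BODIES = {"please see the attached file.",
          "please see the attached zip file for details."}
ATTACH_STEMS = {"screensaver", "movie", "submited", "45443", "documents",
                "approved", "application", "document", "details", "sky_world"}
EXEC_EXT = {"pif", "scr", "exe"}
TRUNCATED_EXT = {"pi", "sc"}      # Sobig.c variants with the last letter cut off


def subject_matches(subject):
    s = subject.strip()
    return s.lower() in SUBJECTS or any(p.match(s) for p in SUBJECT_PATTERNS)


def classify_attachment(name, payload):
    """Reason string if the attachment matches a Sobig lure, else None."""
    stem, _, ext = name.lower().rpartition(".")
    if ext in EXEC_EXT | TRUNCATED_EXT and stem in ATTACH_STEMS:
        return f"lure attachment {name}"
    if ext == "zip":              # Sobig.e: the worm executable travels inside a ZIP
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            return f"unreadable zip {name}"
        execs = [m for m in members if m.lower().rpartition(".")[2] in EXEC_EXT]
        if execs:
            return f"zip {name} carries executable {execs[0]}"
    return None


def scan_message(raw):
    """List the Sobig indicators present in one RFC 822 message (empty if none)."""
    msg = message_from_bytes(raw)
    reasons = []
    if subject_matches(msg["Subject"] or ""):
        reasons.append(f"subject {msg['Subject'].strip()!r}")
    for part in msg.walk():
        fname = part.get_filename()
        if fname:
            reason = classify_attachment(fname, part.get_payload(decode=True) or b"")
            if reason:
                reasons.append(reason)
        elif part.get_content_type() == "text/plain":
            body = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
            if body.strip().lower() in BODIES:
                reasons.append("lure body text")
    return reasons


def is_sobig(raw):
    """Block on a lure attachment, or on lure subject and body together; a
    matching subject alone ("Re: Movie") is too common to act on."""
    reasons = scan_message(raw)
    attachment_hit = any(r.startswith(("lure attachment", "zip ")) for r in reasons)
    lure_hit = any(r.startswith("subject") for r in reasons) and "lure body text" in reasons
    return attachment_hit or lure_hit


def build_sample(subject, body, filename, payload, sender="bill@microsoft.com"):
    """Construct a message shaped like the worm's (test data, inert payload)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "victim@example.com", subject
    m.set_content(body)
    m.add_attachment(payload, maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()


def sobig_e_zip():
    """ZIP with a placeholder 'document.pif' member (constructed, not a real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.pif", b"placeholder, not an executable")
    return buf.getvalue()
```

The truncated-extension names matter in practice: a filter that only blocks `*.pif` and `*.scr` lets `movie.pi` through, and a user who renames it back gets the worm. Matching on the ZIP member's extension rather than the archive name is what catches the Sobig.e form.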
Spreading: via network
The worm enumerates all accessible network resources (other computers in the network) and copies itself to the auto-start directories (if such subdirectories exist) of each resource (computer) it finds:
\Windows\All Users\Start Menu\Programs\StartUp
\Documents and Settings\All Users\Start Menu\Programs\Startup
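Since both Sobig.c and Sobig.e plant their copy in the same two all-users Startup folders of every share they can write to, a responder can sweep those paths read-only from one host. The following Python is an added example, not code from this page: it takes share roots as local or mounted paths, reports the known drop names (mscvb32.exe, winssk32.exe) and any other executable sitting in those folders, and builds a fake share tree of empty files in a temporary directory for the demonstration.

```python
"""Sweep the Startup folders of reachable shares for the Sobig drop files.

Added example, not code from the virus database page. Sobig.c and Sobig.e
copy themselves into the two all-users Startup folders of every network
resource they can write to, so a responder can check the same paths
read-only from one host. Share roots are given as local or mounted paths;
demo() builds a fake share tree of empty files (constructed data).
"""
import os
import tempfile

STARTUP_DIRS = (
    os.path.join("Windows", "All Users", "Start Menu", "Programs", "StartUp"),
    os.path.join("Documents and Settings", "All Users", "Start Menu", "Programs", "Startup"),
)
KNOWN_DROPS = {"mscvb32.exe": "Sobig.c", "winssk32.exe": "Sobig.e"}
AUTORUN_EXT = {".exe", ".pif", ".scr", ".com", ".bat"}  # other executables here are still worth a look


def scan_share(root):
    """Return [(path, verdict)] for executables in the Startup folders of one share."""
    hits = []
    for rel in STARTUP_DIRS:
        folder = os.path.join(root, rel)
        if not os.path.isdir(folder):
            continue
        for name in sorted(os.listdir(folder)):
            path = os.path.join(folder, name)
            if not os.path.isfile(path):
                continue
            lower = name.lower()
            if lower in KNOWN_DROPS:
                hits.append((path, KNOWN_DROPS[lower]))
            elif os.path.splitext(lower)[1] in AUTORUN_EXT:
                hits.append((path, "unexpected executable"))
    return hits


def scan_shares(roots):
    """Scan several share roots; returns {root: findings} for roots with findings."""
    report = {}
    for root in roots:
        hits = scan_share(root)
        if hits:
            report[root] = hits
    return report


def demo():
    """Construct a fake share tree, scan it and return share-relative hits."""
    with tempfile.TemporaryDirectory() as tmp:
        share = os.path.join(tmp, "HOST1", "C$")
        drop = os.path.join(share, STARTUP_DIRS[0])
        benign = os.path.join(share, STARTUP_DIRS[1])
        os.makedirs(drop)
        os.makedirs(benign)
        for name in ("desktop.ini", "winssk32.exe"):   # one normal file, one drop
            open(os.path.join(drop, name), "wb").close()
        open(os.path.join(benign, "sync.pif"), "wb").close()
        return [(os.path.relpath(p, share).replace(os.sep, "/"), v)
                for p, v in scan_share(share)]
```

On a live network, pass the mounted admin shares (for example `\\HOST\C$`) to `scan_shares`; the known-name match is only as good as the variant list, so the "unexpected executable" verdict is what catches a renamed copy.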

Updating
The worm opens network connections on ports 995, 996, 997, 998 and 999 and takes commands and data from its "master". The data comes in the form of URLs; the worm downloads the files at these URLs and executes them. As a result the worm is able to "upgrade" itself to new versions and/or install other applications (trojan programs, for example).
Other
All worm routines (except "Updating" - see above) are active until July 14, 2003. This means the worm does not run its spreading (both email and network) routines after July 14, 2003.

    Copyright © 2005 Virus-Database.com