Virus Database


Win32.Zaprom.2756

Description Win32.Zaprom.2756
Zaprom is a memory-resident parasitic Win32 virus that uses a nonstandard infection technique and a nonstandard way of going resident.
Zaprom infects PE EXE files only, and it writes itself into the middle of the file rather than appending to the end. After running checks to decide whether a file is suitable, the virus reads a block from the file's code section, compresses it, appends its own encrypted body, and writes the result back over the original block in the code section. Because the compressed original plus the virus body fits in the space the original block occupied, an infected file does not grow: a file-size check will not reveal the infection, while a content hash or a byte-level comparison against a known-good copy will.
When an infected file is run, the virus infects Shell32.dll in the Windows system directory; this is how it becomes memory resident, living inside a system library rather than in a process of its own. It then hooks two Windows API functions (file opening and file execution) and infects the .EXE and .DLL files that are accessed through them.
The Zaprom virus does not manifest itself. It contains the text string:

PR0Mi$E$/ZLA$H


I-Worm.Galil

Description I-Worm.Galil

Galil is a worm that spreads over the Internet as an attachment to infected e-mails. It consists of several components, all of them Windows PE files written in Visual Basic:
Main file: "iLLeGaL.exe", about 81K in size
Spreading component: "Mplayer.exe", about 14K (UPX-compressed; 37K unpacked)
SMTP component: "SMTP.ocx", about 26K (UPX-compressed; 90K unpacked)

Installing
When the main worm file is run it installs itself and its components on the system. It copies its main file to the Windows system directory as "iLLeGaL.exe" and places the other components in the same directory. The "Mplayer.exe" component is then registered in the system registry auto-run key (RunServices is processed by Windows 9x/ME; NT-based Windows ignores it):
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
iLLeGaL = %SystemDir%\Mplayer.exe

The worm then displays a fake Flash animation and the message:
Sorry !
Looooooooool , thanx fo da time u spent thinkin ov me

Spreading
The worm collects victim addresses from the MS Outlook address book and from e-mail addresses found in .HTM and .HTML files. To send infected messages it connects directly to an SMTP server rather than going through the victim's mail client.
The infected messages have:
Subject: Fwd: Crazy illegal sex !
Body: randomly selected from a file on the C: drive
Attachment: "iLLeGal.exe" or "illegalSex.zip"

The worm activates from an infected e-mail only if the user opens the attachment. It then installs itself on the system and runs its spreading routine and its payload.
Payload
The worm creates a new registry key that it uses as a counter:
HKLM\iLLeGal

The counter is incremented on each start of the worm. When it reaches 5 the worm deletes all files on the D:, E:, F: and G: drives and then displays the message:
ZaCker
No Peace Without war,i hate war but im forced to love it,Hidden Power's gonna b there wherever u r

I-Worm.Ganda

Description I-Worm.Ganda
Ganda is a worm that spreads over the Internet as an e-mail attachment. It also inserts a loader component into Win32 PE EXE files and protects itself against anti-virus programs.
The worm itself is a Windows PE EXE file 45056 bytes in size, written in assembly language. It contains the following encrypted strings:
[WORM.SWEDENSUX] Coded by Uncle Roger in Härnösand, Sweden, 03.03.
I am being discriminated by the swedish schoolsystem. This is a response
to eight long years of discrimination.
I support animal-liberators worldwide.

The worm's messages are built from the following MIME skeleton (the text/plain alternative is the secondary part and is typically ignored by mail clients that render the HTML part):

--part1
Content-type: multipart/alternative; boundary="part2"

--part2
Content-type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Myzli!

--part2
Content-type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable


Massage body


--part2--

--part1
Content-type: application/octet-stream
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="xx.scr"

The subject and message body are selected from the following variants, in English or in Swedish; the language is chosen according to the computer's language settings.
Swedish message variants (the original texts are kept verbatim, since they are what the messages contain; an English translation follows each):
Variant 1:
Title: =?iso-8859-1?Q?Olaglig_sk=E4rmsl=E4ckare=3F?= (decodes to "Olaglig skärmsläckare?", English: "Illegal screensaver?")

Message body:

Hej!

Min son visade mig denna sk=E4rmsl=E4ckare som jag misst=E4nker kan =
bryta mot lagen om hets mot folkgrupp. Eftersom du =E4r verksam som =
jurist, s=E5 vore jag tacksam f=F6r en fackmans syn p=E5 saken. Tack =
p=E5 f=F6rhand.

English translation: Hi! My son showed me this screensaver, which I suspect may violate the law against incitement against ethnic groups. Since you work as a lawyer, I would be grateful for a professional's view on the matter. Thanks in advance.

Variant 2:
Title: Rashets eller inte? (English: "Racial incitement or not?")

Message body:

Hejsan!

Min datal=E4rare gjorde mig uppm=E4rksam p=E5 att denna =
sk=E4rmsl=E4ckare m=F6jligen kan t=E4nkas vara ett verk av rasister. Nu =
vet jag varken ut eller in, eftersom jag hade t=E4nkt anv=E4nda den p=E5 =
min skoldator. B=F6r jag att forts=E4tta att anv=E4nda den? Svara helst =
snarast.
Tack p=E5 f=F6rhand.

English translation: Hello! My computer teacher pointed out to me that this screensaver might possibly be the work of racists. Now I don't know which way to turn, since I had intended to use it on my school computer. Should I keep using it? Please reply as soon as possible. Thanks in advance.

Variant 3:
Title: Hakkors. (English: "Swastika.")

Message body:

Hej!

Min klassf=F6rest=E5ndare gick i taket n=E4r hon fick se =
sk=E4rmsl=E4ckaren som jag har anv=E4nt under tv=E5 terminer. Hon =
anklagade mig f=F6r antisemitism eftersom den ibland visar ett hakkors. =
Tycker du att jag b=F6r acceptera detta fr=E5n henne? Vore tacksam f=F6r =
ett utl=E5tande fr=E5n dig. Svara helst s=E5 snart det g=E5r.

English translation: Hi! My class teacher hit the roof when she saw the screensaver I have used for two terms. She accused me of antisemitism because it sometimes shows a swastika. Do you think I should accept this from her? I would be grateful for an opinion from you. Please reply as soon as you can.

Variant 4:
Title: Suspekta semaforer. (English: "Suspicious semaphores.")

Message body:

Hejsan !

I skolan hittade jag en CD skiva som inneh=F6ll bl.a denna =
sk=E4rmsl=E4ckare. En l=E4rare som r=E5kade kasta ett =F6ga p=E5 den =
avf=E4rdade dess inneh=E5ll som ren rasistisk propaganda. Sj=E4lv tycker =
jag inte att det =E4r n=E5got att
orda om. Vore tacksam f=F6r din uppfattning. Tack p=E5 f=F6rhand.

English translation: Hello! At school I found a CD that contained, among other things, this screensaver. A teacher who happened to glance at it dismissed its content as pure racist propaganda. I myself don't think it is anything to make a fuss about. I would be grateful for your opinion. Thanks in advance.

Variant 5:
Title: =?iso-8859-1?Q?Avskyv=E4rd_reklam.?= (decodes to "Avskyvärd reklam.", English: "Abhorrent advertising.")

Message body:

Hej!

Min minder=E5rige son fick denna sk=E4rmsl=E4ckare p=E5 en CD skiva via =
ett massutskick av reklam. Jag uppr=F6rs =F6ver det s=E4tt p=E5 vilket =
rasistiska och nazistiska propagandister till=E5ts f=F6rmedla sin =
avskyv=E4rda ideologitill barn. Jag =F6verv=E4ger nu att polisanm=E4la detta tilltag s=E5 =
snart du, i egenskap av juridisk fackman, delgett mig din =E5sikt. Tack =
p=E5 f=F6rhand.

English translation: Hi! My underage son received this screensaver on a CD through a mass advertising mailing. I am outraged at the way racist and Nazi propagandists are allowed to convey their abhorrent ideology to children. I am now considering reporting this to the police as soon as you, as a legal professional, have given me your opinion. Thanks in advance.

Variant 6:
Title: =?iso-8859-1?Q?=D6verviktiga_f=F6rnedras.?= (decodes to "Överviktiga förnedras.", English: "Overweight people are humiliated.")

Message body:

Hejsan !

Jag =F6verv=E4ger att polisanm=E4la denna sk=E4rmsl=E4ckare. Jag anser =
att den har en nedl=E5tande attityd gentemot =F6verviktiga personer. Jag =
skulle bli ytterst tacksam om du kunde bidra med din syn p=E5 saken.
Tack p=E5 f=F6rhand.

English translation: Hello! I am considering reporting this screensaver to the police. I think it has a condescending attitude towards overweight people. I would be extremely grateful if you could share your view on the matter. Thanks in advance.

Variant 7:
Title: Go ack ack ackall. (Swedish nonsense words, left untranslated)

Message body:

Hej igen!

Den h=E4r sk=E4rmsl=E4ckaren verkar vara en amerikansk parodi p=E5 =
n=E5got som svenskarna g=F6r p=E5 midsommar. Skratta inte ihj=E4l dig =
bara. :-)

English translation: Hi again! This screensaver seems to be an American parody of something Swedes do at midsummer. Just don't laugh yourself to death. :-)

Variant 8:
Title: =?iso-8859-1?Q?=C4r_USA_ett_UFO=3F?= (decodes to "Är USA ett UFO?", English: "Is the USA a UFO?")

Message body:

Hej igen!

H=E4r =E4r sk=E4rmsl=E4ckare nummer 4. Kolla in den och tala sedan om =
f=F6r mig att George W Bush INTE =E4r en rymdvarelse. ;-)

English translation: Hi again! Here is screensaver number 4. Check it out and then tell me that George W Bush is NOT an alien. ;-)

Variant 9:
Title: Korkad president. (English: "Stupid president.")

Message body:

Hej igen!

H=E4r =E4r sk=E4rmsl=E4ckaren som jag snackade om. George W Bush verkar =
inte vara allf=F6r bright om man ska tro brittiska komiker.
:-)

English translation: Hi again! Here is the screensaver I was talking about. George W Bush doesn't seem all that bright, if British comedians are to be believed. :-)

Variant 10:
Title: Katt, hund, kanin. (English: "Cat, dog, rabbit.")

Message body:

Hej igen!

Om du gillar djur s=E5 m=E5ste denna sk=E4rmsl=E4ckare vara n=E5't f=F6r =
dig. Mjau, Voff, Arf Arf.... ;-)

English translation: Hi again! If you like animals then this screensaver must be something for you. Meow, Woof, Arf Arf.... ;-)

English message variants:
Variant 1:
Title: Screensaver advice.

Message body:

Do you think this screensaver could be considered illegal? Would =
appreciate if you or any one of your friends could check it out and =
answer as soon as
humanly possible. Thanx !

Variant 2:
Title: Spy pics.

Message body:

Here's the screensaver i told you about. It contains pictures taken by =
one of the US spy satellites during one of it's missions over iraq. If =
you want more of these pic's you know where you can find me. Bye!

Variant 3:
Title: GO USA !!!!

Message body:

This screensaver animates the star spangled banner. Please support the =
US administration in their fight against terror. Thanx a lot!

Variant 4:
Title: G.W Bush animation.

Message body:

Here's the animation that the FBI wants to stop. Seems like the feds are =
trying to put an end to peoples right to say what they think of the US =
administration. Have fun!

Variant 5:
Title: Is USA a UFO?

Message body:

Have a look at this screensaver, and then tell me that George.W Bush is =
not an alien. ;-)

Variant 6:
Title: Is USA always number one?

Message body:

Some misguided people actually believe that an american life has a =
greater value than those of other nationalities. Just have a look at =
this pathetic screensaver and then you'll know what i'm talking about. =
All the best.

Variant 7:
Title: LINUX.

Message body:

Are you a windows user who is curious about the linux environment? This =
screensaver gives you a preview of the KDE and GNOME desktops. What's =
more, LINUX is a free system, meaning anyone can download it.

Variant 8:
Title: Nazi propaganda?

Message body:

This screensaver has been banned in Germany. It contains a number of =
animated symbols that can be related to the nazi culture. What do you =
think, is it a legitimate ban or not? Please answer asap. Thanx!

Variant 9:
Title: Catlover.

Message body:

If you like cats you'll love this screensaver. It's four animated =
kittens running around on the screen. Contact me for more clipart. Have =
fun! ;-)

Variant 10:
Title: Disgusting propaganda.

Message body:

Hello! My 12 year old doughter received this screensaver on a CDROM that =
was sent to her through advertising. I find it disturbing that children =
are now being targets of nazi organizations. I would appreciate to hear =
from you on this matter, as soon as possible. Thank you.

The attachment name is of the form xx.scr, where xx is two random lowercase letters from a to z.
The worm activates only if the user opens the attachment. It then installs itself on the system and runs its spreading routine and payload.
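As an added example (not code from the original page or from the worm), the Python below parses a message constructed from the MIME skeleton and Swedish variant 1 above, decodes the Q-encoded subject and the quoted-printable bodies, and flags an attachment that is both an MZ executable and named by the xx.scr scheme. The sender and recipient addresses, the top-level multipart/mixed header (the skeleton above begins at --part1, so an enclosing multipart is assumed) and the dummy attachment are all constructed for the example.

```python
import base64
import email
import re
from email import policy
from email.header import decode_header, make_header

# Attachment names Ganda uses: two random lowercase letters followed by ".scr".
GANDA_ATTACHMENT = re.compile(r"^[a-z]{2}\.scr$")

# Constructed sample: the MIME skeleton from the description with Swedish
# variant 1. The attachment is a dummy MZ header padded with zeros, not the worm.
_DUMMY_ATTACHMENT = base64.b64encode(b"MZ" + b"\0" * 62).decode("ascii")
SAMPLE_MESSAGE = (
    "From: sender@example.invalid\n"
    "To: recipient@example.invalid\n"
    "Subject: =?iso-8859-1?Q?Olaglig_sk=E4rmsl=E4ckare=3F?=\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="part1"\n'
    "\n"
    "--part1\n"
    'Content-type: multipart/alternative; boundary="part2"\n'
    "\n"
    "--part2\n"
    'Content-type: text/plain; charset="iso-8859-1"\n'
    "Content-Transfer-Encoding: quoted-printable\n"
    "\n"
    "Myzli!\n"
    "\n"
    "--part2\n"
    'Content-type: text/html; charset="iso-8859-1"\n'
    "Content-Transfer-Encoding: quoted-printable\n"
    "\n"
    "Hej!\n"
    "\n"
    "Min son visade mig denna sk=E4rmsl=E4ckare som jag misst=E4nker kan =\n"
    "bryta mot lagen om hets mot folkgrupp. Eftersom du =E4r verksam som =\n"
    "jurist, s=E5 vore jag tacksam f=F6r en fackmans syn p=E5 saken. Tack =\n"
    "p=E5 f=F6rhand.\n"
    "\n"
    "--part2--\n"
    "\n"
    "--part1\n"
    "Content-type: application/octet-stream\n"
    "Content-Transfer-Encoding: base64\n"
    'Content-Disposition: attachment; filename="qz.scr"\n'
    "\n"
    "{attachment}\n"
    "\n"
    "--part1--\n"
).format(attachment=_DUMMY_ATTACHMENT)


def decode_subject(raw_subject):
    """Decode RFC 2047 encoded words such as the worm's Q-encoded Swedish subjects."""
    return str(make_header(decode_header(raw_subject)))


def analyse_message(raw):
    """Parse one message; report subject, decoded bodies and attachment facts."""
    msg = email.message_from_string(raw, policy=policy.default)
    bodies = [
        part.get_content()  # handles quoted-printable and the declared charset
        for part in msg.walk()
        if part.get_content_type() in ("text/plain", "text/html")
        and not part.is_attachment()
    ]
    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""  # base64 -> raw bytes
        attachments.append({
            "name": name,
            "size": len(payload),
            "is_pe": payload[:2] == b"MZ",
            "ganda_name": bool(GANDA_ATTACHMENT.match(name)),
        })
    return {
        "subject": str(msg["subject"]),
        "bodies": bodies,
        "attachments": attachments,
        # Flag an MZ executable arriving under the worm's xx.scr naming scheme.
        "suspicious": any(a["is_pe"] and a["ganda_name"] for a in attachments),
    }


if __name__ == "__main__":
    report = analyse_message(SAMPLE_MESSAGE)
    print(report["subject"])
    for a in report["attachments"]:
        print(a)
    print("suspicious:", report["suspicious"])
```

The filename check alone is weak (any two-letter .scr would match), which is why the flag also requires the decoded payload to start with an MZ header; a mail gateway would normally go further and hand the payload to a PE scanner.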
Installing
While installing, the worm copies itself to the Windows directory as SCANDISK.exe and registers that file in the system registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
ScanDisk = SCANDISK.exe

The worm also copies itself to the Windows directory under a random name: eight random letters from a to z followed by ".exe".
Spreading
To send infected messages the worm connects directly to an SMTP server. It harvests addresses from the Windows Address Book (WAB) database and from files matching the masks "*.eml", "*.*htm*" and "*.dbx".
The worm also inserts a loader component into Win32 PE EXE files.
It searches the local disk for .EXE and .SCR files and checks each for a particular instruction sequence; where one is found, it writes its component into the file's last section and inserts a JMP instruction so that the component receives control. The component does nothing but launch the main worm body from the Windows directory under the random eight-letter name described above, which is why the strings below include such a name. The component code contains the following strings:

KERNEL32.DLL
CreateProcessA GlobalAlloc GetWindowsDirectoryA SetCurrentDirectoryA
CreateProcessA
hvjxlzna.EXE

Ganda defends itself against anti-virus programs. It terminates running processes whose code contains any of the following text strings:

virus
firewall
f-secure
symantec
mcafee
pc-cillin
trend micro
kaspersky
sophos
norton

Ganda also scans the files referenced from the registry tree:
HKLM\System\CurrentControlSet\Services\VxD

and deletes the entries for files containing anti-virus strings (on Windows 9x this tree lists the static virtual device drivers loaded at boot, which is where resident anti-virus monitors of the time were registered). It likewise scans the files pointed to by the auto-run keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

Files found to contain anti-virus strings have a RET instruction written at their entry point, so the program exits immediately when it is started.
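Both Zaprom's mid-file infection (compressed, encrypted code written into the code section) and Ganda's PE patching (a RET at the entry point; a loader placed in the last section and reached through an inserted JMP) leave traces in the PE headers and section bodies. The Python below is an added example, not code from the original page or from either virus: a small PE32 header parser with three triage heuristics. The 7.0 bits-per-byte entropy threshold, and the assumption that the Ganda JMP sits at the entry point and leaves the entry section, are assumptions made for this example; the four sample images are constructed in the block with a minimal PE builder.

```python
import math
import random
import struct

# Section characteristic bits from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000


def shannon_entropy(buf):
    """Bits per byte; 8.0 is the maximum, reached by uniformly random data."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data):
    """Return (AddressOfEntryPoint, section list) from a PE file image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name, "va": va, "vsize": vsize,
                         "raw": rawptr, "rawsize": rawsize, "chars": chars})
    return entry_rva, sections


def section_index(sections, rva):
    for i, s in enumerate(sections):
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return i
    return None


def triage(data, entropy_threshold=7.0):
    """Return the sorted list of heuristic findings for one PE file."""
    entry_rva, sections = parse_pe(data)
    findings = set()
    # Zaprom-style: compressed+encrypted material inside a code section pushes
    # its entropy far above that of ordinary x86 code (threshold is assumed).
    for s in sections:
        body = data[s["raw"]:s["raw"] + s["rawsize"]]
        if s["chars"] & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):
            if shannon_entropy(body) > entropy_threshold:
                findings.add("high-entropy code section " + s["name"])
    idx = section_index(sections, entry_rva)
    if idx is None:
        findings.add("entry point outside any section")
        return sorted(findings)
    off = sections[idx]["raw"] + (entry_rva - sections[idx]["va"])
    opcode = data[off]
    if opcode == 0xC3:  # Ganda's anti-AV patch: RET, program exits at once
        findings.add("RET at entry point")
    if opcode == 0xE9:  # JMP rel32 that leaves the entry section (assumed form)
        target = entry_rva + 5 + struct.unpack_from("<i", data, off + 1)[0]
        if section_index(sections, target) not in (None, idx):
            findings.add("JMP at entry point into another section")
    return sorted(findings)


def build_pe(sections, entry_rva, file_align=0x200):
    """Build a minimal PE32 image for testing (constructed input, not malware).
    sections: (name bytes, characteristics, body bytes); body i is padded or cut
    to one alignment unit and mapped at RVA 0x1000 * (i + 1)."""
    opt_size, nsec = 0xE0, len(sections)
    img = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)  # AddressOfEntryPoint
    img += opt
    first_raw = -(-(len(img) + 40 * nsec) // file_align) * file_align
    bodies = []
    for i, (name, chars, body) in enumerate(sections):
        img += struct.pack("<8sIIIIIIHHI", name, file_align, 0x1000 * (i + 1),
                           file_align, first_raw + file_align * i, 0, 0, 0, 0, chars)
        bodies.append(body.ljust(file_align, b"\0")[:file_align])
    return bytes(img.ljust(first_raw, b"\0") + b"".join(bodies))


CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
_rng = random.Random(2756)
_STUB = b"\x55\x8b\xec\x33\xc0\x5d\xc3"  # push ebp/mov ebp,esp/xor eax,eax/pop ebp/ret
_JMP_TO_LAST = b"\xe9" + struct.pack("<i", 0x2000 - 0x1005)  # JMP 0x1000 -> 0x2000
SAMPLES = {
    "clean": build_pe([(b".text", CODE, _STUB), (b".rsrc", DATA, b"RSRC")], 0x1000),
    "zaprom_like": build_pe([(b".text", CODE, b"\x55" + bytes(_rng.getrandbits(8) for _ in range(0x1FF))),
                             (b".rsrc", DATA, b"RSRC")], 0x1000),
    "ganda_ret": build_pe([(b".text", CODE, b"\xc3"), (b".rsrc", DATA, b"RSRC")], 0x1000),
    "ganda_jmp": build_pe([(b".text", CODE, _JMP_TO_LAST + _STUB),
                           (b".rsrc", DATA, b"KERNEL32.DLL\0CreateProcessA\0hvjxlzna.EXE\0")], 0x1000),
}

if __name__ == "__main__":
    for label, image in SAMPLES.items():
        print(label, triage(image))
```

These are triage heuristics, not verdicts: legitimate packers also produce high-entropy code sections and entry-point jumps into other sections, so hits belong in a queue for a proper scanner or a look in a disassembler, and a clean result says nothing about a file whose patch leaves the headers untouched.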
Payloads
Each time it infects a machine the worm also sends an e-mail message with the following characteristics:
From:

skrattahaha@hotmail.com

To:

red@fna.se
debatt@svt.se
susanne.sjostedt@tidningen.to
skolverket@skolverket.se
mary.martensson@aftonbladet.se
katarina.sternudd@aftonbladet.se
cecilia.gustavsson@aftonbladet.se
jessica.ritzen@aftonbladet.se
margareta.cronquist@tidningen.to
annika.sohlander@aftonbladet.se
kerstin.danielson@aftonbladet.se
insandare@tidningen.to
insandare@aftonbladet.se

The message title or subject is:
DISKRIMINERAD !!!!
The message body contains text written in the Swedish language.

Copyright © 2005 Virus-Database.com