Win95.Radix
Description Win95.Radix
This is a relatively harmless, non-memory-resident, parasitic Win9x virus. It searches the current directory for PE EXE files and writes itself into the middle of each file, in the unused space at the end of the PE header. The virus does not manifest itself in any way. It contains the text: Radix16
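The infection method described above (code written into the padding between the end of the PE section table and the first section's raw data) leaves a measurable trace: in a file straight from the linker that gap is almost always zero-filled. The following Python is an added triage check, not code from the original page or from any antivirus product; it parses the PE headers with the standard `struct` module, measures the header slack, and builds a constructed minimal PE32 image (`build_sample_pe`, a hypothetical helper) to show the clean and the "filled" case side by side.

```python
import struct

def header_slack(pe: bytes):
    """Locate the gap between the end of the section table and the first section's raw data.

    Returns (offset, length, nonzero_bytes). A file straight from the linker normally has
    only zero padding there; a cavity infector like Win95.Radix fills it with code.
    """
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    sect_table = coff + 20 + opt_size
    sect_end = sect_table + 40 * nsections
    first_raw = None
    for i in range(nsections):
        # IMAGE_SECTION_HEADER after the 8-byte Name: VirtualSize, VirtualAddress,
        # SizeOfRawData, PointerToRawData, ...
        _, _, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, sect_table + 40 * i + 8)
        if raw_size and (first_raw is None or raw_ptr < first_raw):
            first_raw = raw_ptr
    if first_raw is None or first_raw <= sect_end:
        return sect_end, 0, 0
    slack = pe[sect_end:first_raw]
    return sect_end, len(slack), sum(1 for b in slack if b)

def looks_cavity_infected(pe: bytes, max_nonzero: int = 16) -> bool:
    """Heuristic: more than a handful of non-zero bytes in the header slack merits a closer look."""
    return header_slack(pe)[2] > max_nonzero

def build_sample_pe(slack_fill: bytes = b"") -> bytes:
    """Constructed minimal PE32 image (one .text section at file offset 0x200) for the demo;
    slack_fill is written into the header slack to imitate a cavity infection."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                            # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, 1 section, PE32
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    sect = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect      # 352 bytes
    gap = 0x200 - len(header)                                        # 160 bytes of header slack
    if len(slack_fill) > gap:
        raise ValueError("fill larger than slack")
    return header + slack_fill + b"\0" * (gap - len(slack_fill)) + b"\xC3" * 0x200

CLEAN = build_sample_pe()
# Constructed stand-in for an infected file: filler bytes plus the marker string the description quotes.
SUSPECT = build_sample_pe(b"\x90" * 64 + b"Radix16")

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(label, header_slack(image), looks_cavity_infected(image))
```

Treat a non-zero slack as a reason to look closer, not as a verdict: some linkers place the bound-import directory in that gap, so a hit should be confirmed by checking whether the entry point or any code path leads into the header region, or by comparing the file against a known-good hash.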
I-Worm.Lovelorn.a
Description I-Worm.Lovelorn.a
Lovelorn spreads via the Internet as an email file attachment. The infected file is a Windows PE EXE file about 100KB in size, written in Borland C++. Infected emails have the following possible characteristics:
Subject: Re:baby!your friend send this file to you ! Message text: Read this file
Subject: HELP??- Message text: Helpall
Subject: Re:Get Password mail... Message text: Enjoy
Subject: There're some Passwords here Message text: Read File attach .
Subject: Re:Binladen_Sexy.jpg Message text: run File Attach to extract:BinladenSexy.jpg...
Subject: The Sexy story and 4 sexy picture of BINLADEN ! Message text: Enjoy! BINLADEN:SEXY..
Subject: Re:I Love You...OKE! Message text: Souvenir for you from file attach...
Subject: A Greeting-card for you . Message text: See the Greeting-card .
Subject: Re:Kiss you..^@^ Message text: Read file attach
Subject: Guide to ... Message text: I like Sexy with you.
Subject: Re:Baby! 2000USD,Win this game... Message text: Play the game from file attach
Subject: Help Message text: Help.
The name of the attached file is chosen arbitrarily and has one of the following extensions: .Kiss.ok.exe .HTM
The sender's return address is forged.
Installation
When launched, the worm copies itself into the Windows system directory under the following names:
Explorer.exe Kernel32.exe Netdll.dll Serscg.dll
The worm then creates the files Setup.hrm, Bsbk.dll and Netsn.dll, all containing its code in MIME format, and creates the file 'Findfast.exe' in the Startup folder. Next, the worm registers itself in the autorun key of the system registry with the following entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run explorer=%System%\explorer.exe
Propagation via email
The Lovelorn worm searches the infected (victim) computer for files with the extensions '.dbx' and '.htm', looks inside them for email addresses and records the addresses in the file 'Mssys.dll'. The addresses held in this file are later used as recipients of worm copies. To send the infected messages, Lovelorn uses its own built-in SMTP engine.
Infected files
The worm is able to infect PE application files, copying itself into the file headers.
Propagation via diskette
Lovelorn copies itself to the A: drive under the name 'NQH_Kiss_you.exe'.
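The message characteristics listed above (fixed subject lines, an executable hidden behind a decoy extension such as .Kiss.ok.exe) are what a mail gateway can act on. The following Python is an added example, not code from the original page or from any vendor: it parses a constructed message with the standard `email` module, extracts attachment names, and flags executable and double-extension attachments, with the page's subject list as a secondary indicator. `classify`, `SAMPLE_WORM` and `SAMPLE_CLEAN` are names chosen here; the messages are constructed sample data.

```python
import email
from email import policy

# Subject lines quoted in the description above (page data). Exact-match subjects are a
# weak indicator on their own ("Help" is a normal subject), so they only raise "review".
LOVELORN_SUBJECTS = {
    "Re:baby!your friend send this file to you !", "HELP??-", "Re:Get Password mail...",
    "There're some Passwords here", "Re:Binladen_Sexy.jpg",
    "The Sexy story and 4 sexy picture of BINLADEN !", "Re:I Love You...OKE!",
    "A Greeting-card for you .", "Re:Kiss you..^@^", "Guide to ...",
    "Re:Baby! 2000USD,Win this game...", "Help",
}
EXECUTABLE_EXT = {"exe", "scr", "pif", "com", "bat", "cmd"}

def attachment_names(msg):
    """File names of all non-body MIME parts."""
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]

def deceptive_double_extension(name: str) -> bool:
    """card.Kiss.ok.exe: an executable hiding behind one or more decoy extensions."""
    parts = name.lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXECUTABLE_EXT

def classify(raw: bytes) -> dict:
    """Gateway decision for one RFC 5322 message: deliver, review or quarantine."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    names = attachment_names(msg)
    attach_hits = []
    for name in names:
        if name.lower().rsplit(".", 1)[-1] in EXECUTABLE_EXT:
            attach_hits.append(f"executable attachment: {name}")
        if deceptive_double_extension(name):
            attach_hits.append(f"double extension: {name}")
    subject_hit = subject in LOVELORN_SUBJECTS
    reasons = (["subject matches a Lovelorn template"] if subject_hit else []) + attach_hits
    verdict = "quarantine" if attach_hits else ("review" if subject_hit else "deliver")
    return {"subject": subject, "attachments": names, "verdict": verdict, "reasons": reasons}

# Constructed sample messages (not real captures); the attachment body is just "MZ" in base64.
SAMPLE_WORM = (
    b"From: friend@example.test\r\n"
    b"To: victim@example.test\r\n"
    b"Subject: A Greeting-card for you .\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"See the Greeting-card .\r\n"
    b"--b1\r\n"
    b'Content-Type: application/octet-stream; name="card.Kiss.ok.exe"\r\n'
    b'Content-Disposition: attachment; filename="card.Kiss.ok.exe"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"TVo=\r\n"
    b"--b1--\r\n"
)
SAMPLE_CLEAN = (
    b"From: alice@example.test\r\nTo: bob@example.test\r\nSubject: Lunch?\r\n"
    b"Content-Type: text/plain\r\n\r\nNoon at the usual place?\r\n"
)

if __name__ == "__main__":
    print(classify(SAMPLE_WORM))
    print(classify(SAMPLE_CLEAN))
```

The attachment rules are the durable part of this check: the subject list stops working as soon as a variant changes its templates, while "executable behind a decoy extension" catches the whole family of mass mailers from this period.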
I-Worm.Lovgate.a
Description I-Worm.Lovgate.a
I-Worm.Lovgate.a (aka Supnot.a) is a worm spreading via the Internet as an attachment to infected emails. The worm also spreads through local area networks and has a backdoor routine. Several very similar variants of the worm are known. The worm itself is a Windows PE EXE file, written in Microsoft Visual C++ and compressed with ASPack. The compressed file size is about 85K; decompressed, about 200K. From infected email the worm activates only when a user opens the attached file. While spreading through local area networks the worm tries to run its remote copies using Windows NT functions. When run, the worm installs itself into the system and starts its spreading and backdoor routines.
Installing
While installing, the worm copies itself to the Windows system directory under several names and registers these files in the system registry auto-run key (under Windows NT) and/or in the "run=" line of WIN.INI (under Win9x). The worm copies have the following names: rpcsrv.exe syshelp.exe winrpc.exe WinGate.exe WinRpcsrv.exe
The registry keys are:
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows] "Run"="rpcsrv.exe"
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "syshelp"="%SystemDir%\syshelp.exe"
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "WinGate initialize"="%SystemDir%\WinGate.exe -remoteshell" "Module Call initialize"="RUNDLL32.EXE reg.dll ondll_reg"
[HKCR\txtfile\shell\open\command] "winrpc.exe %1"
Spreading: email
To spread by email, Supnot uses two different methods:
1. The worm looks for *.HT* files (HTM, HTML) in the current directory, the Windows directory and the "My Documents" directory (including subdirectories), scans them for email-like text strings and sends infected messages to the addresses found. To send an infected message the worm connects directly to the default SMTP server, or to the "smtp.163.com" server. The message attributes vary; the following Subject / Text / Attachment combinations are used:
Subject: Cracks! Text: Check our list and mail your requests! Attachment: CrkList.exe
Subject: The patch Text: I think all will work fine. Attachment: Patch.exe
Subject: Last Update Text: This is the last cumulative update. Attachment: LUPdate.exe
Subject: Do not release Text: This is the pack ;) Attachment: Pack.exe
Subject: Beta Text: Send reply if you want to be official beta tester. Attachment: _SetupB.exe
Subject: Help Text: I'm going crazyall please try to find the bug! Attachment: Source.exe
Subject: Evaluation copy Text: Test it 30 days for free. Attachment: Setup.exe
Subject: Pr0n! Text: Adult content!!! Use with parental advisory. Attachment: Sex.exe
Subject: Roms Text: Test this ROM! IT ROCKS!. Attachment: Roms.exe
Subject: Documents Text: Send me your comments... Attachment: Docs.exe
2. The worm reads emails from the Inbox and "answers" them using Windows MAPI functions. Replies look like:
Subject: Re: [original email subject]
Text:
[user name] wrote:
====
> [original email text]
====
[email domain name] account auto-reply:
' I'll try to reply as soon as possible. Take a look to the attachment and send me your opinion! '
> Get your FREE [email domain name] account now! <
for example:
The attached file name is randomly selected from the following variants: pics.exe SETUP.EXE images.exe Card.EXE joke.exe billgt.exe PsPGame.exe midsong.exe news_doc.exe s3msong.exe hamster.exe docs.exe tamagotxi.exe humor.exe searchURL.exe fun.exe
Infecting local networks
The worm finds network resources (shared writeable disks and directories) and copies itself to them under randomly chosen names: pics.exe SETUP.EXE images.exe Card.EXE joke.exe billgt.exe PsPGame.exe midsong.exe news_doc.exe s3msong.exe hamster.exe docs.exe tamagotxi.exe humor.exe searchURL.exe fun.exe
If a network resource is password protected, the worm also tries to obtain write access by logging on with the following credentials:
Login: "guest", "Administrator" Password: "123", "321", "123456", "654321", "administrator", "admin", "111111", "666666", "888888", "abc", "abcdef", "abcdefg", "12345678", "abc123"
If the logon succeeds, the worm creates a remote copy of itself named "stg.exe" and tries to launch it on the remote computer.
Backdoor
Supnot launches a "backdoor" routine that uses the IPC (inter-process communication) technique: it creates a pipe connected to a command processor launched on the victim computer (CMD.EXE in Windows NT/2000/XP or COMMAND.COM in Windows 9x/ME). This allows the worm's "owner" to control the victim computer remotely. The backdoor is launched in three different ways:
as a thread in the worm's process
as a part of the "LSASS.EXE" process (under Windows NT)
as stand-alone DLL files "ily.dll", "Task.dll" and "reg.dll" stored in the Windows system directory
The three methods of executing the backdoor carry the identical payload routine.
Other
While sending e-mail messages, the worm creates a temporary file called "CH0016.TMP" in the Windows temporary directory. The worm also sends a 'notification' e-mail to its "owner" containing the infected computer's name, IP address and current user name. This email contains the following "copyright" string: My I-WORM-and-IPC-20168 running!
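The share-spreading routine described under "Infecting local networks" (a short fixed credential list tried against guest and Administrator, then a copy dropped on success) produces a recognisable pattern in the file server's Security log: a burst of failed network logons from one source, often followed by a success. The following Python is an added detection example, not code from the original page or from any vendor. It runs a per-source sliding window over a constructed, simplified log export; the field names (`IpAddress`, `TargetUserName`, `LogonType`) follow the Windows Security event schema, and event IDs 4625/4624 are the failed/successful logon IDs of Vista and later (the NT-family systems this worm targeted used 529/540, which the same logic handles if you substitute the IDs). `detect_spray` and `SAMPLE_EVENTS` are names chosen here.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, simplified export of Security-log logon events (one per line): timestamp,
# event ID, then key=value fields. 10.0.0.7 hammers the server with the guest and
# Administrator accounts, as the description reports; 10.0.0.9 is a user mistyping twice.
SAMPLE_EVENTS = """\
2003-02-24T10:00:01 4625 LogonType=3 IpAddress=10.0.0.7 TargetUserName=guest
2003-02-24T10:00:02 4625 LogonType=3 IpAddress=10.0.0.7 TargetUserName=guest
2003-02-24T10:00:02 4625 LogonType=3 IpAddress=10.0.0.7 TargetUserName=guest
2003-02-24T10:00:03 4625 LogonType=3 IpAddress=10.0.0.9 TargetUserName=jsmith
2003-02-24T10:00:04 4625 LogonType=3 IpAddress=10.0.0.7 TargetUserName=Administrator
2003-02-24T10:00:05 4625 LogonType=3 IpAddress=10.0.0.7 TargetUserName=Administrator
2003-02-24T10:00:06 4625 LogonType=2 IpAddress=10.0.0.7 TargetUserName=Administrator
2003-02-24T10:00:07 4625 LogonType=3 IpAddress=10.0.0.7 TargetUserName=Administrator
2003-02-24T10:00:08 4625 LogonType=3 IpAddress=10.0.0.7 TargetUserName=Administrator
2003-02-24T10:00:15 4625 LogonType=3 IpAddress=10.0.0.9 TargetUserName=jsmith
2003-02-24T10:00:20 4625 LogonType=3 IpAddress=10.0.0.7 TargetUserName=Administrator
2003-02-24T10:00:21 4624 LogonType=3 IpAddress=10.0.0.7 TargetUserName=Administrator
"""

def parse_event(line: str) -> dict:
    ts, eid, *fields = line.split()
    f = dict(p.split("=", 1) for p in fields)
    return {"time": datetime.fromisoformat(ts), "id": int(eid),
            "logon_type": int(f.get("LogonType", 0)),
            "src": f.get("IpAddress", "-"), "user": f.get("TargetUserName", "-")}

def detect_spray(lines: str, threshold: int = 5, window: timedelta = timedelta(seconds=60)) -> dict:
    """Alert on every source that produces >= threshold failed network logons (type 3)
    inside `window`, and record whether a network logon from that source later succeeded."""
    recent = defaultdict(deque)   # per-source window of recent failures
    alerts = {}
    events = sorted((parse_event(l) for l in lines.splitlines() if l.strip()),
                    key=lambda e: e["time"])
    for ev in events:
        if ev["logon_type"] != 3:          # only network (share) logons matter here
            continue
        src = ev["src"]
        if ev["id"] == 4624:               # success from a source already flagged: the worm got in
            if src in alerts:
                alerts[src]["success_after_burst"] = ev["user"]
            continue
        if ev["id"] != 4625:
            continue
        q = recent[src]
        q.append(ev)
        while ev["time"] - q[0]["time"] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts[src] = {"count": len(q), "first": q[0]["time"], "last": ev["time"],
                           "users": sorted({e["user"] for e in q}),
                           "success_after_burst": alerts.get(src, {}).get("success_after_burst")}
    return alerts

if __name__ == "__main__":
    for src, a in detect_spray(SAMPLE_EVENTS).items():
        print(src, a)
```

A burst that ends in a success is the case to escalate first: per the description, that is the moment a "stg.exe" copy is written and launched on the share host, so the host itself needs to be checked, not only the account.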
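Both worms on this page persist through the same small set of autorun locations: the Run keys listed under Lovelorn's "Installation" and Lovgate's "Installing", the legacy "Run" value under Windows NT\CurrentVersion\Windows, a rundll32 line loading reg.dll, and the hijacked txtfile open command. A practical offline check is to export those keys with `reg export` and audit the .reg file. The following Python is an added example, not code from the original page or from any vendor: a small parser for the REGEDIT5 export format plus rules built only from the values the two descriptions quote. `SAMPLE_REG` is constructed sample data (the "Updater" entry is a benign decoy); `parse_reg`, `check_entry` and `audit` are names chosen here.

```python
import ntpath
import re

# Constructed .reg export in "reg export" format (sample data, not a real system). The worm
# entries reproduce the values listed on this page; the Updater entry is a benign decoy.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="\"C:\\Program Files\\Vendor\\updater.exe\" /background"
"syshelp"="C:\\WINDOWS\\system32\\syshelp.exe"
"WinGate initialize"="C:\\WINDOWS\\system32\\WinGate.exe -remoteshell"
"Module Call initialize"="RUNDLL32.EXE reg.dll ondll_reg"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"Run"="rpcsrv.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"explorer"="C:\\WINDOWS\\system32\\explorer.exe"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="winrpc.exe %1"
'''

# File names the two descriptions list as worm copies (page data).
WORM_FILES = {"rpcsrv.exe", "syshelp.exe", "winrpc.exe", "wingate.exe", "winrpcsrv.exe",
              "kernel32.exe", "serscg.dll", "netdll.dll"}

_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def _unescape(s: str) -> str:
    """Undo .reg string escaping: \\\\ -> \\ and \\" -> "."""
    return re.sub(r'\\(.)', r'\1', s)

def parse_reg(text: str):
    """Yield (key, value_name, data) for every value in a REGEDIT5-format export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := _VALUE_RE.match(line)):
            name = "(Default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])      # REG_SZ; other types are kept raw
            yield key, name, data

def _program(data: str) -> str:
    """Executable part of a command line: the quoted first token, else the first word."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split()[0] if data else ""

def check_entry(key: str, name: str, data: str):
    """Return a reason string if an autorun value matches an indicator from this page, else None."""
    k = key.lower()
    prog = _program(data)
    base = ntpath.basename(prog).lower()
    if base in WORM_FILES:
        return f"file name used by Lovgate/Lovelorn copies: {base}"
    if base == "explorer.exe" and ntpath.dirname(prog).lower().endswith(("system32", "system")):
        return "explorer.exe started from the system directory (the real shell lives in %WinDir%)"
    if base.startswith("rundll32") and "reg.dll" in data.lower():
        return "rundll32 loading reg.dll (Lovgate backdoor DLL)"
    if k.endswith(r"windows nt\currentversion\windows") and name.lower() == "run" and data.strip():
        return "legacy WIN.INI-style Run value present"
    if k.endswith(r"txtfile\shell\open\command") and "notepad" not in data.lower():
        return "text-file handler replaced (Lovgate hooks .txt opening)"
    return None

def audit(text: str):
    """All (key, name, data, reason) findings for a .reg export."""
    return [(key, name, data, reason) for key, name, data in parse_reg(text)
            if (reason := check_entry(key, name, data))]

if __name__ == "__main__":
    for finding in audit(SAMPLE_REG):
        print(*finding, sep=" | ")
```

Name-based rules like these are only as good as the list they carry; the more durable checks in the set are the structural ones (a shell binary launched from the wrong directory, a file-type handler that no longer points at its usual program, anything at all in the legacy NT "Run" value), which hold for variants that pick different file names.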