Virus Database


Win95.Yabran

Description Win95.Yabran

This is a non-dangerous, memory-resident, parasitic Windows virus. It spreads under Windows 95/98 and infects PE EXE files. The virus is not able to spread under Windows NT. In December, on all odd days up to the 23rd (1st, 3rd, 5th, 7th, and so on through the 23rd) and on the 24th, the virus displays the message:
######$$$$ VIRUS YABRAN $$$######
CREIAN QUE ESTABA MUERTO NO???...JAJAJAJA.
^^by SoPinKy. Argentina.^^ FELICES FIESTAS

While installing itself into Windows memory, the virus jumps from the application level to the system level (from Ring3 to Ring0). To do that, the virus processes the system protected-mode descriptor tables, gets the necessary information from them and modifies them. After that the virus runs as a system driver and is able to access low-level system functions such as VxD calls.
The virus then allocates a block of system memory, copies its code there, hooks IFS API calls and returns control to the host program. The virus intercepts only one file function: file opening. On such calls the virus compares the file name extension with "EXE", opens the file, parses its internal structure, appends its code to the end of the last file section and modifies the file header, including the address of the entry point.
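
The infection method described above leaves the entry point inside the last section of the file. The following check for that trait is an added example, not part of the original description; the function names and the header-only sample files are constructed for illustration, and the result is a heuristic that packed or protected files can also trip.

```python
import struct

def entry_point_section(pe):
    """Return (index of the section holding the entry point, section count)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER
    (nsections,) = struct.unpack_from("<H", pe, coff + 2)
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20                                      # optional header
    (entry_rva,) = struct.unpack_from("<I", pe, opt + 16)
    table = opt + opt_size                               # section table
    for i in range(nsections):
        # VirtualSize, VirtualAddress, SizeOfRawData follow the 8-byte name
        vsize, vaddr, rawsize = struct.unpack_from("<III", pe, table + 40 * i + 8)
        if vaddr <= entry_rva < vaddr + max(vsize, rawsize):
            return i, nsections
    return None, nsections

def entry_in_last_section(pe):
    """Heuristic: a multi-section file that starts executing in its last section."""
    idx, count = entry_point_section(pe)
    return count > 1 and idx == count - 1

def build_sample(entry_rva):
    """Constructed header-only PE: .text at RVA 0x1000, .rsrc at RVA 0x2000."""
    def sec(name, vsize, vaddr):
        return name.ljust(8, b"\0") + struct.pack("<III", vsize, vaddr, vsize) + b"\0" * 20
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(0xE0, b"\0")
    return (dos + b"PE\0\0" + coff + opt
            + sec(b".text", 0x1000, 0x1000) + sec(b".rsrc", 0x1000, 0x2000))

CLEAN = build_sample(0x1200)      # entry point inside .text
APPENDED = build_sample(0x2400)   # entry point moved into the last section

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("appended", APPENDED)):
        print(name, entry_point_section(blob), entry_in_last_section(blob))
```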


I-Worm.Beglur.a

Description I-Worm.Beglur.a

This is a worm which spreads via the Internet as an attachment to infected emails. The worm itself is a Windows PE EXE file of approximately 8KB. The file is compressed using UPX and Yoda, and is approximately 27KB when uncompressed. It is written in Visual C++.
Installation
The worm copies itself to the Windows system directory and registers the file in the SYSTEM.INI auto-run key in the [boot] section in the "shell" key:

shell=Explorer.exe bglr32.exe
Distribution via email
Infected messages contain the following text:
From:
Baath
Subject:
For World of Peace!
Message body:

Saddam Hussien has been captured but Osama Bin Laden still have a power and US will never captured this person until somebody captured Bush. God Bless You!!
The attached file is called
BGLR32.EXE
The worm uses the "IFRAME" vulnerability to launch itself from infected messages.

I-Worm.Beglur.b

Description I-Worm.Beglur.b
This is a worm which spreads via the Internet and local networks as an attachment to infected emails. The worm itself is a Windows PE EXE file of approximately 20KB. The file is compressed using UPX and Yoda, and the uncompressed size is approximately 35KB. It is written in Visual C++. The worm has the following 'copyright' text string:
W32.Narita
Infected messages will contain text in the message fields which is randomly selected from the following:
From:
Microsoft support@microsoft.com
Terrorist George W. Bush president@whitehouse.gov
Terrorist Ariel Sharon pm_eng@pmo.gov.il
careless ch@care.net
media
Rumsfeld rumsfeld@pentagon.net
Maybank security@maybank2u.com
condemn fool@first.gov
Bin Laden osama@fbi.gov
BushScare president@white.gov


Subject:
Hi!
Bad news!
Free porn!
Report!
Hack me!
Bussiness
News!
Warning!
hello
Buy 1 Free 2
Need help!
plz!
Re:
great!
you are!
Your resume
Update
Spend Money
Too easy
oh wow
nice job!
High security
Command line
Create own disk
keep the File
Help Section
Unknown Header
Possible Word
My Webs
Protokol
Compress Sample
Sensitive Name
Deliver
System Error
microsoft
installer
personal info
sample music
internet proxy


Message body:
check your attachment now!
(empty)
Hey! It's that what you want! I hope so! Check the file first then reply back if you have problem!
Alex Pravoks
For the truth of love! I have suprise to you! Please baby forgive me!
Ronn Elika
Oh my god! It's that you! Helo! Helo! So, this is gift for christmas day!
Orlian Jieg
Hello friend,
I have a problem here. I have encrypt the file that contain my message problem. The password is 'helpx'. Plz reply back!

A message you have received has been converte to an attachment. I sorry cause that problem.

The name of the attached file is also randomly selected, and will have one of the following extensions: .scr .pif .exe .com .bat
The worm uses the 'IFRAME' vulnerability to launch itself from infected messages.
Installation
The worm copies itself to the Windows system directory under a random name and registers the file in the SYSTEM.INI auto-run key in the [boot] section in the 'shell' key.
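
Both Beglur variants persist through the shell= line in the [boot] section of SYSTEM.INI, so the line can be audited without knowing the random file name Beglur.b picks. The following is an added example, not part of the original description; the function names, the expected-shell assumption and the sample files are constructed for illustration.

```python
import ntpath

EXPECTED_SHELL = "explorer.exe"   # assumption: the stock Windows 9x shell

def boot_shell_value(ini_text):
    """Return the raw shell= value from the [boot] section, or None."""
    # Parsed by hand: SYSTEM.INI repeats keys such as device=, which
    # configparser's default strict mode rejects.
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                                  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if sep and section == "boot" and key.strip().lower() == "shell":
            return value.strip()
    return None

def extra_shell_programs(ini_text):
    """List programs on the shell= line other than the expected shell."""
    value = boot_shell_value(ini_text)
    if value is None:
        return []
    tokens = value.replace(",", " ").split()
    return [t for t in tokens if ntpath.basename(t).lower() != EXPECTED_SHELL]

# Constructed SYSTEM.INI samples (not taken from a real machine).
CLEAN_INI = """[boot]
shell=Explorer.exe
system.drv=system.drv
[386Enh]
device=*vshare
device=*vcd
"""
# Beglur.a value as given on this page.
INFECTED_INI = CLEAN_INI.replace("shell=Explorer.exe",
                                 "shell=Explorer.exe bglr32.exe")
# Beglur.b uses a random name; "qx7rtz.scr" is a made-up stand-in.
RENAMED_INI = CLEAN_INI.replace("shell=Explorer.exe",
                                r"shell=C:\WINDOWS\Explorer.exe qx7rtz.scr")

if __name__ == "__main__":
    for name, text in (("clean", CLEAN_INI), ("beglur.a", INFECTED_INI),
                       ("random name", RENAMED_INI)):
        print(name, extra_shell_programs(text))
```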
Distribution via email
To get victim email addresses the worm scans files with the following extensions: .TXT .MHT .HTM .HTML .EML .JSE .ASP .DBX .MBX .MMF .TBB .NCH .ODS .VCF .WAB
To send infected messages the worm uses a built-in SMTP engine.
Distribution via networks
The worm copies itself to shared network drives and to all logical drives under a random name, or named 'setup' or 'installer', with one of the following extensions: .scr .pif .exe .com .bat
Other
The worm contains a backdoor routine which will allow a hacker to create, delete, rename files and directories, and execute commands on affected machines.
The worm also attempts to terminate several anti-virus and firewall programs.

    Copyright © 2005 Virus-Database.com