Virus Database

WoodGoblin.2413

Description WoodGoblin.2413

It is a very dangerous memory resident polymorphic parasitic virus. It traces and hooks INT 21h, leaves its TSR copy in UMB and then writes itself to the end of EXE files that are accessed by FindFirst/Next ASCII DOS functions. While infecting a file the virus encrypt 10 blocks in the file at random selected offsets. The virus checks the file name and does not infect the files
AI*.EXE, AD*.EXE, WE*.EXE, VD*.EXE, VS*.EXE, MS*.EXE, HI*.EXE, DR*.EXE

While writing to the disk files (INT 21h, AH=40h) the virus depending on the system timer erases random selected disk sector. The virus contains the text strings:
AIADWEVDVSMSHIDR
WG03 Copyright (C) 1995-1996 by WoodGoblin

Check other viruses! Be aware! Use Antiviral Software

I-Worm.Coronex.a

Description I-Worm.Coronex.a

Coronex is a worm virus spreading via the Internet as an attachment to infected emails. The worm also copies itself to the "C:My Downloads" directory that may cause other ways of spreading.
The worm itself is a Windows PE EXE file about 12KB in length and is written in Assembler.
The worm activates (from an infected email message) only when a user clicks on the attached file. If this happens the worm starts its installation and spreading routines.
Installing
While installing the worm copies itself to the Windows directory under the name "corona.exe" registers this file in the system registry auto-run key:
HKLMSoftwareMicrosoftWindowsCurrentVersionRun
PC-Config32 = %WinDir%corona.exe

The installation procedure contains bugs, therefore the worm often is not able to install itself into the system, however, despite this the worm is still able to activate its spreading routines.
Spreading: E-Mail
To send infected messages the worm uses a direct connection to the "ns.execulink.com" SMTP server. To get victim email addresses the worm scans the WAB database (Windows Address Book).
The worm activates its spreading routine once per hour (minute:seconds = 1:1).
Infected messages have different "From", "Subject", and "Message body" fields and "Attachment" file names:
'sars@hotmail.com'
SARS
Severe Acute Respiratory Syndrome
sars.exe

'sars2@hotmail.com'
I need your help
Severe Acute Respiratory Syndrome
corona.exe

'corona@hotmail.com'
Virus Alert!
SARS Virus
virus.exe

'virus@yahoo.com'
Corona Virus
honk kong
hongkong.exe

'deaths@china.com'
bye
deaths virus
deaths.exe

'virus@china.com'
SARS
SEE Ya
sars2.exe

'virus2@china.com'
SARS Virus
SARS Corona Virus
cv.exe

Spreading: MyDownloads
The Coronex worm copies itself to "C:My Downloads" using the following names:
'Cossacks Full Version.exe'
'Battlefield 1942 (full).exe'
'Warcraft III Full.exe'
'Jedi Knight II.exe'
'Quake 3 Full Version.exe'
'Starcraft full.exe'
'Doom 3.exe'
'Tribes 2 (full).exe'
'Rainbow 6 Full.exe'
'Oni full.exe'
'White and Black.exe'
'Return to Castle Wolfenstien (Full).exe'
'Command & Conquer: Generals.exe'
'Black Hawk Down (full).exe'
'The Sims: Unleashed.exe'
'Age Of Mythology.exe'
'Dark Age of Camelot.exe'
'Ultima Online.exe'
'The Lord of the Rings.exe'
'Medel Of Honor: Allied Assault.exe'
'Grand Theft Auto 3 (full).exe'
'Unreal 2: The Awakening (full).exe'
'Unreal.exe'
'Master Of Orion 3.exe'

After copying itself the worm increases its copy file length to several megabytes.
If there is no "C:My Downloads" directory, the Coronex worm copies itself to current directory.
Payload
The initial time the worm is run it displays the following message:

Coronex also sets the Internet Explorer StartPage (defualt page) to the World Health Organization's Web page dedicated to the SARS virus:
http://www.who.int/csr/don/2003_04_19/en

I-Worm.Cosol

Description I-Worm.Cosol

Cosol is a worm virus spreading via the Internet as an email attachment. This worm also has a backdoor and key-spy routines.
The worm itself is a Windows PE EXE file about 355Kb in size (compressed by UPX, its decompressed size is about 675Kb), written in Delphi.
The infected messages have an attached EXE file with a name randomly selected from the following variants:
cosol.exe
mirch.exe
myprog.exe
Anti.exe
projekt2.exe
eb.exe
Vis.exe
msn.exe
Buch.exe
Tach.exe
The message body is also randomly selected from several variants:
Heloo!!!
I send you this program
I think you like it

Hi!,
This is my Cool program
run this program, you mast like

Have do you do!!!
I sent this program, special for you.
Take the atachment and run!!!

Cosa activates from infected emails only when a user clicks on the attached file. The worm then installs itself into the system and runs the spreading, backdoor and key-spy routines. During installation the worm creates the following files in the Windows directory:
DC220.EXE - worm copy
BIOS.EXE - one more worm copy
CSOLP.EXE - worm component
Cosa registers the following files in the system registry auto-run key:
HKLMSoftwareMicrosoftWindowsCurrentVersionRunServices
rundll = %WindowsDir%DC220.exe
HKLMSoftwareMicrosoftWindowsCurrentVersionRunOnce
rundll32 = %WindowsDir%csolp.exe
The worm also creates and runs a decoy program:
Program FilesCommon FilesRASKR.EXE
A subdirectory (subdirs) is created in the Windows directory and is where Cosol writes its temporary files:
syssend
sysmai
sysem
Backdoor
The backdoor routine enables remote operation of an infected computer. It also reports disk and file information, creates, deletes and executes files, sends master files from the infected computer to the "master" comptuer, looks for password files (including WebMoney files) and sends them as well to the "master" computer with remote operation access. Files affected by the backdoor routine:
*.kwm
*.mag
*.pwl
*.pwm
*R³Á??*.txt
*pass*.txt
*? ÁR'³*.txt
*R³ Á??*.exl
*R³Á??*.exl
*pass*.exl
*? ÁR'³*.exl

The key-spy routine logs all keys pressed on the keyboard and sends this information to the "master" computer with remote access.

Home