Worm.Netres.a
Description Worm.Netres.a
Netres is a dangerous worm that functions only under Win32 systems. The worm spreads over local networks and copies itself to shared network drives. Some versions of the worm also copy themselves to subdirectories on the local drive and to floppy disks in the A: drive. There are at least ten different known versions of Netres. They are all Windows PE EXE files of about 380-400Kb in size (depending on the specific worm version) and written in Delphi.

Netres copies itself under different randomly selected names. Some of them have many spaces before the ".exe" extension, and most of the names are in Russian:

AntiVP.exe
NetCheck.exe
Free pics.htm.exe
Посмотри это.jpg.exe
То что обещала.xls.exe
Всегда твоя.doc.exe
Игрушка.exe
Не запускать!!!.exe
Просто красивая картинка.jpg.exe
Мусор.doc.exe
С любовью.jpg.exe

Other names are also used that are randomly constructed from three parts - Name1 + Ext1 + ".exe":

Name1: document, Doom, Heretic, hot pics, track01, Delphi, C++, Pascal, Parus, 1SB-Win, Любимой, обещанное, секрет, киска, Документ, Карта
Ext1: .exe, .jpg, .bat, .xls, .doc, .log, .txt, .mp3, .wav

for example:

C++.exe.exe
C++.jpg .exe
Doom.doc .exe
Heretic.mp3 .exe
Parus.exe .exe
Pascal.txt .exe
track01.log .exe
Документ.log .exe
Любимой.doc .exe
секрет.log .exe
секрет.mp3 .exe

Netres moves all files from the Windows SYSTEM directory to a new "restop" directory:

c:\windows\system\*.* -> c:\windows\restop

The worm also creates a log file and writes a report of its actions to it. The name of the log file depends on the specific worm version. Possible names are:

C:\v1.log
C:\v3.log
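The naming scheme described above for Netres copies (a decoy extension, optional padding spaces, then ".exe") can be checked for when reviewing file listings from shared drives. The Python code below is an added example, not part of the original description; the function names and the sample listing are constructed for illustration, and ".htm" is included only because of the fixed name "Free pics.htm.exe".

```python
import re

# Ext1 values from the description, plus ".htm" from the fixed name "Free pics.htm.exe".
DECOY_EXTS = {".exe", ".jpg", ".bat", ".xls", ".doc", ".log", ".txt", ".mp3", ".wav", ".htm"}
# Name1 values from the description, lower-cased for comparison.
NAME1 = {"document", "doom", "heretic", "hot pics", "track01", "delphi", "c++", "pascal",
         "parus", "1sb-win", "любимой", "обещанное", "секрет", "киска", "документ", "карта"}

# <stem><decoy extension><optional padding whitespace>.exe
PATTERN = re.compile(r"(?P<stem>.+?)(?P<decoy>\.[A-Za-z0-9]{1,4})(?P<pad>\s*)\.exe",
                     re.IGNORECASE)

def classify(filename):
    """Return details if the name has a decoy extension before a final .exe, else None."""
    m = PATTERN.fullmatch(filename)
    if not m or m.group("decoy").lower() not in DECOY_EXTS:
        return None  # single extension, or an inner suffix that is not a listed decoy
    return {
        "decoy": m.group("decoy").lower(),
        "padding": len(m.group("pad")),  # spaces hiding ".exe" in a narrow column
        "known_name1": m.group("stem").strip().lower() in NAME1,
    }

def scan(listing):
    """Map each suspicious file name in a listing to its classification."""
    return {name: hit for name in listing if (hit := classify(name))}

# Constructed sample listing (not taken from a real share).
SAMPLE = [
    "notepad.exe",                    # ordinary single extension
    "setup.v2.exe",                   # inner ".v2" is not a decoy extension
    "holiday.jpg",                    # real picture, no .exe
    "C++.jpg" + " " * 7 + ".exe",     # Name1 + Ext1 + padded ".exe"
    "секрет.mp3 .exe",
    "Free pics.htm.exe",
    "Budget.XLS.EXE",                 # same trick, different case, unknown stem
]

if __name__ == "__main__":
    for name, hit in scan(SAMPLE).items():
        print(repr(name), hit)
```

Names with a single ".exe" extension, such as AntiVP.exe or NetCheck.exe, are outside what this pattern checks.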
Screen_II.1387
Description Screen_II.1387
This is a very dangerous memory-resident parasitic virus. It hooks INT 10h and INT 21h, and writes itself to the end of EXE files that are executed or opened. Depending on the system date and its counters, the virus "shifts" the screen. It also hooks INT 13h and, starting from the 10th of each month, corrupts some files while writing to them. On the same days, the virus also writes a Trojan program to the end of infected EXE files instead of infecting them. When executed, this program erases the hard drive sectors.
ScreenMixer.1072
Description ScreenMixer.1072
This is a non-dangerous, memory-resident, partly encrypted parasitic virus. It hooks INT 21h and writes itself to the end of COM and EXE files that are executed or accessed by FCB FindFirst/Next DOS calls (the DIR command). Depending on the system timer, the virus mixes the letters on the screen.