Worm.P2P.Gotorm
Description

This is a worm virus. It spreads through the peer-to-peer network Kazaa. Additionally, it performs some spying functions, gathering data on certain games installed on the affected PC. This worm is a Windows application (PE EXE-file). It is written in Visual C, and its size is 196 608 bytes.
Installation

During installation the worm produces the following false error message concerning the archive extraction:

Subsequently it writes itself into the Windows directory under the following name:

    mrowyekdc.exe

This installation of the worm is then registered in the auto run key within the system registry:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    SVCHOST = %WindowsDir%\mrowyekdc.exe
Spreading

The worm creates a folder named "User Files" in the Windows directory and writes itself into it under the following names:

    Starcraft + Broodwar 1.10 map hack.exe
    Starcraft + Broodwar 1.10 no-cd hack.exe
    Diablo 2 map hack.exe
    Diablo 2 no-cd hack.exe
    Jamella's Diablo 2 hero editor.exe
    Warcraft 3 map hack.exe
    Warcraft 3 stat hack.exe
    Warcraft 3 no-cd hack.exe
    Warcraft 3 Frozen Throne map hack.exe
    Warcraft 3 Frozen Throne cd-cd hack.exe
    The Frozen Throne map hack.exe
    Counterstrike hacks.exe
    Counterstrike aim hack.exe

This folder is then noted in the Windows system registry as Local Content for the file exchange network Kazaa:

    HKCU\Software\Kazaa\LocalContent
    dir0 = 012345:%Windir%\User Files
    DisableSharing = "0"

As a result, the files contained in this folder become available for download to other users of P2P networks.
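The registry traces listed under Installation and Spreading can be checked offline against a registry export. The following is an added example, not part of the original description: it parses .reg export text and reports the autorun value and the Kazaa shared-folder value named above. The function names, the expanded Windows directory C:\WINDOWS and the sample export are assumptions made for illustration.

```python
import re
from ntpath import basename, join, normcase

# Indicators from the description above; hive names are written out in
# full, as they appear in a .reg export.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
KAZAA_KEY = r"HKEY_CURRENT_USER\Software\Kazaa\LocalContent"
WORM_FILE = "mrowyekdc.exe"
SHARE_DIR = "User Files"
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

def parse_reg_export(text):
    """Yield (key, value name, data) for each string value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            # String data in .reg files escapes backslashes and quotes.
            yield key, m["name"], re.sub(r"\\(.)", r"\1", m["data"])

def find_gotorm_traces(text, windir=r"C:\WINDOWS"):
    """Return (kind, value name, path) for each registry trace of the worm."""
    share = normcase(join(windir, SHARE_DIR))
    hits = []
    for key, name, data in parse_reg_export(text):
        if key.lower() == RUN_KEY.lower():
            if name.upper() == "SVCHOST" and basename(data).lower() == WORM_FILE:
                hits.append(("autorun", name, data))
        elif key.lower() == KAZAA_KEY.lower() and name.lower().startswith("dir"):
            # Assumed layout of dirN data: "<prefix>:<path>".
            path = data.partition(":")[2]
            if normcase(path.rstrip("\\")) == share:
                hits.append(("kazaa-share", name, path))
    return hits

# Constructed sample export (not taken from a real machine).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SVCHOST"="C:\\WINDOWS\\mrowyekdc.exe"
"Updater"="C:\\Program Files\\Vendor\\update.exe"

[HKEY_CURRENT_USER\Software\Kazaa\LocalContent]
"dir0"="012345:C:\\WINDOWS\\User Files"
"dir1"="012345:C:\\My Shared Folder"
"DisableSharing"="0"
'''
```

Calling find_gotorm_traces(SAMPLE_EXPORT) reports the SVCHOST autorun value and the dir0 share; the Updater and dir1 values are left alone.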
Spy function

The worm checks the system registry for keys relating to popular computer games (Counter Strike, Diablo, Warcraft, Starcraft) and sends gathered data to the worm's "owner" using an SMTP-server connection.
Miscellaneous

The worm checks the system's date and time. If the month of the worm's activation is earlier than August, it ceases performing its functions and deletes all its entries in the system registry.
DAN.WMA.451
Description

It is a dangerous memory-resident multipartite virus. When an infected file is executed, the virus infects the MBR of the hard drive and returns to DOS. The virus stays memory resident when the system is loaded from an infected disk (the virus also infects the MBR when the system is loaded from an infected floppy). The virus hooks INT 13h, waits for DOS to load, then hooks INT 21h and writes itself to the end of COM files that are executed. When floppy disks are accessed, the virus overwrites the boot sector. The virus has bugs and can halt the system while infecting a floppy disk. The virus contains the text string:

    wma
Danny.872
Description

It is a non-dangerous memory-resident parasitic virus. It hooks INT 8, 21h and writes itself to the end of .COM files (except COMMAND.COM) that are executed. If the system date's year is less than 1992, the virus decrypts and displays the following message and then halts the computer:

    Invalid date. System halted.

On October 17th the virus, depending on its internal counter, decrypts and displays the message:

    Today is Danny's birthday! She is now ?? years old. Press any key

where '??' is a number: current year minus 1973. The virus also contains the text strings:

    [Uni}amp] virus 1992 command.com