Worm.P2P.Kazmor.a
Description Worm.P2P.Kazmor.a
Kazmor is a P2P (peer-to-peer) and network worm with backdoor abilities. The worm itself is a Windows PE EXE file written in Delphi. The worm's size varies by version, but it is typically about 52KB or 56KB when compressed by the TeLock utility (the decompressed size is about 80-90KB). This worm is very closely related to another worm, Worm.Win32.Apart.

Installing

While installing, the Kazmor worm copies itself to the Windows system directory under one of these names:

"Kazmor.a": Windows.exe
"Kazmor.b": KERNEL32.VMM

It then sets the "hidden" attribute for this file and registers it in the system registry auto-run key:

"Kazmor.a": HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  Windows = %WindowsDir%\Windows.exe
"Kazmor.b": HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  Windows Kernel = %WindowsDir%\KERNEL32.VMM

The Kazmor.a worm also hides itself in the system. It installs its own 'hooks' on the Win32 API FindProcess/Modules functions and "skips" its own process on these calls. Thus the worm's process is not visible in the active tasks list.

The Kazmor.b worm also creates the HKCR\.vmm key, which is associated with the "exefile" file type. Thus '.VMM' files are executed like ordinary '.EXE' files.

Spreading

At the request of the worm's master (see "Backdoor" below), the worm spreads over a local network or infects P2P shared folders.

Local network infection: the Kazmor worm opens network drives that are available for full access and copies itself to the \WINDOWS\Start Menu\Programs\StartUp directory under the name "REAL PLAYER.EXE".
P2P folders infection: Kazmor copies itself to the Kazaa and Morpheus folders under a large number of different '.exe' file names.

Backdoor

The backdoor routine allows a remote master to perform the following actions on victim computers:

- send out detailed computer information: driver descriptions, local date and time, default language, computer name, CPU speed and number of processors, RAM size, Windows version, etc.
- steal cached passwords, the MSN account login and password, as well as .NET Messenger information

Kazmor also performs the following routines. It:

- spreads over local networks and to P2P networks
- receives files or downloads files from a Web site
- executes a file
- performs DoS attacks on remote computers
- pings a remote computer
- scans ports and IP addresses
- redirects PC ports
- sends spam messages through AOL Instant Messenger and to a mIRC channel

Other

The Kazmor worm contains the copyright text string:

Apartheid v.1.7 alpha copy. "50 Years later, you've still got an agenda, for world domination, but you better think again" - Vaginal Jesus.
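
A check for the persistence described under "Installing", as an added example that is not part of the original description: it scans a registry export for the Run-key targets named above and, generalizing beyond the '.vmm' case, for any extension other than '.exe' mapped to "exefile". The sample export and the function names are constructed for illustration.

```python
import re
from ntpath import basename

# Indicators taken from the description above (key path and dropped file names).
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
WORM_FILES = {"windows.exe": "Kazmor.a", "kernel32.vmm": "Kazmor.b"}

# Constructed sample in .reg export format (not taken from a real infected host).
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Windows Kernel"="C:\\WINDOWS\\KERNEL32.VMM"

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\.vmm]
@="exefile"
'''

def parse_reg(text):
    """Return {lowercased key path: {value name: string data}}; '' is the default value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'^(@|"(?:[^"\\]|\\.)*")="(.*)"$', line)
            if m:
                name = "" if m.group(1) == "@" else m.group(1)[1:-1]
                current[name] = m.group(2).replace("\\\\", "\\")  # undo .reg escaping
    return keys

def find_kazmor_traces(text):
    """List (kind, name, data, variant) tuples for suspicious entries in the export."""
    findings = []
    keys = parse_reg(text)
    for name, data in keys.get(RUN_KEY, {}).items():
        variant = WORM_FILES.get(basename(data.strip('"')).lower())
        if variant:  # auto-run target has one of the worm's file names
            findings.append(("run-key", name, data, variant))
    for path, values in keys.items():
        m = re.fullmatch(r"hkey_classes_root\\(\.[^\\]+)", path)
        # Only '.exe' should map to "exefile"; any other extension runs as a program.
        if m and m.group(1) != ".exe" and values.get("", "").lower() == "exefile":
            findings.append(("exefile-hijack", m.group(1), values[""], "Kazmor.b-style"))
    return findings
```

A match on file name alone is a lead to verify on the host, not proof of infection.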
Carriers.6580
Description Carriers.6580
It is a harmless memory resident parasitic polymorphic virus. It hooks INT 21h and writes itself to the end of COM and EXE files (except COMMAND.COM) that are accessed. The virus does not manifest itself in any way. It contains the text strings: [Carriers] [Darkman/29A]
CarryOn.386
Description CarryOn.386
This is a dangerous non-memory-resident parasitic virus. It searches for COM files, then writes itself to the end of the file. Starting from September 22nd, the virus reboots the computer. The virus also contains the text strings: *.com Inch High