Worm.P2P.Tanked.a
Description Worm.P2P.Tanked.a

Tanked is a worm that spreads via the Kazaa file sharing network. The worm has a powerful backdoor routine that connects to an IRC channel and listens for commands from its "master". The worm itself is a Windows PE EXE file about 100KB in length, written in Microsoft Visual C++. The worm is compressed by the UPX file compression utility and then encrypted with the "Krypton" Win EXE file encryptor. When the infected file is run, the installation routine gains control.

Installation

While installing, the worm copies itself to the Windows system directory under different names (see below) and registers the file in two system registry auto-run keys. Worm-copy names are:

"Tanked.11": "system32.exe"
"Tanked.13": "winsys.exe"
"Tanked.14": "cmd32.exe"
The registry keys are:
"Tanked.11":
HKLM\Software\Microsoft\Windows\CurrentVersion\Run SystemSAS = system32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices SystemSAS = system32.exe
"Tanked.13":
HKLM\Software\Microsoft\Windows\CurrentVersion\Run WinSys = winsys.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices WinSys = winsys.exe
"Tanked.14":
HKLM\Software\Microsoft\Windows\CurrentVersion\Run CMD = cmd32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices CMD = cmd32.exe
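A check for the auto-run values listed above, added here as an example and not part of the original description: it parses text in the layout that `reg query` prints and reports a value only when both its name and the file it launches match one of the listed pairs under Run or RunServices. The function names and the sample input are assumptions made for this example.

```python
import ntpath
import re

# Autorun values listed on this page: value name -> (file name, variant).
TANKED = {"systemsas": ("system32.exe", "Tanked.11"),
          "winsys": ("winsys.exe", "Tanked.13"),
          "cmd": ("cmd32.exe", "Tanked.14")}
RUN_KEYS = {r"hklm\software\microsoft\windows\currentversion\run",
            r"hklm\software\microsoft\windows\currentversion\runservices"}
VALUE_RE = re.compile(r"^\s+(.+?)\s{2,}(REG_\w+)\s{2,}(.*)$")

def normalize_key(key):
    """Lower-case the key and shorten HKEY_LOCAL_MACHINE to HKLM."""
    return re.sub(r"^hkey_local_machine", "hklm", key.strip().lower())

def image_name(data):
    """File name of the program in a Run value, without path, quotes or arguments."""
    m = re.match(r'\s*"([^"]*)"|\s*(.*?\.exe\b|\S*)', data, re.IGNORECASE)
    return ntpath.basename(m.group(1) or m.group(2) or "").lower()

def find_tanked_autoruns(reg_query_text):
    """Return (variant, key, value name, data) for each value matching the page's list."""
    hits, key = [], ""
    for line in reg_query_text.splitlines():
        if line and not line[0].isspace():
            key = line.strip()          # unindented line starts a new key
            continue
        m = VALUE_RE.match(line)
        if not m or normalize_key(key) not in RUN_KEYS:
            continue
        name, _type, data = m.groups()
        expected = TANKED.get(name.lower())
        if expected and image_name(data) == expected[0]:
            hits.append((expected[1], key, name, data))
    return hits

# Constructed sample in the layout `reg query` prints; not taken from a real host.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    CMD    REG_SZ    cmd.exe /c logon.bat
    WinSys    REG_SZ    C:\WINDOWS\SYSTEM\winsys.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    WinSys    REG_SZ    winsys.exe
HKEY_LOCAL_MACHINE\Software\Vendor\App
    SystemSAS    REG_SZ    system32.exe
"""

if __name__ == "__main__":
    print(find_tanked_autoruns(SAMPLE))
```

Matching on the name and file pair keeps an unrelated value that happens to be called CMD, or a listed name under a key that is not an auto-run key, out of the results.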
Spreading

The worm copies itself to the Kazaa directory with the following names:

'Battlefield1942_bloodpatch.exe'
'Unreal2_bloodpatch.exe'
'UT2003_bloodpatch.exe'
'AquaNox2 Crack.exe'
'NBA2003_crack.exe'
'FIFA2003 crack.exe'
'C&C Generals_crack.exe'
'UT2003_keygen.exe'
'UT2003_no cd (crack).exe'
'Age of Empires 2 crack.exe'
'Anno 1503_crack.exe'
'C&C Renegade_crack.exe'
'Diablo 2 Crack.exe'
'Gothic 2 licence.exe'
'GTA 3 Crack.exe'
'GTA 3 patch (no cd).exe'
'Hitman_2_no_cd_crack.exe'
'Mafia_crack.exe'
'Neverwinter_Nights_licence.exe'
'NHL 2003 crack.exe'
'WarCraft_3_crack.exe'
'Splinter_Cell_Crack.exe'
'Battlefield1942_keygen.exe'
'Winamp 3.8.exe'
'MediaPlayer Update.exe'
'UT2003_patch.exe'
'ACDSee 5.5.exe'
'DivX Video Bundle 6.5.exe'
'Global DiVX Player 3.0.exe'
'QuickTime_Pro_Crack.exe'
'KaZaA Lite (New).exe'
'iMesh 3.7b (beta).exe'
'iMesh 3.6.exe'
'KaZaA Hack 2.5.0.exe'
'DirectDVD 5.0.exe'
'Flash MX crack (trial).exe'
'Ad-aware 6.5.exe'
'WinZip 9.0b.exe'
'SmartFTP 2.0.0.exe'
'ICQ Lite (new).exe'
'ICQ Pro 2003b (new beta).exe'
'ICQ Pro 2003a.exe'
'AOL Instant Messenger.exe'
'Download Accelerator Plus 6.1.exe'
'Trillian 0.85 (free).exe'
'MSN Messenger 5.2.exe'
'Network Cable e ADSL Speed 2.0.5.exe'
'mIRC 6.40.exe'
'GetRight 5.0a.exe'
'Pop-Up Stopper 3.5.exe'
'Yahoo Messenger 6.0.exe'
'KaZaA Speedup 3.6.exe'
'Nero Burning ROM crack.exe'
'WindowBlinds 4.0.exe'
'Animated Screen 7.0b.exe'
'Living Waterfalls 1.3.exe'
'Matrix Screensaver 1.5.exe'
'Popup Defender 6.5.exe'
'Space Invaders 1978.exe'
'SmartRipper v2.7.exe'
'TweakAll 3.8.exe'
'DVD Copy Plus v5.0.exe'
'Serials 2003 v.8.0 Full.exe'
'Zelda Classic 2.00.exe'
'Need 4 Speed crack.exe'
'Links 2003 Golf game (crack).exe'
'Netfast 1.8.exe'
'Guitar Chords Library 5.5.exe'
'DVD Region-Free 2.3.exe'
'Cool Edit Pro v2.55.exe'
'Coffee Cup Free HTML 7.0b.exe'
'Clone CD 5.0.0.3.exe'
'Clone CD 5.0.0.3 (crack).exe'
'Nimo CodecPack (new) 8.0.exe'
'Business Card Designer Plus 7.9.exe'
'Steinberg_WaveLab_5_crack.exe'
'Hot Babes XXX Screen Saver.exe'
'FreeRAM XP Pro 1.9.exe'
'IrfanView 4.5.exe'
'Audiograbber 2.05.exe'
'WinOnCD 4 PE_crack.exe'
'Final Fantasy VII XP Patch 1.5.exe'
'BabeFest 2003 ScreenSaver 1.5.exe'
'PalTalk 5.01b.exe'
'DirectX Buster (all versions).exe'
'DirectX InfoTool.exe'
'Unreal2_crack.exe'
'FlashGet 1.5.exe'
'Babylon 3.50b reg_crack.exe'
'mp3Trim PRO 2.5.exe'
Other

'Tanked' has "copyright" text strings:
"Tanked.11":
T~Drone.11 t69 [sd]v0.5b TankEd.11 [sd]v0.5b TankEd.11 by [sd]
"Tanked.13":
T~Drone.13 t69 [sd]v0.5b TankEd.13 [sd]v0.5b TankEd.13 by [sd]
"Tanked.14":
T~Drone.14 t69 [sd]v0.5b TankEd.14 [sd]v0.5b TankEd.14 by [sd]
Leonardo.2085
Description Leonardo.2085
It is a dangerous memory-resident encrypted parasitic virus. It hooks INT 21h and writes itself to the end of COM files that are executed. The virus deletes the anti-virus databases: ANTI-VIR.DAT, FINGERP.VVF, FILES.VVL, CHKLIST.MS, *.CRC. Depending on the system time, the virus displays the message:

This is Leonardo - another virus Ninja Turtle Press any keyall.

The virus also contains the text:

Origin :Slovakia (not Hungaria or Austria)
Leproso.1221
Description Leproso.1221
It is a dangerous memory-resident encrypted parasitic virus. It hooks INT 21h and writes itself to the beginning of .COM files (except COMMAND.COM) that are executed or opened. While infecting, the virus creates a temporary file. Depending on the system date, it displays the following message and then halts the PC:

Felicitaciones su máquina esta infectada por el virus LEPROSO creado por J.P.G., hoy es mi cumpleaños y lo voy a festejar formateando su rígido!!! Byeall(Vamos Ñull que con Diego somos campeones) CopyRight (C) 1993 hasta 2000, J.P.G., Rosario, Argentina

The virus also contains the text strings:

Diego_es.NOB MOC.DNAMMOC