Virus Database


Worm.Sadmind

Description Worm.Sadmind

Text written by Costin Raiu, Kaspersky Labs, Romania
This is an Internet worm that replicates between Sun SPARC computers running the Solaris/SunOS operating system and attacks Microsoft IIS 4.0 and 5.0 Web servers. Compromised IIS servers have their start page replaced with one that looks like the following:

The worm was apparently written by someone with strong pro-Chinese views: "PoizonBOx" is a group of hackers that attacks and defaces US Web sites over the Internet.
Technical

To replicate, the worm exploits an old vulnerability in the "/usr/sbin/sadmind" system administration daemon (a remotely exploitable buffer overflow reachable over RPC that yields root). Sun Microsystems issued an alert about this vulnerability about two years earlier; for details see:
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/191&type=0&nav=sec.sba
The worm generates random address blocks of the form "a.b" (an a.b.0.0/16 range) and then tries every remaining combination, e.g. a.b.0.1, a.b.0.2, ..., a.b.253.1, a.b.253.2, ..., a.b.254.254, a.b.254.255. Each address is tested for a running "portmap" (RPC portmapper) service listening on port 111.
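Network-side detection of the sweep just described, added here as an example and not part of the original description: it parses iptables-style firewall log lines (the log format and every address below are constructed for the example) and reports sources that touched many distinct hosts on port 111 inside a single a.b.0.0/16 block, which is the worm's scanning signature.

```python
import re
import ipaddress
from collections import defaultdict

# Added example: flag sources sweeping the portmapper port across one /16.
# Log format (SRC=/DST=/PROTO=/DPT= fields) and all addresses are assumptions.

PORTMAP_PORT = 111
_FIELD = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+) DPT=(\d+)")

def parse_flows(log_text):
    """Yield (src, dst, proto, dport) for every line carrying SRC/DST/PROTO/DPT fields."""
    for line in log_text.splitlines():
        m = _FIELD.search(line)
        if m:
            yield m.group(1), m.group(2), m.group(3), int(m.group(4))

def portmap_sweeps(log_text, min_hosts=20):
    """Return {src: sorted /16 blocks} for sources that probed at least
    min_hosts distinct addresses on TCP/111 within the same a.b.0.0/16 block."""
    targets = defaultdict(set)            # (src, /16 block) -> distinct dst hosts
    for src, dst, proto, dport in parse_flows(log_text):
        if proto != "TCP" or dport != PORTMAP_PORT:
            continue
        block = ipaddress.ip_network(f"{dst}/16", strict=False)
        targets[(src, block)].add(dst)
    hits = defaultdict(list)
    for (src, block), hosts in targets.items():
        if len(hosts) >= min_hosts:
            hits[src].append(str(block))
    return {src: sorted(blocks) for src, blocks in hits.items()}

def _line(src, dst, dport):
    # Constructed log line in the style of the Linux netfilter LOG target.
    return f"May  8 10:00:01 fw kernel: IN=eth0 SRC={src} DST={dst} PROTO=TCP DPT={dport}"

# Constructed sample: 192.0.2.7 walks 10.20.0.1.., 10.20.1.1.. the way the worm
# does (50 hosts in one /16); 192.0.2.9 makes three legitimate portmap lookups
# and one SSH connection.
SAMPLE_LOG = "\n".join(
    [_line("192.0.2.7", f"10.20.{third}.{fourth}", 111)
     for third in (0, 1) for fourth in range(1, 26)]
    + [_line("192.0.2.9", f"10.20.5.{n}", 111) for n in (10, 11, 12)]
    + [_line("192.0.2.9", "10.20.5.10", 22)]
)

if __name__ == "__main__":
    print(portmap_sweeps(SAMPLE_LOG))   # {'192.0.2.7': ['10.20.0.0/16']}
```

The threshold is deliberately low (20 hosts) because a legitimate client rarely contacts more than a handful of portmappers; raise it for networks that run RPC-heavy monitoring.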
Whenever such a system is found, the worm checks whether it is also running the "sadmind" remote administration service and, if so, attempts to exploit it. On success, the worm installs a root shell on port 600 of the remote machine, creates a ".rhosts" file in root's home directory containing "+ +" (which trusts every user from every host for rlogin/rsh and the other r-commands, effectively disabling their authentication), copies itself to the target system in the "/dev/cuc" directory, modifies the start-up files so the worm is launched each time the system boots, and finally runs the worm code itself.
The worm code on the compromised machine creates a directory named "/dev/cub" that is used to store the worm's logs and inter-process communication files, downloads a copy of Perl 5.005 from a Chinese FTP site ("bak-px.online.sh.cn") and installs it (parts of the worm are written in Perl), then attempts to propagate further and to attack random IIS servers over the Internet. The IIS attack routine exploits the vulnerability described in Microsoft Security Bulletin MS01-023:
http://www.microsoft.com/technet/security/bulletin/MS01-023.asp
Using this bug, the worm overwrites the index page of the server with one containing the message mentioned above (see the picture).
After infecting 2000 IIS servers, the worm also replaces all local "index.html" files on the Solaris system with one that looks the same as the page planted on the IIS servers.
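A host-side check for the indicators listed above, added here as an example and not part of the original description or of the worm's code: the two directories, the "+ +" entry in root's .rhosts, the listener on port 600, and start-up scripts that reference /dev/cuc. The snapshot layout, the Solaris-style netstat lines and the file names inside the worm directories are constructed for the example.

```python
import re

# Added example: host-side check for the sadmind worm indicators. Directory
# names, the port number and the ".rhosts" content come from the description;
# the snapshot layout, the netstat lines and the file names under the worm
# directories are assumptions made for this example.

WORM_DIRS = ("/dev/cuc", "/dev/cub")   # worm code; logs and IPC files
ROOT_SHELL_PORT = 600                  # root shell bound after a successful exploit

# Solaris "netstat -an" TCP lines: local address is host.port (e.g. "*.600"),
# then the remote address, four counters and the state.
_LISTEN_RE = re.compile(r"^\s*(\S+)\.(\d+)\s+\S+\s+(?:\d+\s+){4}LISTEN\s*$")

def rhosts_is_wide_open(rhosts_text):
    """True if any .rhosts line is '+ +', which trusts every user on every host."""
    return any(line.split()[:2] == ["+", "+"] for line in rhosts_text.splitlines())

def listening_ports(netstat_text):
    """Set of TCP ports in LISTEN state, parsed from Solaris-style netstat -an output."""
    return {int(m.group(2)) for m in map(_LISTEN_RE.match, netstat_text.splitlines()) if m}

def sadmind_indicators(snapshot):
    """Return the worm indicators found in a host snapshot.

    Assumed snapshot layout:
      "paths":   set of existing filesystem paths
      "rhosts":  contents of /.rhosts ("" if the file is absent)
      "netstat": text of `netstat -an`
      "rc":      {start-up script path: contents}
    """
    findings = []
    for d in WORM_DIRS:
        if d in snapshot["paths"]:
            findings.append(f"worm directory present: {d}")
    if rhosts_is_wide_open(snapshot["rhosts"]):
        findings.append("/.rhosts contains '+ +' (rlogin/rsh trust for anyone)")
    if ROOT_SHELL_PORT in listening_ports(snapshot["netstat"]):
        findings.append(f"listener on TCP port {ROOT_SHELL_PORT} (worm root shell)")
    for path, text in snapshot["rc"].items():
        if "/dev/cuc" in text:
            findings.append(f"start-up script {path} references /dev/cuc")
    return findings

# Constructed snapshot of a compromised host (sample data, not from a real
# system; the file names under /dev/cuc and /dev/cub are made up).
INFECTED = {
    "paths": {"/dev/cuc", "/dev/cuc/worm.sh", "/dev/cub", "/dev/cub/scan.log"},
    "rhosts": "+ +\n",
    "netstat": (
        "      *.111                *.*                0      0 49152      0 LISTEN\n"
        "      *.600                *.*                0      0 49152      0 LISTEN\n"
        "      *.22                 *.*                0      0 49152      0 LISTEN\n"
    ),
    "rc": {"/etc/rc2.d/S99local": "#!/sbin/sh\n/dev/cuc/worm.sh &\n"},
}

# Constructed snapshot of a clean host that only runs the portmapper.
CLEAN = {
    "paths": {"/dev/null", "/usr/sbin/sadmind"},
    "rhosts": "trusted.example.com root\n",
    "netstat": "      *.111                *.*                0      0 49152      0 LISTEN\n",
    "rc": {"/etc/rc2.d/S99local": "#!/sbin/sh\n/usr/sbin/rpcbind &\n"},
}

if __name__ == "__main__":
    for name, snap in (("infected", INFECTED), ("clean", CLEAN)):
        print(name, sadmind_indicators(snap))
```

A clean host will normally show the portmapper on 111 and sadmind registered with it; that alone is not an indicator, the backdoor on 600 and the "+ +" trust entry are.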
Worm.SadMind.b
Version "Worm.SadMind.b" is functionally identical to version .a, except for a couple of executable utilities that appear to have been recompiled.
Worm.SadMind.c
Version "Worm.SadMind.c" differs from the other versions only in the "index.html" file used to overwrite local "index.html" files on Solaris systems after 2000 IIS servers have been compromised. IIS servers compromised by this version look the same as those hit by versions .a and .b.


Macro.Word.Jaja

Description Macro.Word.Jaja

This is an encrypted macro virus. It contains 10 macros:
AutoOpen, FileOpen, FileSaveAs, FilePrint, ToolsMacro, FileTemplates,
FormatStyle, ViewToolbars, ToolsCustomize, VictorWidjaja

When an infected document is opened (AutoOpen), the virus infects the global macro area (NORMAL.DOT). It then writes itself to documents that are opened (FileOpen) or saved under a new name (FileSaveAs). ToolsMacro and FileTemplates are the stealth macros: they disable the corresponding Word menu commands, so the user cannot inspect or remove the macros.
When a document is printed (FilePrint), the virus erases the document's contents and inserts the message:
+------------------------------------------------------------+
|              Welcome to Victor Widjaja Virus               |
| Your computer has been totally infected by ''Victor Widja  |
| ja'' WordMacro Virus                                       |
|                   Don't go anywhere !!!                    |
|       I'll be back soon to DESTROY your disk data !!       |
|            Copyright 1996 Virus Research Labs.             |
+------------------------------------------------------------+

The virus then prints this message on the status line:
[ Welcome to Victor Widjaja `WordMacro' Virus - Programmed & Created
by Victor Widjaja the HACKER - Virus Research Labolatory ]

On November 1st the virus prints the same message, then displays the MessageBox:
Attention
Victor Widjaja lives in your PC now

The virus then reads the system clock and, if the current seconds value is 1 or 11, runs the disk-erasing command:
Format C: /U /C /S /AUTOTEST > NUL
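A triage routine for the macro behaviours described above, added here as an example that is not part of the original description and not the virus's code: it classifies macros by name (auto-executing entry points, hijacked file commands used to spread, the stealth hooks named above) and scans their bodies for macro-copying and for shell commands that destroy data. The macro bodies below are constructed, simplified WordBasic-style stubs written for the example, and the grouping of FormatStyle, ViewToolbars and ToolsCustomize with the stealth hooks is an assumption.

```python
import re

# Added example: heuristic triage of Word macros. Macro names come from the
# description; the macro bodies in SUSPECT and BENIGN are constructed.

AUTO_EXEC = {"AutoOpen", "AutoClose", "AutoExec", "AutoNew", "AutoExit"}
# Built-in commands that, once redefined, run on open / save-as / print.
SPREAD_HOOKS = {"FileOpen", "FileSaveAs", "FilePrint"}
# The two stealth hooks named in the description.
STEALTH_HOOKS = {"ToolsMacro", "FileTemplates"}
# Other menu commands the virus redefines; treated as stealth too (assumption).
OTHER_HOOKS = {"FormatStyle", "ViewToolbars", "ToolsCustomize"}

REPLICATION = re.compile(r"\bMacroCopy\b", re.I)        # WordBasic macro copy statement
SHELL_CALL = re.compile(r'\bShell\s+"([^"]*)"', re.I)     # Shell "command", window style
DESTRUCTIVE = re.compile(r"\b(format\s+[a-z]:|deltree|del\s+\S*\*)", re.I)

def triage_macros(macros):
    """Classify a {macro name: source} map; return findings plus a verdict."""
    report = {"auto_exec": [], "spread_hooks": [], "stealth_hooks": [],
              "replication": [], "shell": [], "destructive": []}
    for name, source in macros.items():
        if name in AUTO_EXEC:
            report["auto_exec"].append(name)
        if name in SPREAD_HOOKS:
            report["spread_hooks"].append(name)
        if name in STEALTH_HOOKS or name in OTHER_HOOKS:
            report["stealth_hooks"].append(name)
        if REPLICATION.search(source):
            report["replication"].append(name)
        for m in SHELL_CALL.finditer(source):
            cmd = m.group(1)
            report["shell"].append((name, cmd))
            if DESTRUCTIVE.search(cmd):
                report["destructive"].append((name, cmd))
    # A destructive payload, or self-copying tied to an execution trigger, is malicious;
    # a bare trigger, hidden menu or external command is only suspicious on its own.
    if report["destructive"] or (
        report["replication"] and (report["auto_exec"] or report["spread_hooks"])
    ):
        verdict = "malicious"
    elif report["stealth_hooks"] or report["shell"] or report["auto_exec"]:
        verdict = "suspicious"
    else:
        verdict = "clean"
    report["verdict"] = verdict
    return report

# Constructed macro set modelled on the description (not the real macro source).
SUSPECT = {
    "AutoOpen": 'Sub MAIN\n\tMacroCopy "AutoOpen", "Global:AutoOpen"\nEnd Sub',
    "FileSaveAs": 'Sub MAIN\n\tMacroCopy "Global:AutoOpen", "Doc:AutoOpen"\n\tFileSaveAs\nEnd Sub',
    "ToolsMacro": "Sub MAIN\n\t' swallow the command so the macro list cannot be opened\nEnd Sub",
    "FilePrint": 'Sub MAIN\n\tShell "Format C: /U /C /S /AUTOTEST > NUL", 0\nEnd Sub',
}

# Constructed benign template: an AutoOpen greeting and a date helper.
BENIGN = {
    "AutoOpen": 'Sub MAIN\n\tMsgBox "Document loaded"\nEnd Sub',
    "InsertDate": "Sub MAIN\n\tInsert Date$()\nEnd Sub",
}

if __name__ == "__main__":
    for label, macros in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, triage_macros(macros)["verdict"])
```

Name-based rules alone would miss a virus that uses non-standard names, which is why the body scan for MacroCopy and Shell is kept separate from the name lists.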

Macro.Word.Jakutsk

Description Macro.Word.Jakutsk

This is a harmless macro virus (it carries no destructive payload). It contains two macros that are named differently in infected documents and in NORMAL.DOT:

  Documents     NORMAL.DOT
  CopySaveAs    FileSaveAs
  AutoOpen      CopyOpen

The virus infects the system when an infected document is opened and writes itself to documents that are saved under a new name (FileSaveAs). The virus contains the following commented string:
/////////////////////////////////
/Made in Jakutsk by me /
/That's engoy to prove my power /
/Say by to you files /
/ :) /
/////////////////////////////////

    Copyright © 2005 Virus-Database.com