Virus Database


Worm.Shorm

Description Worm.Shorm

This is a network worm spreading over local and global networks. To spread, the worm connects to remote computers, and if the disk is shared for full access, the worm copies itself there to the Windows startup directory (if it exists).
The worm also has password stealing ability. It obtains RAS information (user name, phone numbers, passwords), as well as cached passwords, and sends them to two e-mail addresses: krenx@mail.ru and winam@mail.ru.
The worm itself is a Win32 application (PE EXE file) written in Delphi and compressed with the ASPack PE EXE compression utility. The worm body contains the following text:
SharedWorm v1.2
When the worm is run, it copies itself to the Windows system directory using three names: MSTASK.EXE, MSGSRV16.EXE, TAPI32.EXE, and registers these files in the following Registry auto-run keys:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
So, the worm is run each time Windows is restarted.
The worm then connects to the Web page "http://krenx.newmail.ru/ip.txt" and reads its contents. That page contains a list of subnet IP addresses. Each entry has three numbers instead of the four of a full IP address, for example:
194.135.175.
213.24.179.
195.209.191.
213.59.57.
The worm then randomly selects one of these subnet "masks" and tries to connect to each machine in the subnet. If the connection succeeds, the worm tries to access the files on that computer's hard drive, then locates the Windows directory on that computer and copies itself there with the following name:
Start Menu\Programs\StartUp\AVPMonitor.exe
So, the worm copy is placed in the Windows auto-start directory and is activated upon the next Windows restart.
The worm also is able to update itself from an Internet site. It obtains the Internet file "http://krenx.newmail.ru/win.exe", copies it to the local machine and runs it.


BAT.Batalia2

Description BAT.Batalia2

This is a harmless non-memory-resident BAT infector. It searches for BAT files in the current directory, then writes itself to the end of each file. While infecting, it creates temporary files and writes the necessary data to them.
The virus contains the following text:
BATalia2

BAT.Batalia3

Description BAT.Batalia3

This is a harmless non-memory-resident parasitic BAT virus. It searches for BAT files in the current directory, then infects them. While infecting a file, the virus runs the ARJ archiver to pack the necessary files. If there is no ARJ.EXE file in PATH, the virus fails to replicate itself.
The virus contains two parts of code and data. The first part (the header) contains DOS commands:
@echo off
rem YYY
arj x %0 -g""bÑpß >nul
ren p Int
call i
ren Int a.bat
echo on
@call a
@echo off
del i.bat
del a.bat
del BATalia3
The second part (the rest) is an ARJ archive. This archive contains the I.BAT file that is the main virus code and the additional files:
P, BATALIA3
The BATALIA3 file contains several additional batch commands. The P file contains original code of an infected BAT file.
Thus any infected file contains the text strings (DOS commands) and the binary data (ARJ archive).
When executed, the virus runs the ARJ archiver, extracts I.BAT and runs it. This batch file then searches for uninfected BAT files in the current directory and infects them.
While infecting, the virus saves the original BAT file into the ARJ archive (file P) and overwrites it. As a result, the length of a file infected by BAT.Batalia3 may be less than before infection.
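A defensive check for the file layout described above (DOS commands followed by an ARJ archive), as an added example that is not part of the original description: it flags .BAT content that carries a CRC-valid ARJ basic header (header id bytes 0x60 0xEA) and separates files whose text also runs `arj x %0` on themselves. The function names and all sample inputs are constructed for illustration.

```python
import struct
import zlib

ARJ_MAGIC = b"\x60\xea"   # ARJ header id
ARJ_MAX_HEADER = 2600     # largest basic header size the ARJ format allows


def find_arj_header(data: bytes) -> int:
    """Return the offset of the first CRC-valid ARJ basic header, or -1."""
    pos = data.find(ARJ_MAGIC)
    while pos != -1:
        if pos + 4 <= len(data):
            (size,) = struct.unpack_from("<H", data, pos + 2)
            end = pos + 4 + size
            if 0 < size <= ARJ_MAX_HEADER and end + 4 <= len(data):
                (stored,) = struct.unpack_from("<I", data, end)
                # The basic header is followed by its CRC-32 (little-endian).
                if zlib.crc32(data[pos + 4:end]) == stored:
                    return pos
        pos = data.find(ARJ_MAGIC, pos + 1)
    return -1


def classify_bat(data: bytes) -> str:
    """Return 'clean', 'embedded-arj' or 'self-extracting' for .BAT bytes."""
    off = find_arj_header(data)
    if off == -1:
        return "clean"
    # The header listed on this page unpacks the batch file itself: "arj x %0".
    if b"arj x %0" in data[:off].lower():
        return "self-extracting"
    return "embedded-arj"


def constructed_arj_header() -> bytes:
    # Constructed sample: a well-formed basic header only, not a real archive.
    body = bytes([30]) + bytes(29) + b"I.BAT\x00\x00"
    return (ARJ_MAGIC + struct.pack("<H", len(body)) + body
            + struct.pack("<I", zlib.crc32(body)))


# Constructed sample inputs (no real infected files).
SAMPLES = {
    "plain.bat": b"@echo off\r\necho hello\r\n",
    "mentions_arj.bat": b"@echo off\r\narj x %0 backup\r\n",
    "odd_bytes.bat": b"@echo off\r\n\x60\xea\x05\x00abc",
    "carrier.bat": b"@echo off\r\nrem YYY\r\narj x %0 >nul\r\ncall i\r\n"
                   + constructed_arj_header(),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:18} {classify_bat(blob)}")
```

A 'self-extracting' result is a heuristic match on structure, so treat it as a reason to inspect the file rather than as a confirmed identification.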

    Copyright © 2005 Virus-Database.com