Boys.500
Description Boys.500
It is a non-memory-resident, harmless parasitic virus. It infects .COM files in the current directory in the standard way. On infection, the file's attributes are set to READ-ONLY. The virus sets the attribute of some .EXE files to SYSTEM. It contains the text "The good and the bad boy".
I-Worm.Roach.a
Description I-Worm.Roach.a
Analysis: Alexey Podrezov, F-Secure Corp., July 2001

This is a mass-mailer with backdoor capabilities created by the ASM/iKX group. It is one of the first worms that uses the search engine of a Web server to find a victim's e-mail addresses. The worm is disguised as an 'E-fortune cookie generator'. This worm has a few serious bugs that in some cases don't allow it to work even for a short while on an infected system.

The worm itself is a Windows PE EXE file about 29kb long. The code of the worm is encrypted with a simple XOR encryption loop. When started, the worm first obtains API addresses of certain functions from KERNEL32.DLL, WSOCK32.DLL, WININET.DLL, USER32.DLL, MPR.DLL, ADVAPI32.DLL, IMAGEHLP.DLL, and SETUPAPI.DLL. Many of the functions are not used in this worm version, but might be added in the future. Then the worm could gain the ability to spread in Windows networks, infect files, intercept EXE file starting, use multiple IRC servers and so on.

First, the worm checks what file is started. If the file name ends with 'okie' (cookie.exe), the worm generates a random number and shows a messagebox with a text that corresponds to this number (see cookie texts below). This is done to disguise the worm's installation on a system. If the worm is started from a file with a name that ends in 'om32' (dccom32.exe), the worm sets a flag that it is already installed and doesn't show any messageboxes.

The worm then accesses the Windows\System directory and drops a short ZIP archive from inside its body as EGGCASE.ATT. This archive contains only a FILE_ID.DIZ file with the following text:

FortuneCookie 32 - Version 1.0
* FREEWARE *
DESCRIPTION:
FortuneCookie 32 is a Windows 32 version of the classical fortune cookies you can get at some restaurants. It's very simple double clicking on the cookie.exe file will bring up a fortune cookie. This program is freeware so feel free to send out a word of wisdom to your friends!
If the worm fails to drop this archive into the Windows\System directory, it tries to drop it into a temporary folder. After this, the worm looks for EGGCASE*.ATT files and immediately finds the dropped EGGCASE.ATT file. The worm then copies its file as DCCOM32.EXE into the Temp and Windows\System folders and creates a start-up value named 'dcomdriver' for one of the dropped files in the default Run key:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]

Then the worm adds its file as COOKIE.EXE to the ZIP archive (eggcase.att) that it previously dropped. The worm does not use any ZIPping utility; it simply appends its file 'as is' to the end of the archive and then corrects and adds the data necessary to keep the archive valid. This archive will be used by the worm as an attachment to infected messages.

Following this, the worm waits for some time and then verifies the Internet connection state. If there's no connection, the worm waits and tries again. If a valid connection is found, the worm creates 2 additional threads and puts its main thread into an infinite wait loop. The first thread is the worm's spreading thread; the second is a backdoor thread that uses IRC.

When thread 1 is started, it waits for some time, checks the Internet connection state and, if a valid connection is found, creates 3 sockets and resolves the host names of the 'pop.hotpop.com', 'diemen.nl.eu.undernet.org' (IRC server; there's one more server name in the worm's body, but it's never used) and 'wwp.icq.com' (ICQ Personal Communication Center) servers. The worm then reads the settings from Microsoft Internet Account Manager or, if it is not available, from Outlook OMI Account Manager. It obtains information about the default account and tries to connect to the user's SMTP server. If the server is not available, the worm tries to use the 'mail.hotmail.com' server.
If the user's SMTP server is accessible, the worm nevertheless changes it to 'smtp.hotpop.com' and then changes the user's e-mail address to 'fearandwonder@hotpop.com'. These changes are in effect only while the worm is active, as it doesn't modify these settings in the Registry.

Then the worm obtains the Windows registered user name from the Registry. If there's no user name there, the worm generates a random number and selects the name corresponding to this number from its internal table:

dark
evil
lost
cool
kewl
fool
hack
dead
head
bozz

This name will be used in the 'From:' field of the infected e-mails that the worm sends out. Then the worm generates 3 more random numbers and fills in a search form that will be used to search for e-mail addresses on a Web server. The form appears as follows:

POST /scripts/srch.dll HTTP/1.1
User-Agent: Mozilla/4.73 (Windows 95; U) Opera 4.02 [en]
Host: wwp.icq.com
Accept: text/html, image/png, image/jpeg, image/gif, image/x-xbitmap, image/vnd.wap.wbmp;level=0, */*
Accept-Language: en
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Referer: http://www.icq.com/whitepages/search.html
Connection: Keep-Alive
Content-type: application/x-www-form-urlencoded
Content-length: 212

FirstName=&LastName=&NickName=&Email=&AgeRange=0-0&Gender=0&Lang=12&City=&State=&Country=0&Occupation=0&Dept=&Company=&PastInfo=0&PastInfoText=&Interest=0&InterestText=&SubInterest=&Group=0&GroupText=&SEND=Search

Finally the worm connects to the Web server and sends the form there. When it gets a reply, it looks for e-mail addresses and then sends an infected e-mail to these addresses. The worm uses the Microsoft anonymous SMTP server to send e-mails. The worm randomly composes a sender's name from 2 tables and adds '@hotmail.com' to the end.
The first table is shown above; the second table is:

trooper
travler
nemonic
_maniac
_master
_avatar
_jesuzz
riddler
_satan_
lucifer

The subject line of an infected e-mail is 'Subject: Fw:' followed by one of the randomly selected cookie texts (see table below). The recipient info is 'To: '. The worm uses the EGGCASE.ATT archive (with FILE_ID.DIZ and its file COOKIE.EXE) as an attachment. The attachment name is FORTUNE.ZIP and it is sent MIME-encoded. The worm also sends a second attachment, a copy of its own body as a SETUP.EXE file, hoping that a user will run at least one of the attachments. The message body is in HTML format, and it appears as follows (black text on a bright blue background):

SMACK!!!
You have been hit
This is the funny-attachment war! You have just been hit and by the rule book you can't hit this person back. To be in the game you need to send this message to five of your friends, try to find some small and funny attachment to send along. If you don't have time use the one you got hit by, go ahead hit someone!

At the end of the infected e-mail there is a '--nymph--' text.

When thread 2 is started, it generates a nick from 'nymph' plus a random 4-digit number ('nymph1234' for example), connects to the 'diemen.nl.eu.undernet.org' IRC server and sets invisible mode for the user with the generated nick. Then the worm joins the #nymph channel and sends a private message:

[I-Worm-Nymph v.1.1] by Asm/iKX

Then the worm enters the loop that handles incoming IRC messages. The worm responds to 'PING', 'JOIN', 'INVI', 'PRIV' and '319' messages. The worm can join a channel when instructed by join and invite commands, and enters a private chat session on a PRIV command. In the private chat session, the worm has backdoor capabilities. It responds to 3 messages: 'msgx' quits, 'msgi' returns information about the worm version, and 'msgu' uploads and runs a file. When a 'msgu' message is received, the worm creates an additional thread that downloads and runs a specified file on the infected computer. The file is downloaded under a random name into the Temp folder and is activated by the worm.

The worm has the following cookie texts:

it is predictable, but I wouldn't like to predict it myself. - C. Lawson
100,000 lemmings can't be wrong.
A friend in need is a pain in the ass.
A man is as old as he feels. But never as important.
A man is as old as the woman he feels.
Always be sincere - Even when you don't mean it.
Always tell her she's pretty, especially when she isn't.
Anyone who can see through a woman is missing a lot.
Avoid life - It'll kill you in the end.
Do to the other fellow as he would do unto you. But for God's sake do it first!
Experience, the name given by men to their mistakes.
Get stoned - Drink liquid cement.
Happiness can't buy money.
If a woman wants to learn to drive, don't stand in her way.
Join the army, travel the world, meet interesting people and shoot them.
Just because you're paranoid it doesn't mean they aren't out to get you.
Life is a sexually transmitted disease.
Love Thy Neighbour - But don't get caught.
Money can't buy friends but it can buy a better class of enemy. - Spike Milligan.
Never put off till tomorrow what you can avoid altogether.
Racial prejudice is a pigment of the imagination
Smoking - think of it as evolution in action.
Sudden prayers make God jump.
When faced with two evils I like to do the one I've never tried before. - Mae West
Live fast, Die young, Leave a good looking corpse.
A Wise Man can see more from the bottom of a well than a Fool can see from the top of a mountain.
Walk softly but carry a big stick.
TO DO IS TO BE - Socrates%TO BE IS TO DO - Sartre%DO BE DO BE DO - Sinatra
It is better to keep your mouth closed and let people think you are a fool than to open it and remove all doubt. - Samual Clemmens
What you can not avoid, Welcome.
If you can't tie good knotsall tie many.
Anything free is worth what you pay for it.
Two wrongs do not make a right; it usually takes three or more.

The worm also has the following text strings that are never displayed:

[I-Worm.Nymph@MM v.1.1] by Asmodeus iKX
creech, creech... we will infest.
Info - this is a stripped version of W32/Roach, it will pave way for its larger cousin.
Greets : Lifewire/iKX, BillyBel/iKX, StarZero/iKX SimpelSimon, Ultras, Vecna, T-2000, and the rest of the ikx family
I-Worm.Ronoper.a
Description I-Worm.Ronoper.a

Ronoper is a worm virus spreading via the Internet as an attachment to infected e-mails. The worm has a primitive backdoor routine and is able to download and install other trojan files. The worm itself is a Windows PE EXE file about 16KB in length when compressed by UPX; the decompressed size is approx. 50KB. It is written in Delphi.

Infected messages have the following attributes:

Subject: Re:
Body: I Hope you reply me. Thank you very much for reading my msg Bye.
Attach: WinCfg32.exe

The worm is activated from infected e-mails only when a user clicks on the attached file. Once run, the worm installs itself to the system and runs its spreading routine and backdoor.

Installing

During installation the worm copies itself to the Windows directory under the name "WinCfg32.exe" and registers this file in the system registry auto-run key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
WinCfg32 = %WinDir%\WinCfg32.exe

Spreading

Backdoor

The backdoor routine connects to a machine (located somewhere in Turkey) and listens for its "master's" instructions. Such instructions can include:

- reports system information
- reboots machine
- joins "ronop" IRC channel

Other

The 'Ronoper' worm downloads an EXE file from the http://www.kamerali.com site, stores it in the TEMP directory under the name "security.exe" and executes it. By doing this the worm is able to install trojan programs onto infected machines.
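The two descriptions above give message-level indicators a mail gateway can act on: the 'Fw:' subject with FORTUNE.ZIP/SETUP.EXE attachments and the '--nymph--' trailer for Roach, and the 'Re:' subject with a WinCfg32.exe attachment for Ronoper. The following is an added example (not part of the original descriptions) that checks those indicators with Python's standard email module against a constructed message laid out like a Roach mail; the sender address and attachment bytes are assumptions built from the text.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the descriptions above (compared case-insensitively).
ROACH_ATTACHMENTS = {"fortune.zip", "setup.exe"}
RONOPER_ATTACHMENTS = {"wincfg32.exe"}
EXECUTABLE_SUFFIXES = (".exe", ".com", ".scr", ".pif")


def attachment_names(msg: EmailMessage) -> list:
    """Lower-cased filenames of every attachment part in the message."""
    return [p.get_filename().lower() for p in msg.iter_attachments() if p.get_filename()]


def classify(raw: bytes) -> list:
    """Return the detection reasons that fire for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    names = set(attachment_names(msg))
    subject = str(msg["subject"] or "").strip()
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    reasons = []
    if names & ROACH_ATTACHMENTS and subject.startswith("Fw:"):
        reasons.append("roach: 'Fw:' subject with FORTUNE.ZIP/SETUP.EXE attachment")
    if "--nymph--" in text:
        reasons.append("roach: '--nymph--' trailer in body")
    if names & RONOPER_ATTACHMENTS and subject.startswith("Re:"):
        reasons.append("ronoper: 'Re:' subject with WinCfg32.exe attachment")
    if any(n.endswith(EXECUTABLE_SUFFIXES) for n in names):
        reasons.append("generic: executable attachment")
    return reasons


def build_sample() -> bytes:
    """Constructed message mimicking the Roach layout: HTML body plus two attachments.

    The sender is composed from the two name tables above; the attachment
    contents are placeholder bytes (an empty-ZIP end record, an 'MZ' stub)."""
    msg = EmailMessage()
    msg["From"] = "darktrooper@hotmail.com"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Fw: Sudden prayers make God jump."
    msg.set_content("<html><body>SMACK!!! You have been hit<br>--nymph--</body></html>",
                    subtype="html")
    msg.add_attachment(b"PK\x05\x06" + b"\x00" * 18, maintype="application",
                       subtype="zip", filename="FORTUNE.ZIP")
    msg.add_attachment(b"MZ" + b"\x00" * 62, maintype="application",
                       subtype="octet-stream", filename="SETUP.EXE")
    return msg.as_bytes()


if __name__ == "__main__":
    for reason in classify(build_sample()):
        print(reason)
```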