Worm.Win32.Apart
Description
Apart is a network worm with backdoor abilities. The worm itself is a Windows PE EXE file written in Delphi. Depending on the version, the worm is either 43KB or 56KB in length and is compressed by TeLock or UPX (the decompressed size is about 90KB). "Apart.b" was posted to IRC channels in the middle of August 2002 as a "NEW NUDE BRITNEY SPEARS SCREEN SAVER!"

Installing
While installing, the worm copies itself to the Windows system directory under the name "kernel32.dll*" and sets the "hidden" attribute on this file (here and below, the * (star) character stands for the byte A0h). The file is then registered in the system registry auto-run key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Kernel = %SystemDir%\KERNEL32.DLL*

The worm also creates the HKCR\.dll* key and associates it with the "exefile" file type, so .DLL* files are executed as ordinary .EXE files. The worm then removes the original file it was started from, opens an INet connection and "listens" to its master.

Spreading
At its "master's" request (see "Backdoor" below), the worm spreads through local networks. It opens network drives that are shared with full access and copies itself to the WINDOWS\Start Menu\Programs\StartUp directory under the name:

Windows.exe

Backdoor
The backdoor routine allows a remote "master" (the person controlling the virus program) to perform the following actions:

send detailed computer information: drivers description, local date and time, default language, computer name, CPU speed and number of processors, RAM size, Windows version, etc.
steal cached passwords, as well as MSN account, password and .NET Messenger information

Apart also performs the following routines:

spread over the local network
receive a file or download a file from a Web site
execute a file
perform a DoS attack on a remote computer
ping a remote computer
scan ports and IP addresses
redirect PC ports
send spam messages through AOL Instant Messenger and to a mIRC channel

Other
The worm contains the following "copyright" text string:

Apartheid v.2.0
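The installation traces described above (an auto-run value and an HKCR extension key that both carry the invisible A0h character) can be checked for in a registry dump. The following is an added example, not part of the original description; the record layout, function names and sample records are constructed for illustration, and it assumes the byte A0h is read as Windows-1252, where it is the no-break space U+00A0.

```python
import unicodedata

RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
# Assumption: the page's byte A0h, read as Windows-1252, is U+00A0 (no-break space).
NBSP = b"\xa0".decode("cp1252")

def invisible_chars(text):
    """Characters other than a plain space that render blank or not at all."""
    return [c for c in text
            if c != " " and unicodedata.category(c) in ("Zs", "Cf", "Cc")]

def audit(records):
    """records: (key, value_name, data) tuples from a registry dump.
    Returns (finding, key, value_name) for each suspicious entry."""
    findings = []
    for key, name, data in records:
        # Auto-run command whose file name hides an invisible character.
        if key.lower() == RUN_KEY.lower() and invisible_chars(data):
            findings.append(("run-value-invisible-char", key, name))
        # Extension key with an invisible character that is handled as exefile.
        parts = key.split("\\")
        if (len(parts) == 2 and parts[0].upper() == "HKCR"
                and parts[1].startswith(".") and invisible_chars(parts[1])
                and data.lower() == "exefile"):
            findings.append(("lookalike-ext-runs-as-exe", key, name))
    return findings

# Constructed sample records (not taken from a real system).
SAMPLE = [
    (RUN_KEY, "Kernel", "%SystemDir%\\KERNEL32.DLL" + NBSP),
    (RUN_KEY, "SystemTray", "SysTray.Exe"),
    ("HKCR\\.dll" + NBSP, "", "exefile"),
    ("HKCR\\.dll", "", "dllfile"),
    ("HKCR\\.exe", "", "exefile"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The check is generic on purpose: it flags any invisible character in these two places rather than only the exact names used by this worm, so the legitimate .dll and .exe keys in the sample pass while the look-alike entries are reported.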
Jam.1295
Description
This is a benign memory resident parasitic virus. Before installing itself memory resident, the virus disinfects the host file. It then hooks INT 21h and writes itself to the end of .EXE files that are terminated (the virus gets the file name from the Program Segment Prefix). If the day and month numbers match (January 1st, February 2nd, etc.), the virus, depending on the system time, decrypts and displays the following message, beeps through the PC speaker and halts the system:

Terrorystyczna organizacja zwolennikow dzemu truskawkowego przejela kontrole nad twoim komputerem. Dzem truskawkowy ponad wszystko. "Jam" written by Jack Rose. 21 April 97.

The virus also contains encrypted text that is partly corrupted by the program stack:

Przepraszam. Pisanie wirusow traktuje jako wyzwanie intelektualne.
James.516
Description
It is a harmless memory resident parasitic virus. It copies itself to the Interrupt Vectors Table, hooks INT 21h and writes itself to the end of .COM files that are executed, opened or renamed. This virus contains the text: James Bond is Alive!