Worm.Win32.Cycle.a
Description Worm.Win32.Cycle.a
Cycle is an Internet worm that exploits the LSASS vulnerability in MS Windows described in MS Security Bulletin MS04-011. Microsoft released a patch for this vulnerability on April 13, 2004, available at the above link. Cycle affects computers running Windows 2000, Windows XP and Windows Server 2003. The worm is written in C++ and is about 10 KB in size (packed with UPX).

Propagation

Upon launching, Cycle copies itself into the Windows system folder under the name 'svchost.exe' and registers itself in the following autorun keys:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Generic Host Service" = "%windir%\system\svchost.exe"

The worm also creates the file cyclone.txt in the Windows folder. This file contains the following letter to the global community from the author of the worm:

----
Hi,
My name is Cyclone and I live in Iran, and I want to speak with you about problems that we have in iran:
A.In Iran we don't have any kind of freedom, because we have islamic republic in iran:
1.we can't speak freely about regime, we can't speak even a little bit against them!!!
2.I have to be a moslem otherwise they don't care about me!
3.we CAN'T even wear the clothes and styles that we wants!
4.women MUST wear a cloth that no one can even see their hair!!!
5.they do not allow our national celebrations to be held, they beat us!!
6.Many moreall
B.The human rights is not implemented in Iran and there is no justice,
1.Lynch is very common in Iran. If you are against the regime then you may silently killed, or if there is a tribunal, you can't say anything, everyone works against you there.
2.1985-1990, the Islamic Republic of IRAN has been killed more than 10,000 Iranian youngs. that has been comfirmed by the documentations! This people killed without any tribunal or any proof.
3.there is a punishment that is used so much during this years, in this punishment, the person who must be killed stand in a hole then others attack him with stones, this will continue until he/she dead. there is some pictures and videos that shows this terrible torture!
4.Many more...
C.Misery and poverty grows in Iran, because the islamic republic leaders steal the money, they stolen the money that provided by selling oil, and then the people must die because they don't have enough money to even buy a bread!!!
D.Misery and poverty cause vice to grow, you see many young people in Iran using drugs and I think this is also a trick by the government to not allow us to arise against them!
E.Islamic republic gave Iran a bad name. before islamic republic we can travel anywhere in the world without any problem but now we have so much problems if we want to travel a foreign country, anyone think that we are terrorist. THE PEOPLE OF IRAN ARE NOT TERRORIST, THE ISLAMIC REPUBLIC OF IRAN IS TERRORIST.
The people of Iran trying to arise, but failed to do. About one year ago, Iranian people try to say to the world that we don't need Islamic republic but the government and police beat the people who try to tell the truth and they killed some people. You see that they don't even care about their own people, think what happen if they gain access to an ATOMIC BOMB!!! it's very dangerous for the world.
With all of this conditions and injustices, european governments still support islamic republic, they say that they just care about their own country! and I want to show them our WRATH! All of the european people are my friends and I never want to harm them, just government and the Politicians!
If you protest against iraq war and say why there must be a war against iraq, and if you do this for humanity, please do anything that you can do for helping iranian people. at least make your country not to support islamic republic anymore, I'm deadly sure that if european countries do not support islamic republic. it will be destroyed after 3-6 months! so please help!
I don't want to damage, I just want my country to grow, to improve!!! I have no other way to tell this words to world, sorry!!
---

The worm is built to fight against the Internet worms Sasser and Lovesan. It creates unique identifiers in memory that match the identifiers created by Sasser, thus preventing Sasser infections:

Jobaka3
Jobaka3l
JumpallsNlsTillt
SkynetSasserVersionWithPingFast

Cycle attempts to detect and stop processes with names from the following list:

avserve.exe
avserve2.exe
msblast.exe
skynetave.exe

Cycle deploys an FTP server on TCP port 69, launches 4 IP address scans searching for potential victim machines and sends requests to TCP port 445. If a remote machine allows a connection, Cycle sends the LSASS exploit, which installs a cmd.exe command shell on the victim machine. The worm then forwards commands to load and launch itself on the infected machine. The file containing the worm, after being forwarded, is named cyclone.exe.

Other

After infection, victim machines display a notice about an LSASS service failure and may attempt to reboot. In addition, Cycle attempts to initiate a DoS attack on irn.com and www.bbcnews.com every day in May except Sundays.
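The artifacts listed above (the autorun value, the Sasser-compatible identifiers, the TCP/69 file server, the dropped files) are what an incident responder would check a suspect host for. The following is an added example written for this page, not code from the worm or from the antivirus vendor: it runs a simple triage over a host inventory. The inventory layout (autorun entries, named objects, listeners, file list) is an assumption standing in for what a collection agent would return, the identifiers are treated as mutex names, and both sample hosts are constructed.

```python
# Added example (not from the original description): host triage logic
# for the Cycle artifacts listed above. The inventory layout is an
# assumption; the indicator values are taken from the description.
from typing import Dict, List

# Indicators quoted from the description
CYCLE_AUTORUN_NAME = "Generic Host Service"
CYCLE_MUTEXES = {            # assumed to be mutex names (shared with Sasser)
    "Jobaka3", "Jobaka3l", "JumpallsNlsTillt", "SkynetSasserVersionWithPingFast",
}
CYCLE_FILES = {"cyclone.txt", "cyclone.exe"}
CYCLE_FTP_PORT = 69          # the worm's file server listens on TCP/69


def _normalize(path: str) -> str:
    return path.replace("/", "\\").lower()


def _basename(path: str) -> str:
    return _normalize(path).rsplit("\\", 1)[-1]


def _parent(path: str) -> str:
    return _normalize(path).rsplit("\\", 1)[0]


def triage(inv: Dict) -> List[str]:
    """Return one finding per Cycle indicator present in a host inventory."""
    hits: List[str] = []

    for hive, values in inv.get("autorun", {}).items():
        for name, cmd in values.items():
            if name == CYCLE_AUTORUN_NAME:
                hits.append(f"autorun value '{name}' in {hive} -> {cmd}")
            # A genuine svchost.exe runs from %windir%\System32; the same
            # file name anywhere else deserves a look regardless of the value name.
            elif _basename(cmd) == "svchost.exe" and not _parent(cmd).endswith("\\system32"):
                hits.append(f"svchost.exe outside System32 in {hive}: {cmd}")

    for m in sorted(CYCLE_MUTEXES & set(inv.get("mutexes", []))):
        hits.append(f"mutex '{m}' present (Cycle or Sasser)")

    for lst in inv.get("listeners", []):
        if lst.get("proto") == "tcp" and lst.get("port") == CYCLE_FTP_PORT:
            hits.append(f"TCP/{CYCLE_FTP_PORT} listener by {lst.get('process')} (pid {lst.get('pid')})")

    for path in inv.get("files", []):
        if _basename(path) in CYCLE_FILES:
            hits.append(f"dropped file {path}")

    return hits


# Constructed inventory of an infected host, built from the indicators above
INFECTED_HOST = {
    "autorun": {
        r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
            "Generic Host Service": r"C:\WINDOWS\system\svchost.exe",
        },
        r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
            "Generic Host Service": r"C:\WINDOWS\system\svchost.exe",
        },
    },
    "mutexes": ["Jobaka3", "SkynetSasserVersionWithPingFast", "SomeAppMutex"],
    "listeners": [
        {"proto": "tcp", "port": 445, "process": "System", "pid": 4},
        {"proto": "tcp", "port": 69, "process": "svchost.exe", "pid": 1337},
    ],
    "files": [r"C:\WINDOWS\cyclone.txt", r"C:\WINDOWS\system32\ntoskrnl.exe"],
}

# Constructed inventory of a clean host
CLEAN_HOST = {
    "autorun": {
        r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
            "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
        },
    },
    "mutexes": ["SomeAppMutex"],
    "listeners": [{"proto": "tcp", "port": 445, "process": "System", "pid": 4}],
    "files": [r"C:\WINDOWS\system32\svchost.exe"],
}

if __name__ == "__main__":
    for line in triage(INFECTED_HOST):
        print(line)
```

The mutex names are shared with Sasser, so a hit on them alone says "Sasser or Cycle"; the autorun value name and the cyclone.* files are what distinguish Cycle. The svchost.exe location check is the one generic rule in the block: it does not depend on this worm's value name and catches the same trick when the value is renamed.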
MTZ.Pink.5081
Description MTZ.Pink.5081
This is a memory resident parasitic stealth polymorphic virus. On installation it checks the DOS version and does not install itself if DOS is not 5.0 or higher. This is necessary because the virus uses high memory when installing. Then the virus checks system memory for an already installed copy of itself with an "Are you here?" INT 21h call with AX=3056h, BX=4D54h, CX=5A21h, DX=3933h ("MTZ!0V93"). The memory resident virus returns 4F4Bh ("OK") in the AX register.

While allocating a block of system memory the virus uses the new (DOS 5.0 and higher) INT 21h functions. This allows the virus to install itself in Upper Memory Blocks if there is enough free space. Otherwise, or if upper memory is not in use, the virus installs itself at the top of conventional memory in the ordinary manner. Installation continues with the INT 21h tracing routine. This is a quite complex routine that uses new tricks never before used in other viruses; it is described below. Then the virus hooks the INT 21h and INT 13h vectors and returns control to the host program. INT 21h is used for file infection and stealth; INT 13h is used for stealth only.

On the DOS call Open File Handle the virus checks the file and disinfects it if it is infected. This is the stealth algorithm, and it makes infected files impossible to detect unless the virus is first removed from system memory. On the DOS calls Execute (AH=4B00h) or Close File Handle (AH=3Dh) the virus calls its infection routine. This routine checks the file name and extension and does not infect files with the names TB*.EXE, SC*.EXE, F-*.EXE, VS*.EXE, CL*.EXE, CP*.EXE (TBAV, SCAN, F-PROT, VSHIELD and VSTOP, CLEAN, CPAV). The virus infects only files with the .EXE extension. Then the virus calls the polymorphic routine and writes the decryptor and the encrypted virus body at the end of the file.

While installing its TSR copy the virus searches for the original address of the INT 21h handler. That handler (together with the other DOS interrupt handlers) is placed in the DOS code and data area. To calculate the INT 21h handler address the virus uses quite interesting tricks. First it gets the segment address of the DOS area via an undocumented INT 2Fh function, then it gets the segment address of the first memory block occupied by some program (usually that block contains the system drivers described in the CONFIG.SYS file). That block follows the DOS area, so the virus "knows" the segment address of the DOS system area and its length. Then the virus allocates a block of XMS memory, copies the whole of the DOS code and data into this block, hooks INT 6 (Undefined Opcode), fills (erases!) the DOS area with FFh bytes and calls INT 21h with the Get DOS Version function. The system should halt after such manipulations, because any call to system functions is passed to the area that has been erased with FFh bytes. Moreover, there is no assembler instruction that consists of the bytes FFh,FFh. On executing such code, i286+ chips generate INT 6 (Undefined Opcode interrupt). The virus uses that feature of the Intel processor and hooks INT 6 to intercept the moment the bytes FFh,FFh are executed. The virus stores the address from which the INT 6 call was performed, restores the DOS data and code (moves it back from the XMS buffer) and frees the XMS block. And which address was intercepted by the virus on INT 6? It is exactly the address of the original INT 21h handler. On an INT 21h call, control is passed from instruction to instruction, from one memory resident program to another, up to the moment when control is passed to the DOS area. There the FFFFh code in the erased DOS area causes INT 06h and stops the execution of the sequence of instructions. Of course, that method is too complex to be a reliable one, but it works. It is an open question how it will work in multitasking mode, under MS-Windows or new xx-DOS versions, but it works without problems under single-tasking MS-DOS 5.0 and 6.0.

The virus contains three stealth routines. The first is called on the DOS Find First and Find Next calls (the virus substitutes the file length); the second is called on file opening (the virus disinfects the file). These routines hide infected files from access via standard DOS calls. But there are several antiviral scanners that scan disks via low level functions, i.e. INT 13h (Absolute Disk Read), and here the virus uses its third stealth routine. It checks the address of the sector being read via INT 13h, and if the number of this sector is equal to the number of the first sector of an infected file the virus terminates that call. That stealth routine returns an error code (Data CRC Error) instead of reading the beginning of the infected file.

This virus contains the text strings:

- The Pink Panther 2 (*The Last One*)
- (c) MTZ '1 Jan 1994' Italy Dedicated to Federica! [MTZ 1994]

On December 31st the virus displays this text.
Muhamor.4608
Description Muhamor.4608
This is a dangerous memory resident polymorphic, double-encrypted parasitic virus. It hooks INT 12h and INT 21h and writes itself to the beginning of COM files and to the middle of EXE files that are executed or opened. The virus has bugs and may corrupt EXE files while infecting them. The virus does not infect files with the names *WE?.*, *AN?.*, *38?.*. Depending on its internal random counter the virus patches the standard Windows95 logos "Please wait while your computer shuts down" and "It's now safe to turn off your computer": it writes an image of a fly-agaric mushroom ("muhomor" in Russian) at the top of these logos.

The virus contains the text strings:

.E.C.e.cXEOMxeom weANanaNAnWE38
Muhamor virus ver 1.1
Version 1.1
C:\WINDOWS\LOGOS.sys
C:\WINDOWS\LOGOW.sys
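Both descriptions above (MTZ.Pink.5081 and Muhamor.4608) end with the text strings each virus carries, and Pink's entry also gives the register values of its "Are you here?" residency check. The following is an added example written for this page, not code from either virus or from the antivirus vendor: it searches a byte image for those strings, reports offsets and a per-family verdict, and decodes Pink's residency-check registers into the ASCII the description quotes. The sample images are constructed. Note the caveat the descriptions imply: Pink's body is written to disk encrypted behind a polymorphic decryptor and Muhamor is double-encrypted, so these plaintext strings are only expected in memory or in a decrypted dump, not in an infected file as it sits on disk.

```python
# Added example (not from the original descriptions): a string scanner for
# the plaintext strings quoted for MTZ.Pink.5081 and Muhamor.4608, plus a
# decoder for Pink's residency-check register values. Sample images are
# constructed for the demonstration.
from typing import Dict, List, Tuple

# Strings quoted from the two descriptions. Muhamor's first, garbled
# string is left out because its exact bytes are not recoverable from the text.
SIGNATURE_STRINGS: Dict[str, List[bytes]] = {
    "MTZ.Pink.5081": [
        b"The Pink Panther 2 (*The Last One*)",
        b"(c) MTZ '1 Jan 1994' Italy",
        b"Dedicated to Federica!",
        b"[MTZ 1994]",
    ],
    "Muhamor.4608": [
        b"Muhamor virus ver 1.1",
        b"Version 1.1",
        b"C:\\WINDOWS\\LOGOS.sys",
        b"C:\\WINDOWS\\LOGOW.sys",
    ],
}

# Strings that also occur in clean software: they support a verdict but
# never produce one on their own.
WEAK_STRINGS = {b"Version 1.1"}


def find_strings(image: bytes) -> Dict[str, List[Tuple[bytes, int]]]:
    """Map family name -> [(string, offset), ...] for every occurrence found."""
    found: Dict[str, List[Tuple[bytes, int]]] = {}
    for family, needles in SIGNATURE_STRINGS.items():
        for needle in needles:
            pos = image.find(needle)
            while pos != -1:
                found.setdefault(family, []).append((needle, pos))
                pos = image.find(needle, pos + 1)
    return found


def verdict(image: bytes) -> List[str]:
    """Families for which at least one strong (non-generic) string was found."""
    hits = find_strings(image)
    return sorted(family for family, matches in hits.items()
                  if any(s not in WEAK_STRINGS for s, _ in matches))


def decode_word(word: int) -> str:
    """Read a 16-bit register value as two ASCII characters, high byte first."""
    return chr((word >> 8) & 0xFF) + chr(word & 0xFF)


def pink_residency_signature(ax: int, bx: int, cx: int, dx: int) -> str:
    """Decode the registers of Pink's 'Are you here?' call into the quoted
    text. The description's string reads in the order BX, CX, AX, DX."""
    return "".join(decode_word(r) for r in (bx, cx, ax, dx))


# Constructed sample: filler bytes with two Pink strings embedded, as they
# would appear in memory once the polymorphic layer has decrypted the body.
SAMPLE_IMAGE = (b"\x90" * 64
                + b"The Pink Panther 2 (*The Last One*)"
                + b"\x00" * 16
                + b"[MTZ 1994]"
                + b"\xcc" * 32)

# Constructed sample: a generic version string only, which must not trigger.
CLEAN_IMAGE = b"Version 1.1\x00" + b"\x90" * 64

if __name__ == "__main__":
    for family, matches in find_strings(SAMPLE_IMAGE).items():
        for needle, offset in matches:
            print(f"{family}: {needle!r} at offset {offset}")
    print("verdict:", verdict(SAMPLE_IMAGE))
    print("Pink residency call:", pink_residency_signature(0x3056, 0x4D54, 0x5A21, 0x3933),
          "-> reply", decode_word(0x4F4B))
```

Because Pink's open-file stealth hands a disinfected copy to whatever reads an infected file while the virus is resident, and its INT 13h routine fails the raw read of the first sector, a file-level scan is only meaningful after booting from clean media; the memory image is where these strings are found on a live system.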