Virus Database

Worm.Win32.Fasong.a

Description Worm.Win32.Fasong.a
Fasong is a worm virus spreading via local area networks. The worm itself is a Windows PE EXE file about 170KB in length and is written in Delphi. The worm has a trojan routine (see below).
Installing
While installing the Fasong worm copies itself to randomly selected directories on randomly selected drives, and using randomly selected EXE names, for example:
GMLKU.EXE
TKXMLIB.EXE
LUFV.EXE

The worm registers these files in the system registry auto-run key:
HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun
%rndname%.EXE = %rndname%.EXE

for example:
HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun
GMLKU.EXE = C:UTILGMLKU.EXE

There are also other auto-run keys affected by this worm, it writes references to its different copies to following keys:
HKCRchm.fileshellopencommand (default value = "hh.exe" %1)
HKCRexefileshellopencommand (default value = "%1 %*")
HKCRinifileshellopencommand (default value = "notepad.exe %1")
HKCR egfileshellopencommand (default value = "regedit.exe %1")
HKCRscrfileshellopencommand (default value = "%1 /S")
HKCR xtfileshellopencommand (default value = "notepad.exe %1")

Spreading
The worm copies itself to all local drives with randomly selected EXE names. The worms also copies itself to network drives. To run itself on remote machines Fasong also creates the autorun.inf file in the drive root directory and writes the [autorun], OPEN= command to this file.
Trojan Routine
The trojan routine gets personal information from OICQ and some other Chinese programs, and then it sends emails containing personal data from victim machines to its master.
Other
The Fasong worm creates following registry key entry where it stores its internal data:
HKLMSoftwareMicrosoftWindowsCurrentVersionwin70

Fasong tries to detect and terminate the active functioning of several anti-virus programs and firewalls.
Fasong looks for the Msread.dt file and reads its internal settings from that file. The settings are text strings such as:
workfile
mima_wenjian
fasong_youxiang
yonghu_ming
youxiang_mima
fasong_zhuti
fanggai_mima
smtp_fuwuqi
auto_share

Check other viruses! Be aware! Use Antiviral Software

Am_II.1281

Description Am_II.1281

It's not dangerous memory resident parasitic virus. It hooks INT 01h, 21h, 28h and writes itself at the end of COM- and EXE-files are accessed. It contains the internal text word "Am", in depending of system time and its internal counter this virus manifests itself by the signal of Russian radio station "Mayak".

Aman.10716

Description Aman.10716

It's a not dangerous memory resident parasitic virus. It hooks INT 5, 21h and writes itself at the end of EXE-files that are terminated. On pressing of PrintScreen key (INT 5) and depending on the system time it manifests itself with porno video effect. It contains the internal text string in Russian and:
V1.2

Home