Worm.Win32.Grexon
Description Worm.Win32.Grexon
Grexon is a local area network (LAN) worm. It copies itself to logical drives (local and network) and scans the network resources to which it copies itself. The worm file is about 7 KB in size. When run, the worm copies itself to the Windows temporary directory under the name "grex.exe" and registers that file in the system registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Grex = %TempDir%\grex.exe
While infecting drives (logical and network) the worm copies itself to them under the following names:
NOPE.EXE : to the Windows Startup directory (if it exists)
REGEDIT.EXE : to the Windows directory (if it exists)
While infecting network drives the worm targets the following shared resources: C$, D$, IPC$
If the victim resource is not open for full access, the worm tries to connect to it using the following as passwords:
the user name
the strings "123", "111", "12345", "00"
cached Windows passwords
strings found in the registry key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Network\LanMan
Payload
When this worm is run from the REGEDIT.EXE file it displays the message:
LOADER ERROR
File corrupted !
Depending on a random counter the worm either exits Windows or displays the message:
ERROR
Kernel data corrupted !
Idiot.2032
Description Idiot.2032
These are dangerous memory resident parasitic viruses. "Idiot.2592" is encrypted. They contain the string: =/= IDIOT VULTURE =//=
When an infected file is executed and a virus takes control, it hooks INT 21h and stays memory resident. Before returning to the host program it infects the files: C:\DOS\FDISK.EXE, C:\DOS\UNDELETE.EXE, C:\DOS\MEM.EXE, C:\DOS\EXPAND.EXE. The viruses then infect files that are executed, opened or accessed with the Get/Set File Attribute DOS call. While infecting a file the viruses insert themselves into the middle of the file using a fairly complex method. First, they check the number of relocated addresses in the EXE module. If there are fewer than four such addresses, the viruses return from the infection routine. Otherwise they select several of these addresses that belong to JMP FAR and CALL FAR assembler instructions and patch the file so that, after it is loaded into memory, these FAR calls and jumps point to the virus code. To return to the original subroutines and locations the viruses store the original addresses. The viruses then fix the relocation offsets and several other fields in the EXE header, move the EXE module down by "virus length" bytes, and insert their code between the EXE header and the original EXE module.
Before infection:
+----------+
|EXE header|
+----------+
|all       |
|FAR CALL  | internal
|...       | prog's
|FAR JMP   | calls and
|...       | jmps
+----------+
Infected file:
+----------+
|EXE header|
+----------+<<--+-+
|Virus     |    | |
+----------+    | |
|...       |    | |
|FAR CALL  | ---+ | patched calls and jumps
|...       |      |
|FAR JMP   | -----+
|...       |
+----------+
As a result, the virus code is placed in the middle of the file, and the entry address (the initial CS:IP in the EXE header) still points to the original code: the virus has no entry point of its own, and its code is "linked" into the code of the file. The virus takes control only if a patched instruction is executed, i.e. when a patched branch of the "infected" program receives control. Consequently there are infections in which the virus never receives control if the infected program is executed in its default mode (default-run branches are not patched); it activates only if the program is run with command switches that cause a jump to the patched instructions. This complex infection method is not bug-free, and the virus often corrupts the files it infects.
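The relocation-table patching described above is easiest to follow with a concrete MZ file, so here is an added example (not part of this description or of any analysis tool): a Python helper that parses a DOS MZ header, walks its relocation table, and flags the entries that fix up the segment word of a FAR CALL (9Ah) or FAR JMP (EAh), i.e. the entries this infection technique targets. The function names, the "fewer than four relocations" cut-off taken from the text, and the constructed sample executable are all assumptions of this example; the opcode check looks only at the byte three positions before the relocated word and does not disassemble.

```python
import struct

FAR_CALL, FAR_JMP = 0x9A, 0xEA   # opcodes of CALL FAR ptr16:16 and JMP FAR ptr16:16

def parse_mz(data):
    """Return (file offset of the load module, list of (offset, segment) relocations)."""
    if len(data) < 0x1C or data[:2] not in (b"MZ", b"ZM"):
        raise ValueError("not an MZ executable")
    fields = struct.unpack_from("<13H", data, 2)          # e_cblp .. e_ovno
    e_crlc, e_cparhdr, e_lfarlc = fields[2], fields[3], fields[11]
    relocs = [struct.unpack_from("<HH", data, e_lfarlc + 4 * i) for i in range(e_crlc)]
    return e_cparhdr * 16, relocs

def classify_relocations(data):
    """File offset of each relocated segment word, tagged 'far_call', 'far_jmp' or
    'other' by the opcode three bytes before it (a heuristic, not a disassembler)."""
    module_start, relocs = parse_mz(data)
    out = []
    for offset, segment in relocs:
        pos = module_start + segment * 16 + offset
        opcode = data[pos - 3] if pos >= 3 else None
        out.append((pos, {FAR_CALL: "far_call", FAR_JMP: "far_jmp"}.get(opcode, "other")))
    return out

def idiot_candidates(data):
    """Relocations the described virus would patch: none if fewer than four exist,
    otherwise those sitting in FAR CALL / FAR JMP instructions (assumed reading)."""
    classes = classify_relocations(data)
    return [] if len(classes) < 4 else [pos for pos, kind in classes if kind != "other"]

def build_sample_exe():
    """Constructed MZ file: 64-byte header, five relocations and a tiny code module."""
    module = bytes([
        0x9A, 0x00, 0x00, 0x10, 0x00,  # CALL FAR 0010:0000  (segment word at +3)
        0xEA, 0x00, 0x00, 0x20, 0x00,  # JMP  FAR 0020:0000  (segment word at +8)
        0xB8, 0x00, 0x00,              # MOV  AX, seg        (segment word at +11)
        0x9A, 0x00, 0x00, 0x30, 0x00,  # CALL FAR 0030:0000  (segment word at +16)
        0xB8, 0x00, 0x00,              # MOV  AX, seg        (segment word at +19)
        0xCB,                          # RETF
    ])
    relocs = [(3, 0), (8, 0), (11, 0), (16, 0), (19, 0)]
    hdr_paras, total = 4, 64 + len(module)
    header = b"MZ" + struct.pack("<13H", total % 512, (total + 511) // 512, len(relocs),
                                 hdr_paras, 0, 0xFFFF, 0, 0x100, 0, 0, 0, 0x1C, 0)
    table = b"".join(struct.pack("<HH", o, s) for o, s in relocs)
    return (header + table).ljust(hdr_paras * 16, b"\0") + module

if __name__ == "__main__":
    for pos, kind in classify_relocations(build_sample_exe()):
        print(f"segment word at file offset {pos:#06x}: {kind}")
```

Run against a real DOS EXE, a relocation count below four or an empty candidate list means the described technique would leave that file alone; a file whose header paragraph count grew while its FAR CALL/JMP targets changed is the pattern to compare against a clean copy.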
Ienez.1428
Description Ienez.1428
It is a dangerous memory resident encrypted parasitic virus. It hooks INT 17h and INT 21h and writes itself to the end of EXE files that are accessed. Depending on the system timer it overwrites the MBR of the hard drive with the string:
IENEZ II 29-9-93 VETO !!!
and erases disk sectors. Depending on its internal counter it changes digits while printing. The virus also contains the text string: IENEZ II (c) DEATHMAN 1993