Virus Database


Worm.Win32.Leave

Description Worm.Win32.Leave

This is an Internet worm that spreads to vulnerable machines (hosts already carrying the SubSeven backdoor, see Spreading below). The worm works under Win32 systems only. Its functionality is driven by a special script language that lets a remote host manage infected machines. Through these scripts the worm can also download and activate additional components (plugins), so it is able to "upgrade" itself from Internet Web sites.
When a main worm component is run, it copies itself to the Windows directory with the REGSV.EXE name and registers that file in the auto-run registry keys. These keys depend on the Windows version (Win9x or WinNT) and appear as follows:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
regsv = %windir%\regsv.exe

HKCU\Software\Mirabilis\ICQ\Agent\Apps
icqrun = %windir%\regsv.exe
The worm then stays as a hidden (service) process in Windows memory and is active until the next Windows shutdown.
Spreading
The main worm component contains a text string that is a SubSeven backdoor master password. The worm can therefore log into remote machines already infected by the SubSeven backdoor and install itself on them.
To find victim machines, the worm runs a scanning routine, directed by the scripts described below, that sweeps Internet IP address ranges for such hosts.
Script Language
The worm script language is quite powerful. It allows the worm to do the following:
download other EXE files (worm plugins) from Web sites and run them
scan IP address ranges matching a requested mask
connect to IRC servers and execute IRC commands
create, move, delete and execute files on the infected machine
and more.
The scripts are downloaded by the worm from different Web sites, for example:
http://leavemealoneeeeeeeee.50megs.com
http://k000001.50megs.com
http://slinky.50megs.com
http://h0h0h0.home.dk3.com
http://h0h0h0.spites.com
http://love50gb.50megs.com
http://tonyjameshanks-sux.50megs.com
http://bababuhtml.50megs.com
http://zxcvbnm.com
and from others.
The scripts on these sites are encrypted with a 64-bit block cipher. When the worm obtains a script, it first decrypts it and then follows the script's instructions.
The worm's code also contains a default script (likewise encrypted). That script is dropped into the Windows directory under the ACI3.DLL name.
When scripts are received, the worm also stores them, still in encrypted form, under the Registry keys:
HKLM\SOFTWARE\Classes\Scandisk\i386\i
HKLM\SOFTWARE\Classes\Scandisk\i386\s
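To check a machine for the persistence entries and the script-storage keys listed above, the following added example (it is not part of the original page and not a vendor tool) parses a `reg export` dump and reports every indicator it finds. The dump text is constructed for the example, and the Scandisk key is matched by prefix only, because the exact spelling of its subkeys is reconstructed from the page rather than known.

```python
import re

# Registry locations the page lists for Worm.Win32.Leave, spelled the way
# `reg export` writes them: full hive names, one value name per autorun key.
LEAVE_AUTORUN_VALUES = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run": "regsv",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices": "regsv",
    r"HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps": "icqrun",
}
# Encrypted scripts live under Scandisk subkeys; matched by prefix because the
# subkey spelling below that point is reconstructed from the page (assumption).
LEAVE_SCRIPT_KEY_PREFIX = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Scandisk"
LEAVE_DROPPED_FILE = "regsv.exe"

_SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_STRING_VALUE_RE = re.compile(r'^(?P<name>"[^"]+"|@)="(?P<data>.*)"$')


def parse_reg_export(text):
    """Parse the subset of .reg syntax that `reg export` emits: [key] headers
    followed by "name"="string" or @="string" values. hex:/dword: values are
    kept as their raw text so that their presence can still be reported."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _SECTION_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        if current is None or not (line.startswith('"') or line.startswith("@=")):
            continue
        m = _STRING_VALUE_RE.match(line)
        if m:
            # .reg escapes backslashes and double quotes inside string data
            name = m.group("name").strip('"')
            data = m.group("data").replace('\\"', '"').replace("\\\\", "\\")
        else:
            name, _, data = line.partition("=")
            name = name.strip('"')
        keys[current][name] = data
    return keys


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip().lower()


def find_leave_indicators(keys):
    """Return (key, value name, data) triples for every Leave indicator found."""
    findings = []
    for key, values in keys.items():
        key_lc = key.lower()
        for want_key, want_name in LEAVE_AUTORUN_VALUES.items():
            if key_lc != want_key.lower():
                continue
            for name, data in values.items():
                # Match on the file name rather than the whole string so that
                # "%windir%\regsv.exe" and an expanded path are both caught,
                # while other autorun entries in the same key are left alone.
                if name.lower() == want_name and _basename(data) == LEAVE_DROPPED_FILE:
                    findings.append((key, name, data))
        if key_lc.startswith(LEAVE_SCRIPT_KEY_PREFIX.lower()):
            # the key existing at all is the indicator; report its values if any
            if values:
                findings.extend((key, n, d) for n, d in values.items())
            else:
                findings.append((key, "", ""))
    return findings


# Constructed sample dump (not a real export): one benign Win98 autorun entry,
# the two worm autorun entries and one stored-script key with a binary value.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"regsv"="C:\\WINDOWS\\regsv.exe"

[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps]
"icqrun"="%windir%\\regsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Scandisk\i386\i]
@=hex:5c,3b,9a,02,77,e1,10,4f
"""

if __name__ == "__main__":
    for key, name, data in find_leave_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{key} :: {name} = {data}")
```

On a suspect machine the dump would come from `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (and the other keys) rather than from the embedded sample; the file name check deliberately ignores the directory, since the page only says the worm copies itself to the Windows directory, whose path varies.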
DoS Attack
The worm performs a DoS (Denial of Service) attack against the following sites:
www.hotmail.com
www.internet.com
www.netscape.com
www.lycos.com
www.aol.com
www.msn.com
www.goto.com
www.excite.com
www.yahoo.com
www.altavista.com

Foma family

Description Foma family

These are not dangerous memory-resident parasitic viruses. They hook INT 8 (the timer interrupt) and INT 21h (DOS services) and write themselves to the end of COM files that are executed or opened. When the AIDSTEST anti-virus is executed, the viruses display one of the following messages and halt the system:
Abnormal program termination
?KMON-F-System read failure halt 177640
Unrecognised error. DMA failure.

Depending on the system date and on their internal counters, the viruses blink the screen or display messages in Russian. The viruses also contain the following text strings:
"Foma.972": STIN V:1.02
"Foma.1000": STIN V:1.01
"Foma.1200": STIN V:1.00
( CGA/EGA/VGA Terminal Color Invertor ) 11-Nov-1991.
Kpy ¼ «p á½ ¡¿ á¼ ¿ ¡Ñ ½áí ¼ ¿ «ó¿ á¼ »« ó áÑ all.....
"Foma.1733": FOMA V:1.01
"Foma.1900": FOMA V:1.00

Foo.956

Description Foo.956

This is a not dangerous non-memory-resident encrypted parasitic virus. It searches for COM files in the current and parent directories, then in the C:\WINDOWS directory, and infects no more than three of the files found. While infecting, the virus writes itself to the end of the file. The virus takes the internal self-checking ability of Windows32 into account and fixes the necessary data (the "ENUNS" field at the end of Windows COM files) while infecting them.
The virus uses anti-debugging tricks. On the 29th of any month it displays the following message and halts the computer:
--FOO VIRUS--
WE'RE ALL STARS NOW, IN THE DOPESHOW
MADE IN THE UK, WE EXIST..
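The text strings listed for the Foma family can serve as signatures. The scanner below is an added example (not from the page or any vendor product): it searches each variant's string only in the last N bytes of a COM image, where N is the numeric suffix of the variant name (in this naming scheme the suffix is the length of the virus body), and then checks whether the entry point jumps into that appended region, which is how an appending COM infector transfers control to itself. The infected sample is constructed in code and is not the real virus. Foo.956 is encrypted, so its message text is not expected to be visible in an infected file and is deliberately not used as a signature here.

```python
import struct

# Variant name -> (virus body length in bytes, identifying string). The
# lengths are the numeric suffixes of the names; the strings are the ones
# the page lists for each variant.
FOMA_SIGNATURES = {
    "Foma.972": (972, b"STIN V:1.02"),
    "Foma.1000": (1000, b"STIN V:1.01"),
    "Foma.1200": (1200, b"STIN V:1.00"),
    "Foma.1733": (1733, b"FOMA V:1.01"),
    "Foma.1900": (1900, b"FOMA V:1.00"),
}


def entry_jump_target(image):
    """File offset reached by a near JMP (E9 rel16) at the COM entry point,
    or None if the image does not begin with one. A COM image is loaded at
    CS:0100h with no header, so file offset 0 is the first instruction run."""
    if len(image) < 3 or image[0] != 0xE9:
        return None
    rel = struct.unpack_from("<h", image, 1)[0]
    return (3 + rel) & 0xFFFF


def scan_com_image(image):
    """Return (variant, entry_jumps_into_body) for an infected image, or None.
    The signature is searched only in the last <body length> bytes, where an
    appending infector places itself; a string found there without the entry
    jump landing in the same region is reported with False (possible false
    positive, e.g. a text file renamed .COM)."""
    for variant, (body_len, sig) in FOMA_SIGNATURES.items():
        if len(image) <= body_len:
            continue  # too small to be host + appended body
        body_start = len(image) - body_len
        if sig not in image[body_start:]:
            continue
        target = entry_jump_target(image)
        return variant, target is not None and target >= body_start
    return None


# Constructed clean host: MOV AX,4C00h / INT 21h (exit) followed by padding.
HOST_SAMPLE = b"\xB8\x00\x4C\xCD\x21" + b"\x90" * 100


def make_infected_sample(host, variant):
    """Build a test image that mimics what an appending COM infector leaves
    behind: entry patched to JMP to the appended body, the original three
    entry bytes saved inside it, and the variant's string in the body.
    This is constructed data for the example, not the real virus."""
    body_len, sig = FOMA_SIGNATURES[variant]
    body = bytearray(b"\x90" * body_len)
    body[0:3] = host[0:3]
    body[16:16 + len(sig)] = sig
    rel = len(host) - 3  # the JMP at offset 0 is 3 bytes; land at end of host
    return b"\xE9" + struct.pack("<h", rel) + host[3:] + bytes(body)


if __name__ == "__main__":
    print(scan_com_image(HOST_SAMPLE))                                # None
    print(scan_com_image(make_infected_sample(HOST_SAMPLE, "Foma.972")))  # ('Foma.972', True)
```

To scan a directory, read each *.COM file as bytes and pass it to scan_com_image; only the second element being True should be treated as an infection, the string alone is a weaker hint.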

    Copyright © 2005 Virus-Database.com