Virus Database


Worm.Win32.Padobot

Description Worm.Win32.Padobot

Worm.Win32.Padobot.a (also known as Korgo) spreads throughout the Internet using a vulnerability in the Microsoft Windows LSASS service. A description of the vulnerability can be found in Microsoft Security Bulletin MS04-011.
The worm is written in C++ and is approximately 10KB in size, packed using UPX.
Propagation
When launched, the worm copies itself to the Windows system directory under a random name and registers this file in the system registry auto-run key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
WinUpdate = %system%\name of file
It also creates a registry key
HKLM\SOFTWARE\Microsoft\Wireless
Server = 1
It creates the mutexes "10", "u2" and "uterm5" to flag its presence in the system.
The worm chooses the IP addresses of random machines to attack and infect, like other worms that exploit the same LSASS vulnerability.
Other
Once infected, a victim machine will display an error message that the LSASS service has failed. After this error message has been displayed, the computer may reboot.
The worm opens TCP ports 113, 3067 and 2041 to receive commands.
It attempts to connect to several IRC servers to receive commands and transmit data.
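The host-side indicators listed above (the auto-run value, the marker key, the mutex names and the command ports) can be checked on a suspect machine with the following triage script. It is an added example, not code from the original page: it parses constructed text in the style of `reg export` and `netstat -an` output (so HKLM is spelled out as HKEY_LOCAL_MACHINE) plus a list of mutex names, and reports which indicators match; the function names and sample values are this example's own.

```python
import re
# Indicators from the description above (Worm.Win32.Padobot.a / Korgo).
AUTORUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
AUTORUN_VALUE = "WinUpdate"
MARKER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wireless"
MUTEXES = {"10", "u2", "uterm5"}
COMMAND_PORTS = {113, 3067, 2041}

def parse_reg_export(text):
    """Parse a `reg export`-style dump into {key: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and "=" in line:
            name, data = line.split("=", 1)
            keys[current][name.strip().strip('"')] = data.strip().strip('"')
    return keys

def listening_tcp_ports(netstat_text):
    """Collect local TCP ports in LISTENING state from `netstat -an` output."""
    pat = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", re.I)
    return {int(m.group(1)) for m in map(pat.match, netstat_text.splitlines()) if m}

def padobot_indicators(reg_text, netstat_text, mutex_names):
    """Return the indicators that match; an empty list means none were seen."""
    hits, reg = [], parse_reg_export(reg_text)
    run = reg.get(AUTORUN_KEY, {})
    if AUTORUN_VALUE in run:
        hits.append(f"autorun {AUTORUN_VALUE} -> {run[AUTORUN_VALUE]}")
    # A real export shows the DWORD as dword:00000001; the page writes it as 1.
    if reg.get(MARKER_KEY, {}).get("Server", "").lower() in {"1", "dword:00000001"}:
        hits.append("marker key Wireless\\Server = 1")
    for port in sorted(COMMAND_PORTS & listening_tcp_ports(netstat_text)):
        hits.append(f"listening on tcp/{port}")
    for m in sorted(MUTEXES & set(mutex_names)):
        hits.append(f"mutex {m!r}")
    return hits

# Constructed sample artifacts for a hypothetical infected host (not real data).
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinUpdate"="C:\WINDOWS\system32\xkqwd.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wireless]
"Server"=dword:00000001
"""
SAMPLE_NETSTAT = """  TCP    0.0.0.0:3067   0.0.0.0:0    LISTENING
  TCP    0.0.0.0:2041   0.0.0.0:0    LISTENING
  TCP    10.0.0.5:1034  10.0.0.9:80  ESTABLISHED"""
SAMPLE_MUTEXES = ["u2", "uterm5", "ShimCacheMutex"]
```

Calling `padobot_indicators(SAMPLE_REG, SAMPLE_NETSTAT, SAMPLE_MUTEXES)` on the sample data returns six matches; on a clean host the list is empty.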


Baphometh.1536

Description Baphometh.1536

It is a dangerous memory resident multipartite virus. It infects the MBR of the hard drive, boot sector of floppy disks and writes itself to the end of COM and EXE files that are executed.
While infecting the MBR the virus overwrites the disk partition table; as a result the MBR cannot be disinfected with the "FDISK /MBR" command. The virus also deletes the C:\WINDOWS\SYSTEM\IOSUBSYS\HSFLOP.PDR file. It contains the encrypted text string:
Baphometh v2 ~CAD

When an infected file is executed the virus infects the MBR, hooks INT 21h, stays memory resident and then infects DOS executable files. When loaded from an infected disk the virus hooks INT 8 (timer) and INT 13h, waits for DOS to finish loading and then hooks INT 21h. Through the INT 13h hook the virus runs its floppy disk infection and stealth routines: on access to the infected MBR or boot sector the virus returns the original code and data in their place.

Baran.3294

Description Baran.3294

These are memory resident parasitic polymorphic viruses. They hook INT 21h and write themselves to the end of COM and EXE files. "Baran.3294" infects the files that are executed or closed. "Baran.4968" infects the files that are closed (both FCB and Handle calls), executed,
To hook the interrupt vectors these viruses use several tricks. The INT 21h handler in "Baran.3294" contains just one instruction: a call to INT 1 (CDh 01h). The virus also hooks INT 1, so when an INT 21h call is made, control passes to the INT 1 handler, which contains the file infection routines.
"Baran.4968" traces INT 13h and INT 21h. To hook INT 21h the virus patches the INT 21h handler in the DOS area (the original INT 21h handler) with an INT 29h call (CDh 29h), then patches the INT 29h handler with a FAR JMP_Virus instruction. As a result the virus handler receives both INT 21h and INT 29h calls. To separate them the virus checks the caller's address and either executes the original INT 29h or passes control to the virus INT 21h handler. If the virus cannot hook INT 21h, it infects the command interpreter using the COMSPEC= pointer. If MS Windows is active, the virus also infects the program that will be executed when Windows exits to DOS.
"Baran.4968" is a stealth virus. When an infected file is opened (both FCB and Handle calls), loaded as an overlay or debugged, the virus disinfects it. This virus also checks the file name and does not infect the files IBMBIO.* and IBMDOS.*.
"Baran.3294" is not a dangerous virus. Depending on the system time it displays the message:
Gwadera to baran !

"Baran.4968" is a very dangerous virus. Depending on its internal counter it corrupts data being written to disk. It contains the text:
Unknown destroyer v1

Copyright © 2005 Virus-Database.com