Zoo.383.a
It is a dangerous non-memory-resident parasitic virus. It searches for NewEXE (Windows) files in the current directory and overwrites their DOS stub code. The virus does not save the original stub routine, so infected files cannot be recovered. The virus then decrypts and displays the message (the standard DOS stub message): This program requires Microsoft Windows.
The virus also contains encrypted text in Russian and the strings: *.exe (c) DNazi
I-Worm.Hadra
This is an Internet worm that spreads via e-mail as an attached EXE file. The worm itself is a Win32 executable file about 12Kb in length, written in Visual Basic. The worm code is compressed with the UPX Win32 EXE file compression utility; when unpacked, it is about 26Kb in size.

When the worm starts (when a user clicks on the attached EXE file), it copies itself to the Windows directory with the name MSSERV.EXE and registers that file in the Windows registry auto-run keys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

All these "Run=" keys then contain the string value that runs the worm copy on each Windows start-up:

msservice = %WinDir%\msserv.exe

where %WinDir% is the Windows main directory.

Spreading
The worm then stays in Windows memory as a hidden application (service), connects to MS Outlook and registers itself as a handler for the MS Outlook "NewMail" and "ItemSend" events (i.e., the worm attaches itself to MS Outlook events). On "NewMail" (new mail has arrived), the worm checks whether the message is its own message sent from another infected machine and, if so, deletes it: it opens the message, looks for an EXE attachment and deletes the message if the EXE attachment has the same length as the worm's EXE file. On "ItemSend" (a message is being sent), the worm looks for already attached files, takes the first one, replaces it with its own copy, renames the attachment to .EXE, and then sends it. If the message has no attachment, the worm attaches itself under a random eight-byte name with the .EXE extension.
On Friday the 13th, from 13:00 till 14:00, the worm also adds a text to the beginning of the message body:

[I-Worm.Hydra] allby gl_st0rm of [mions]

Protection
The worm performs several actions to hide itself and to prevent removal of its file and the infected registry "Run=" keys. The worm deletes the MSCONFIG.EXE file in the Windows system directory, looks for active applications and kills them (terminates these processes):

"AVP Monitor" "AntiVir" "Vshwin" "F-STOPW" "F-Secure" "vettray" "InoculateIT" "Norman Virus Control" "navpw32" "Norton AntiVirus" "Iomon98" "AVG" "NOD32" "Dr.Web" "Amon" "Trend PC-cillin" "File Monitor" "Registry Monitor" "Registry Editor" "Task Manager"

As a result, the worm disables several types of anti-virus protection and immediately closes Registry editors on their start-up. The worm also kills Kaspersky Anti-Virus (formerly AVP) anti-virus databases.

Member of SETI Distributed Network
The worm installs and activates the SETI (Search for Extraterrestrial Intelligence) software on an infected computer (see more information about SETI at http://setiathome.berkeley.edu). The SETI software is downloaded by the worm to the Windows directory under the name MSSETI.EXE from one of the following FTP sites:

ftp://ftp.cdrom.com/pub/setiathome/setiathome-3.03.i386-winnt-cmdline.exe
ftp://ftp.let.uu.nl/pub/software/winnt/setiathome-3.03.i386-winnt-cmdline.exe
ftp://ftp.cdrom.com/.2/setiathome/setiathome-3.03.i386-winnt-cmdline.exe
ftp://alien.ssl.berkeley.edu/pub/setiathome-3.03.i386-winnt-cmdline.exe
ftp://setidata.ssl.berkeley.edu/pub/setiathome-3.03.i386-winnt-cmdline.exe

The worm also creates the following files in the Windows directory:

USER_INFO.SAH and VERSION.SAH with SETI-specific information
MSSETI.PIF, RUN_MSSETI.VBS, MSSETI.BAT to run the SETI program

and registers the RUN_MSSETI.VBS file in the Registry auto-run keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
msseti = WScript.exe %WinDir%\run_msseti.vbs
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
msseti = WScript.exe %WinDir%\run_msseti.vbs

The USER_INFO.SAH file contains user-specific information about the SETI user; the worm writes the following IDs there:

id=2199938
key=1603033966
email_addr=gl_storm@seznam.cz
name=GL_STORM
country=Czech Republic
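An added triage check, not part of the original description: a PowerShell script that looks for the I-Worm.Hadra persistence artifacts described above (the four auto-run keys, the "msservice" and "msseti" values, and the files dropped in the Windows directory). The key paths, value names and file names come from the description; the script structure, the $suspect* variable names and the output format are assumptions.

```powershell
# Added example, not from the original description. Looks for the registry
# values and files that I-Worm.Hadra creates; it reports, it does not clean.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
)
# Value names the worm registers (msservice for the worm, msseti for the SETI loader)
$suspectValues = @('msservice', 'msseti')
# Files the worm drops in %WinDir% (names taken from the description)
$suspectFiles = @('msserv.exe', 'msseti.exe', 'run_msseti.vbs', 'msseti.bat',
                  'msseti.pif', 'user_info.sah', 'version.sah')

$findings = @()
foreach ($key in $runKeys) {
    # RunServices only exists on Win9x; skip keys that are absent on this host
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $suspectValues) {
        $val = $props.PSObject.Properties[$name]
        if ($val) {
            $findings += [pscustomobject]@{
                Type = 'Registry'; Location = "$key\$name"; Data = $val.Value
            }
        }
    }
}
foreach ($file in $suspectFiles) {
    $path = Join-Path $env:WINDIR $file
    if (Test-Path $path) {
        $findings += [pscustomobject]@{
            Type = 'File'; Location = $path; Data = (Get-Item $path).Length
        }
    }
}

if ($findings.Count -eq 0) {
    'No I-Worm.Hadra persistence artifacts found.'
} else {
    # Any hit on the Run/RunServices values or the dropped files warrants a full scan
    $findings | Format-Table -AutoSize
}
```

A hit on the registry values alone (without the files) is still worth following up, since the description notes the worm deletes MSCONFIG.EXE and kills registry editors, so the usual tools for inspecting these keys may have been tampered with.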
I-Worm.Hallad
This is a virus-worm that spreads via the Internet attached to infected e-mails; it also sends itself through IRC channels and carries a payload. The worm itself is a Windows PE EXE file about 80 Kb in length, written in Visual Basic 6. Infected messages appear as follows:

Subject: %Name of the sender% + " is a millionaire"
Attachment: LucKey.exe
Body: " Hi" + %Name of the grantee% + "Your Friend " + %Name of the sender% + " invites you to be a millionaire" + %Name of the grantee% + "and says : " + %Name of the grantee% + "Wow..its really cool Test your lock ;)" + %Name of the grantee% + " just keep this advertisements pro run and you will get 0.25 $ every 30 minutes" + %Name of the grantee% + " + " Wo-finance Team"
The worm is activated from an infected e-mail only when a user clicks on the attached file.

Installing
While installing, the worm copies itself to the Windows system directory with the name LUCKEY.EXE and to the Windows System directory with the name DALLAH.EXE. Then it displays a dialogue window titled Project1 with the following text:

Run time error '71'
Object required
[ OK ]
Spreading via E-mail
To send infected messages, the worm uses MS Outlook and sends messages to all addresses found in the Outlook address book.

Spreading via IRC channels
The worm searches the subdirectories of the current disk for the file MIRC.INI and overwrites it with a new script that sends the worm's EXE file to each user who joins the infected channel.

Payload actions
The worm creates many files with the following names in the current directory:

Sharoon ****.exe
Bush ****.exe
ZA-Union ****.exe
BinLadin ****.exe

where **** is a number from 1 to 9999. The worm also tries to remove the following folders on the disk with Windows:

Program Files\AntiViral Toolkit Pro
Program Files\Command Software\F-PROT95
eSafeProtect
PC-Cillin 95
PC-Cillin 97
Program Files\Quick Heal
Program Files\FWIN32
Program Files\FindVirus Toolkit\FindVirus
f-macro
Program Files\McAfee\VirusScan95
Program Files\Norton AntiVirus
TBAVW95
VS95
escue
Program Filesone Labs
The worm creates and runs the script file FLOPY.VBS. This script copies a worm dropper to the diskette under the name MALAL.EXE. It also creates companions to all files on the floppy drive with double extensions: it adds the extension ".EXE" to the original filenames.