Virus Database


Adin.1488

Description Adin.1488

This is a harmless memory-resident parasitic virus. It hooks INT 21h and writes itself to the end of COM and EXE files (except COMMAND.COM and AIDSTEST.EXE).
It infects files when they are renamed, closed, or accessed in other ways.


I-Worm.Mimail.q

Description I-Worm.Mimail.q
This is an encoded email worm from the Mimail family. It spreads via the Internet as files attached to infected messages. Mimail.q has two components: a dropper and the worm itself. The dropper file carries a unique encryption key in every message.
Dropper
The dropper is a Windows PE EXE file of approximately 32KB. It contains the main component of the worm, a file named 'outlook.exe', in compressed form.
On launching, the following fake error message is displayed:

The program copies itself to the Windows directory under the name sys32.exe and registers this file as a value in the system registry to enable auto-run:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"System" = "%Windir%\sys32.exe"
The program then extracts the file outlook.exe, the main component of the worm, which is copied to the Windows directory. The dropper re-encodes its body when it launches, so the code of all attachments sent from the computer during the current Windows session is identical. After Windows has been restarted, a new encryption key is used.
Main component
This is a Windows PE EXE file of approximately 50KB. It sends the dropper via email, contains a backdoor function, and is able to steal information.
It creates a number of keys in the Windows system registry in order to identify its own presence on the computer:
Software\Microsoft\Windows\CurrentVersion\Explorer
Explorer2
Explorer3
Explorer4
Explorer5
Explorer
When searching for email addresses to send infected messages to, the worm does not scan files with the following extensions: .com, .wav, .cab, .pdf, .rar, .zip, .tif, .psd, .ocx, .vxd, .mp3, .mpg, .avi, .dll, .exe, .gif, .jpg and .bmp. Email addresses found in other files are saved to the file outlook32.cfg, and infected messages are sent to these addresses. The content of infected messages varies; it is composed from a range of parameters, e.g.:

Sender's address:
[random]
Message header:
very cool picture only for you
Message body:
Good evening my dearest [random name],
I wondered
My brother had best sex I ever seen last night togather with the boss of [random name] %-)
I switched on my samsung camera and make excellent images!
Please don't show pictures to your bro, okay?
or another example:
Message header:
sexy photo
Message body:
Good evening Lora
I shocked
My brother had best sex last evening with the sister of Jim %-)))
But I turned on panasonic cam and create good pictures %-)
And do not show photos anybody else, I trust you.
Attachment name:
prv_photos.gif.pif (random)
Size of attachment:
32KB
The worm uses its own SMTP engine to send infected messages. To send messages directly to the recipient's SMTP server, the worm uses the DNS server 212.5.86.163, as does Mimail.p.
Other
The worm has a backdoor function, which opens TCP port 667 to receive commands.
It launches the command shell cmd.exe on port 3000 in order to receive and execute commands.
It attempts to open ports 80, 1433, and 1434, and if these attempts are successful, it sends information to:
advokat_2000@mail15.com
with the messages:
mssql2 open
and
mssql open
It also attempts to connect to www.google.com, and if this attempt is successful, it sends information to:
hodorkovsky@mail15.com
avp@mail15.com
Additionally, if a connection to www.google.com is established, the worm launches the routine that steals information from PayPal users, in exactly the same way as I-Worm.Mimail.p does. The information gathered is sent to the following addresses:
kaspersky_av@mail15.com
kasperskyeee@mail15.com
kaspersky_av@hotbox.ru
kaspersky_eee@pochta.ru
Eugene.Kaspersky@gmx.net
boris@berezovsky.cjb.net
just-for-fun@ziplip.com
In exactly the same way as Mimail.a, Mimail.b, Mimail.c and Mimail.p, the worm is able to steal user information from users of the E-Gold payment system.
The information gathered is saved in c:\tmp\gld.txt and sent to the addresses from the list below:
E.Kaspersky@gmx.net
kaspersky_eugene@hotbox.ru
kaspersky_eugene@mail15.com
eugene@kaspersky.com
The worm also contains the following text:
*** GLOBAL WARNING: if any free email company or hosting company will close/filter my email/site accounts, it will be DDoS'ed in next version. WARNING: centrum.cz will be DDoS'ed in next versions, coz they have closed my mimail-email account. Who next? ***
visit our friendly site www.blackgate.us

I-Worm.Moncher

Description I-Worm.Moncher

This is an Internet worm that spreads via e-mail, attached as an EXE or ZIP file. The worm itself is a Win32 executable file about 37Kb in length, written in Visual Basic. The worm is also able to spread via IRC channels.
When the worm's EXE file is run from an attachment or from an IRC download directory, it registers itself in the system to run each time Windows starts up, and it sends infected messages. To hide itself, the worm displays two fake messages:
INSTALL
Install complete.

ERROR!
Unable to run program!
While installing itself into the system, the worm copies itself to the Windows directory under the name WINHLP.EXE, creates the VBS "helper" script file OUTLOOKHELP.VBS in the same directory, and registers both files in the Windows registry auto-run section:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
WinProfile = %WinDir%\winhlp.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
OutlookProfile = %WinDir%\outlookhelp.vbs
where %WinDir% is the name of the Windows directory.
The first (EXE) file is the worm's main code, and the second (VBS) file is the e-mail spreading program.
When the VBS script is run, it connects to MS Outlook, obtains the addresses from the MS Outlook Address Book, and sends messages there. The message Subject, Body and Attachment appear as follows:
Subject: With Love
Body: Whit all my love for you. :)
Attach: Winhlp.exe or MonCherry.zip
The worm infects the mIRC client if it is installed in the C:\MIRC directory. The worm writes a script to the SCRIPT.INI file there that sends the infected WINHLP.EXE file to each user who enters the infected IRC channel.
On January 13th, the worm overwrites the C:\AUTOEXEC.BAT file with a DOS batch program that formats the C: drive on the next reboot.
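A host-triage check for the persistence and backdoor indicators given in the Mimail.q and Moncher entries above (an added example, not tooling from this database): it matches Run-key values and netstat-style listener lines against the file names and ports the entries list. The input data is constructed, and %WinDir% is assumed to expand to C:\Windows.

```python
import re
# Indicators taken from the two entries above: Run-key value name -> file name.
RUN_KEY_INDICATORS = {
    "system": "sys32.exe",                # I-Worm.Mimail.q dropper
    "winprofile": "winhlp.exe",           # I-Worm.Moncher main code
    "outlookprofile": "outlookhelp.vbs",  # I-Worm.Moncher VBS helper
}
# Mimail.q backdoor listeners: port -> what the entry says listens there.
BACKDOOR_PORTS = {667: "command channel", 3000: "cmd.exe shell"}

def expand_windir(path, windir=r"C:\Windows"):
    """Expand the %WinDir% placeholder used in the entries (assumed location)."""
    return re.sub(r"%windir%\\?", lambda _: windir + "\\", path, flags=re.IGNORECASE)

def check_run_keys(run_values):
    """run_values: {value_name: command} read from HKLM\\...\\CurrentVersion\\Run.
    Returns (value_name, expanded_path) for each value matching an indicator."""
    hits = []
    for name, cmd in run_values.items():
        expected = RUN_KEY_INDICATORS.get(name.lower())
        full = expand_windir(cmd).strip('"')
        if expected and full.split("\\")[-1].lower() == expected:
            hits.append((name, full))
    return hits

# 'netstat -ano' layout: proto, local address, foreign address, state, PID.
NETSTAT_LINE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)")

def check_listeners(netstat_output):
    """Return (port, pid, description) for LISTENING sockets on backdoor ports."""
    hits = []
    for line in netstat_output.splitlines():
        m = NETSTAT_LINE.match(line)
        if m and int(m.group(1)) in BACKDOOR_PORTS:
            port, pid = int(m.group(1)), int(m.group(2))
            hits.append((port, pid, BACKDOOR_PORTS[port]))
    return hits

# Constructed sample data so the script runs stand-alone.
SAMPLE_RUN = {
    "System": r"%Windir%\sys32.exe",
    "WinProfile": r"%WinDir%\winhlp.exe",
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}
SAMPLE_NETSTAT = """  TCP    0.0.0.0:135    0.0.0.0:0    LISTENING    880
  TCP    0.0.0.0:667    0.0.0.0:0    LISTENING    1532
  TCP    0.0.0.0:3000   0.0.0.0:0    LISTENING    1532
"""
if __name__ == "__main__":
    for hit in check_run_keys(SAMPLE_RUN) + check_listeners(SAMPLE_NETSTAT):
        print("suspicious:", hit)
```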

    Copyright © 2005 Virus-Database.com