Virus Database

CCBB.2221

Description CCBB.2221

This is a benign stealth memory resident virus. It hits MBR of hard drive of execution of infected file. It hooks INT 13h, 21h and writes itself at the end of COM and SYS files that are executed. It manifests itself by a video effect: depending on the system time it "flips" the screen. The virus uses the word CCBBh as ID-word while infection.

Check other viruses! Be aware! Use Antiviral Software

I-Worm.Winevar

Description I-Worm.Winevar

This is the worm virus spreading via the Internet being attached to infected emails. The worm was found in-the-wild in Korea at the end of November 2002.
The worm itself is a Windows PE EXE file about 91Kb of length written in Microsoft Visual C++. Most of text strings in worm body are encrypted.
Installing
While installing the worm copies itself to Windows system directory with the random selected name:
WIN%rnd%.PIF
where %rnd% is random number, and registers that file in system registry auto-run key:
HKCUSoftwareMicrosoftWindowsCurrentVersionRun
HKLMSoftwareMicrosoftWindowsCurrentVersionRun
HKLMSoftwareMicrosoftWindowsCurrentVersionRunServices
There are two values written to all those keys:
.default = %worm file name%
%worm name% = %worm file name%
where %worm name% is worm file name without extentions, %worm file name% is full file name, for example:
.default = "C:\TEMP\WIND2C2.pif"
"WINA2B3" = "C:\WINDOWS\SYSTEM\WINA2B3.pif"
It seems that ".default" duplicate is written to registry key because of a bug in worm code.
Later the worm also copies itself with EXPLORER.PIF name to the Desktop.
Spreading
To get victim emails the worm looks for *.HTM and *.DBX files and extracts emails addresses from there except emails that have "@microsoft." part in email address. To send infected messages the worm uses direct connection to default SMTP server.
While sending itself the worm appends to its copy following information:
- country region ID (for example: [KOR], [RUS] - for Korea and Russia)
- current date and time
- user name and company name (as it is stored in registration information)
By using these data that is possible to trace particular worm copy "migration" process.
The infected messages have different data in email fields. Below the %RegisteredOwner% and %RegisteredOrganization%

Subject is randomly (depending on worm "generation") selected from variants:
Re: AVAR(Association of Anti-Virus Asia Reseachers)
N'4 %RegisteredOrganization%
N'4 Trand Microsoft Inc.

The last (third) variant is selected in case there is no "RegistreredOrganization" key in system registry. The "N`4" combination is not decrypted "Re:" string, it seems that the worm author just forgot to decrypt that string in corresponding routine.
The message body is also selected depending on worm generation:
%RegisteredOwner% - %RegisteredOrganization%
or:
AVAR(Association of Anti-Virus Asia Reseachers) - Report.
Invariably, Anti-Virus Program is very foolish.
Attached file names can be different, for example:
MUSIC_1.HTM, MUSIC_2.CEO
WIN40B1.TXT, WIN40B1.GIF
Where "WIN" names have random number at the end (in this case - "40B1"). At the same time depending on email client the appearence of these attached files in the infected message may be different.
To run from infected message the worm uses two security breaches:
Microsoft VM ActiveX Component
Incorrect MIME Header Can Cause IE to Execute E-mail Attachment
Payload
The worm looks for anti-virus programs, firewalls and debuggers and tries to terminate them, as well as to kill their files. In some cases (in all cases?) if an anti-virus is found, the worm erases all files on all drives, probably because of a mistake in its code.
The worm drops to Windows system directory "WIN%Rnd%.TMP" file, writes "Win32.Funlove" virus to there and executes this file. Thus the worm infects the machine with "Win32.Funlove" virus.
The worm displays the message:
Make a fool of oneself
What a foolish thing you have done!
In an endless loop the worm opens the http://www.symantec.com Web site (it seems that worm tries to run DoS attack on that server).
The worm also has following encrypted text strings:
~~ Drone Of StarCraft~~
http://www.sex.com/

I-Worm.Xanax

Description I-Worm.Xanax

This is an Internet worm that was found in the wild in the middle of March 2001. The worm spreads via e-mail by sending infected messages from affected computers through IRC channels by sending its copy there. The worm also infects EXE files in the Windows directory.
The worm itself is a Win32 application (PE EXE file) written in Microsoft Visual C++ language. The worm size is about 60K in length, but it was found in compressed form: the worm code was compressed by ASPack utility, possessing about 34K in length.
When the worm starts, it copies itself to the Windows system directory with two names: XANAX.EXE and XANSTART.EXE. The XANSTART.EXE file is then registered in Registry auto-run key:
HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun
Default = %winsystem%xanstart.exe
where %winsystem% is the name of the Windows system directory. As a result, the worm is run each time Windows starts up.
Infected E-mail
The worm then launches its e-mail spreading routine. To do this, the worm creates a temporary XANAX.VBS file (Visual Basic script), writes a VBS program there and starts it with the help of WSCRIPT.EXE. The VBS program gains access to the Outlook address book, and sends messages to the first 1,000 addresses from each of the address lists
Subject: Stressed? Try Xanax!
Body:

Hi there! Are you so stressed that it makes you ill? You're not alone!
Many people suffer from stress, these days. Maybe you find Prozac too
strong? Then you NEED to try Xanax, it's milder. Still not convinced?
Check out the medical details in the attached file. Xanax might change
your life!

Attachments: xanax.exe
Infecting EXE files
The worm then looks for EXE files in the Windows directory, and infects them. While infecting, the worm moves a victim file body down and writes itself to the file beginning. The worm does not infect files with names beginning with E, P, R, S, T, W.
IRC channels
Next, the worm infects the mIRC client if it is installed. The worm looks for the mIRC client in the following directories:
mirc
Program Filesmirc
on the C:, D:, E: and F: drives. If the mIRC client exists, the worm overwrites the SCRIPT.INI mIRC script file with a program that sends the worm's copy to everybody who joining the infected channel.
Other Comments
When the worm is run from a file with name with the letter 'R' as the next to last one in a file name (xxxRx.EXE), it displays the following message:

The exact name as this contains the worm's file XANSTART.EXE that is registered in the system Registry auto-run key. So, the worm displays this message upon each Windows start-up.
The worm also creates more files in the system:
Windows system directory: HOSTFILE.EXE

Windows directory: WINSTART.BAT, XANAX.SYS
The HOSTFILE.EXE remains after running an infected host file, and this file contains a pure (not infected) body of last infected file run.
The XANAX.SYS file contains the text:
Win32.HLLP.Xanax (c) 2001 Gigabyte
The WINSTART.BAT file contains commands that display the message:
Do not take this medication with ethanol, Buspar (buspirone), TCA antidepressants, narcotics, or other CNS depressants. This combination can increase CNS depression. Be sure not to take other sedative, benzodiazepines, or sleeping pills with this drug. The combinations could be fatal. Do not smoke or drink alcohol when taking Xanax. Alcohol can lower blood pressure and decrease your breathing rate to the point of unconsciousness. Tobacco and marijuana smoking can add to the sedative effects of Xanax.

Home