Advent.Syslock.3551
Description Advent.Syslock.3551
This is a non-resident virus, described as harmless, that infects COM and EXE files when an infected program is executed. EXE files are infected in the standard way; in COM files the first 23h bytes of the file are replaced by a jump to the virus body. Most of the virus body is stored encrypted. The virus does not activate if the string "SYSLOCK=@" is present in the environment (setting that variable therefore acts as an inoculation). Its payload replaces the string "Microsoft" with "Macrosoft" in disk sectors.
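The COM-infection layout described above, as an added example that is not Syslock's own code: it decodes the 3-byte JMP rel16 that such an infector leaves at offset 0, builds a synthetic sample in that layout (filler bytes only, constructed here), and shows the disinfection step of copying the saved header back and truncating the appended region. Where the saved 23h bytes sit inside the virus body is an assumption, since the description does not say; a real cleaner would match the body signature before trusting the jump target.

```python
"""COM-file JMP-at-entry check and header restore for the infection layout the
Syslock description gives (first 23h bytes replaced by a jump to the virus
body).  Added example, not code from the virus or from the page.  The
synthetic sample built below is constructed filler and contains no virus bytes."""

import struct

COM_ORG = 0x100          # DOS loads a .COM image at CS:0100h
HEADER_LEN = 0x23        # number of host bytes the description says are replaced


def entry_jump_target(image: bytes):
    """File offset that a JMP rel16 (E9 xx xx) at offset 0 lands on, or None.

    The displacement is relative to the byte after the 3-byte instruction,
    i.e. to IP = 0x103, and the CPU wraps IP at 64K.  Converting back to a
    file offset means subtracting the 0x100 load origin.
    """
    if len(image) < 3 or image[0] != 0xE9:
        return None
    rel = struct.unpack_from("<h", image, 1)[0]
    ip = (COM_ORG + 3 + rel) & 0xFFFF
    offset = ip - COM_ORG
    return offset if 0 <= offset < len(image) else None


def build_synthetic_infected(host: bytes, body: bytes) -> bytes:
    """Constructed fixture in the described layout: the original first 23h
    bytes are saved at the start of the appended region (an assumption, the
    page does not say where Syslock keeps them), the rest of the host is left
    untouched, and offset 0 now holds a JMP to that region.  Hosts larger than
    about 32K would need a different jump encoding; not handled here.
    """
    if len(host) < HEADER_LEN:
        raise ValueError("host too small to be infected this way")
    body_off = len(host)                        # appended region starts here
    stub = b"\xE9" + struct.pack("<h", body_off - 3)
    stub = stub.ljust(HEADER_LEN, b"\x90")      # remaining replaced bytes, NOP filler
    return stub + host[HEADER_LEN:] + host[:HEADER_LEN] + body


def disinfect(image: bytes):
    """Reverse the layout above: follow the entry JMP, copy the saved header
    back over the stub and drop everything from the appended region on.
    Returns None when the file does not fit the pattern.  A jump target that
    lands inside the first 23h bytes cannot point at an appended body, so it
    is rejected as well (a clean program that merely begins with a short JMP).
    """
    target = entry_jump_target(image)
    if target is None or target <= HEADER_LEN or target + HEADER_LEN > len(image):
        return None
    saved = image[target:target + HEADER_LEN]
    return saved + image[HEADER_LEN:target]
```

The restore step is only as trustworthy as the jump target; a heuristic this simple flags any COM file whose entry jump lands near the end of the image, which is why scanners pair it with a signature of the body itself.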
I-Worm.Fog
Description I-Worm.Fog
This is a Win32 e-mail worm with backdoor and DDoS capabilities. The worm is a Win32 application (PE EXE file), about 180 KB in its UPX-packed form and about 500 KB unpacked, written in Delphi. It spreads as an e-mail attachment named AntiVirus.exe and uses MAPI to talk to the mail client. It also reports the infected machine to an IRC channel (presumably the operator's channel) and then activates its backdoor and DDoS routines, which let a remote operator control the infected machine and use it to launch DoS attacks against other hosts.

When the infected file is started (from an infected message or from any other source) the worm displays a message box:

Explorer i reb00t [OK]

When OK is pressed, the worm copies itself into the Windows system directory as "AntiVirus.exe" and into the Windows Fonts directory as "Times New Roman.exe". The latter copy is registered in the system registry auto-run key:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Windows = %windows font directory%\Times New Roman.exe

To spread, the worm looks through the Inbox for all messages that have at least one attached file and replies to each of them with an infected message:

Subject: I think that you sent me a virus.. heres a cleaner
Body: I took my computer to the shop and they ran this, and told me to send it to you.. hope this helps.
Attach: AntiVirus.exe

The worm also deletes NETSTAT.EXE and REGEDIT.EXE from the Windows directory.

The worm additionally looks for running anti-virus, personal-firewall and other security processes and tries to terminate them: APLICA32.EXE CFIADMIN.EXE CFIAUDIT.EXE CFINET32.EXE CFINET.EXE IAMSERV.EXE IAMAPP.EXE PCFWallIcon.EXE FRW.EXE VSHWIN32.EXE VSECOMR.EXE WEBSCANX.EXE AVCONSOL.EXE VSSTAT.EXE NAVAPW32.EXE NAVW32.EXE _AVP32.EXE _AVPCC.EXE _AVPM.EXE AVP32.EXE AVPCC.EXE AVPM.EXE AVP.EXE LOCKDOWN2000.EXE ICLOAD95.EXE ICMON.EXE ICSUPP95.EXE ICLOADNT.EXE ICSUPPNT.EXE TDS2-98.EXE TDS2-NT.EXE ZONEALARM.EXE MINILOG.EXE SAFEWEB.EXE IFACE.EXE ANTS.EXE ANTI-TROJAN.EXE BLACKICE.EXE BLACKD.EXE VSMON.EXE WRCTRL.EXE WRADMIN.EXE CLEANER3.EXE CLEANER.EXE TCA.EXE MOOLIVE.EXE SPHINX.EXE

The worm contains the "copyright" text strings: [Fist Of God] [Remote DDoS] [v2.7b]
I-Worm.Frethem
Description I-Worm.Frethem
The Frethem family of e-mail worms spreads via the Internet as attachments to infected e-mails. The worms are Windows PE EXE files about 31-35 KB in length, depending on the variant, compressed with PE-Pack and UPX (double compression) and written in Microsoft Visual C++. They carry backdoor routines (see below).

Infected messages have the following Subject, message body and attached files, depending on the variant:

Frethem.a:
Subject: Re: Do your Windows looks like Windows XP? I have found very nice desktop themes!
Message:
Hello!
Do you like modern design of new Windows XP?! I have found FREE and easy to use desktop themes! You can open attach with web site and samples!
Enjoy it!!!
Attached: www.freedesktopthemes.com

Frethem.b, c, f, h:
Subject: Re: Your password!
Message: [empty]
Attachments: yourpassword.exe, password.txt ("Your password placed in password.txt")

Frethem.d:
Subject: Re: Do your Windows looks like Windows XP? I have found very nice desktop themes!
Message:
Hi!
There is good news for you!
Do you like modern design of new Windows XP?! I have found FREE and easy to use desktop themes! You can open attach with web site and samples! It's really cool!
Enjoy it!!!
Yours, %sender%
Attached: www.xpdesktopthemes.com

Frethem.e, g, j, k, l:
Subject: Re: Your password!
Message:
ATTENTION! You can access very important information by this password
DO NOT SAVE password to disk use your mind
now press cancel
Attached: decrypt-password.exe, password.txt

The attached EXE file is the worm itself; the attached TXT file (if present) contains false text such as:
"Your password is W8dqwq8q918213"

Running
Depending on the variant, the infected message either exploits an Internet Explorer security hole (the IFRAME vulnerability) or carries no "security tricks" at all. In the latter case the worm activates only when the user opens the attached file; in the former it may start automatically when the infected message is opened or previewed on a vulnerable system. Once run, the worm installs itself on the system and starts its spreading routine.

Installing
First the worm checks the installed keyboard layouts: if Russian or Uzbek keyboard support is present (Windows keyboard layout language identifiers 0419h or 0843h) the worm exits without taking any action. Otherwise it copies itself to the Windows startup directory under the name setup.exe:
%windir%\Start Menu\Programs\Startup\setup.exe
If the Startup directory does not exist, variants k, l and m copy themselves to the Windows directory under the name taskbar.exe. Either way the worm is run at each Windows boot.

Spreading
The worm uses the SMTP protocol to send e-mail. It harvests addresses from WAB (Windows Address Book) files and from *.DBX (Outlook Express) mail database files and sends infected messages to those addresses.

Backdoor
The backdoor routine selects a URL at random from a list hard-coded in the worm body (from 10 URLs in some variants to 50 in others), downloads a specific file from the selected site and processes the commands written there. The main backdoor features are:
executing requested commands on the infected system
downloading EXE file(s) from that site and running them ("upgrading" the worm to a new version)
When the backdoor routine is activated the worm creates two data files in the Windows directory:
STATUS.INI and WIN64.INI

Other
The worm body contains the text:
thAnks tO AntIvIrUs cOmpAnIEs fOr dEscrIbIng thE IdEA! nO AnY dEstrUctIvE ActIOns! dOnt wArrY, bE hAppY!
This text may be written to the file winstat.ini in the Windows directory.
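The keyboard-layout kill switch and the drop locations from the Installing and Backdoor sections above, as an added triage helper that is not the worm's code: the layout check has to look at the language identifier in the low 16 bits of an input-locale handle, so a handle such as 0xF0010419 (a secondary Russian layout, constructed here) still matches, as does the 8-digit KLID string "00010419" of the kind stored under HKCU\Keyboard Layout\Preload. The layout lists and file paths below are constructed; the artifact names are only a hint, since setup.exe, taskbar.exe and status.ini are common names.

```python
"""Frethem triage helpers: re-implements the keyboard-layout kill switch and
checks a file listing for the drop names given in the description.  Added
example, not the worm's code; all sample inputs are constructed."""

# Windows primary-language identifiers the description names (hex 0419 / 0843).
RUSSIAN = 0x0419
UZBEK_CYRILLIC = 0x0843
KILL_SWITCH_LANGIDS = {RUSSIAN, UZBEK_CYRILLIC}

# Drop locations from the description, keyed by trailing path component.
ARTIFACT_SUFFIXES = {
    "startup\\setup.exe": "copy in Startup folder (all variants)",
    "\\taskbar.exe": "fallback copy in Windows directory (variants k, l, m)",
    "\\status.ini": "backdoor data file",
    "\\win64.ini": "backdoor data file",
    "\\winstat.ini": "file carrying the worm's text string",
}


def langid_from_hkl(hkl: int) -> int:
    """Language identifier from an input-locale handle (HKL), the value
    GetKeyboardLayoutList returns.  The high word carries a device handle or
    flags (0xF001 for a second layout of the same language, for instance),
    the low word the language identifier; comparing the whole handle against
    0x0419 would miss such layouts."""
    return hkl & 0xFFFF


def langid_from_klid(klid: str) -> int:
    """Language identifier from an 8-hex-digit keyboard layout identifier
    string ("00000419", "00010419") as listed under
    HKCU\\Keyboard Layout\\Preload; the last four digits are the language."""
    klid = klid.strip()
    if len(klid) != 8 or any(c not in "0123456789abcdefABCDEF" for c in klid):
        raise ValueError(f"not an 8-digit KLID: {klid!r}")
    return int(klid[-4:], 16)


def frethem_would_abort(hkls=(), klids=()) -> bool:
    """True if any installed layout is Russian or Uzbek (Cyrillic), i.e. the
    worm's installer would exit without doing anything on this host."""
    ids = {langid_from_hkl(h) for h in hkls} | {langid_from_klid(k) for k in klids}
    return bool(ids & KILL_SWITCH_LANGIDS)


def frethem_artifacts(paths):
    """Match a list of file paths against the drop names above.  Matching is
    on the trailing path component, case-insensitive, so the name of the
    Windows directory itself (WINDOWS, WINNT, ...) does not matter.
    Returns (path, why) pairs for a human to follow up."""
    hits = []
    for p in paths:
        norm = p.replace("/", "\\").lower()
        for suffix, why in ARTIFACT_SUFFIXES.items():
            if norm.endswith(suffix):
                hits.append((p, why))
    return hits
```

A constructed host with a US layout plus a secondary Russian one, given as HKL values [0x04090409, 0xF0010419], makes frethem_would_abort return True, while a host with only "00000409" preloaded returns False; frethem_artifacts over a directory listing then points the responder at the Startup copy and the INI files that the backdoor routine leaves behind.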