Virus Database


Constructor.DOS.PS-MPC

Description Constructor.DOS.PS-MPC

PS-MPC (the Phalcon/Skism Mass-Produced Code Generator) is the second best-known virus constructor, after VCL. Its features are described in the documentation distributed with the main PS-MPC package:
The Phalcon/Skism Mass-Produced Code Generator is a tool, which generates
viral code according to user-designated specifications. The output is in
Masm/Tasm-compatible Intel 8086 assembly, and it is up to the user to
assemble the output into working executable form. The features of the
PS-MPC include the following:
- Over 150 encryption techniques, randomly generated during each
run of the PS-MPC
- Compact, commented code, much tighter than VCL
- COM/EXE infections
- Both resident and nonresident viruses
- Two types of traversals for nonresident viruses
- Three types of high memory residency routines for TSR viruses
- Optional infection of Command.Com
- Critical error handler support

The PS-MPC constructor was released in 1992 and distributed both as source code and as executables. It is one of the most popular constructors, and several other constructors (G2, IVP) were built from the PS-MPC sources.
The constructor emits the virus as an ASM source file. The user selects the virus features: whether it is encrypted, whether it is memory resident, which targets it infects (COM, EXE, or both COM and EXE), payload effects, and so on.
The viruses of the "Arcv" family appear to have been generated with PS-MPC.


I-Worm.Mydoom.b

Description I-Worm.Mydoom.b
Mydoom.b is a modification of Mydoom.a that spreads via the Internet in the form of files attached to infected messages and via the Kazaa file-sharing network. The worm itself is a Windows PE EXE file of 29184 bytes, compressed using UPX and PE-Patch. The decompressed file is approximately 49KB in size.
The worm is activated only if the user opens the archive and launches the infected file by double-clicking on the attachment. The worm then installs itself in the system and starts the replication process.
The worm contains a backdoor function, and is also programmed to carry out DoS attacks on the sites www.sco.com and www.microsoft.com.
Part of the body of the worm is encrypted.
The unpacked file contains the following text:
(sync-1.01; andy; I'm just doing my job, nothing personal, sorry)
Installation
Following launch, the worm opens Windows Notepad, showing a random string of characters.
During installation, the worm copies itself under the name explorer.exe to the Windows system directory and registers this file in the system registry auto-run keys:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskMon" = "%System%\explorer.exe"
The worm also creates the file ctfmon.dll in the Windows system directory; this is the backdoor component (a proxy server), and it is registered in the system registry as an in-process COM server:
[HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
"Apartment" = "%SysDir%\ctfmon.dll"
Because it is registered this way, ctfmon.dll is loaded into the Explorer.exe process rather than running as a process of its own.
The worm also creates a file called Body in the temporary directory (usually %windir%\temp). This file contains a random string of characters.
So that the worm can recognise an already infected system, it creates several additional keys in the system registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version]
While running it also creates a unique identifier, sync-v1.01__ipcmtx0.
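The persistence described above leaves three registry artefacts: a Run value named TaskMon pointing at an explorer.exe under the system directory, a ctfmon.dll registered as an in-process COM server under the CLSID shown, and the ComDlg32\Version marker keys. The following added Python example (not code from the page or from any vendor tool) parses a .reg-style export of those keys and reports each artefact. The export text is constructed for illustration, the drive and directory names in it are assumptions, and the check relies on the assumption that a genuine explorer.exe lives in %windir% rather than %windir%\system32.

```python
import re
from typing import Dict, List, Tuple

# Constructed .reg-style export of the keys described above, as they would look on an
# infected host. Sample data, not captured from a real machine; paths are assumptions.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskMon"="C:\\WINDOWS\\system32\\explorer.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskMon"="C:\\WINDOWS\\system32\\explorer.exe"

[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
"Apartment"="C:\\WINDOWS\\system32\\ctfmon.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version]
'''

# Key paths are compared case-insensitively, so they are stored lower-cased.
RUN_KEYS = {
    r'hkey_local_machine\software\microsoft\windows\currentversion\run',
    r'hkey_current_user\software\microsoft\windows\currentversion\run',
}
MARKER_KEYS = {
    r'hkey_local_machine\software\microsoft\windows\currentversion\explorer\comdlg32\version',
    r'hkey_current_user\software\microsoft\windows\currentversion\explorer\comdlg32\version',
}
HIJACKED_CLSID_KEY = (
    r'hkey_classes_root\clsid\{e6fb5e20-de35-11cf-9c87-00aa005127ed}\inprocserver32'
)

_KEY_RE = re.compile(r'^\[(.+)\]$')
_VALUE_RE = re.compile(r'^(?:"([^"]+)"|@)=(?:"(.*)"|(.*))$')


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key path: {value name: data}}.

    Handles the string-value syntax used above; other value types are kept raw.
    The .reg format doubles backslashes inside string data, so they are collapsed.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('Windows Registry Editor'):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})   # an empty key is still recorded
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else '@'
            data = m.group(2) if m.group(2) is not None else m.group(3)
            keys[current][name] = data.replace('\\\\', '\\')
    return keys


def find_mydoom_b_indicators(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (kind, key, value name, data) for each indicator found."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if k in RUN_KEYS:
            for name, data in values.items():
                d = data.lower()
                # Assumption: the genuine explorer.exe lives in %windir%, not in
                # %windir%\system32, so an explorer.exe under system32 is the dropped
                # copy. "TaskMon" is the value name the worm registers.
                if name.lower() == 'taskmon' or (d.endswith('\\explorer.exe') and '\\system32\\' in d):
                    findings.append(('run-key', key, name, data))
        elif k == HIJACKED_CLSID_KEY:
            for name, data in values.items():
                # A ctfmon.dll registered as an in-process COM server is the worm's
                # proxy component (the legitimate ctfmon is an .exe).
                if data.lower().endswith('ctfmon.dll'):
                    findings.append(('clsid-inproc', key, name, data))
        elif k in MARKER_KEYS:
            findings.append(('marker-key', key, '', ''))
    return findings


def scan_reg_export(text: str) -> List[Tuple[str, str, str, str]]:
    """Convenience wrapper: parse an export and return the indicators it contains."""
    return find_mydoom_b_indicators(parse_reg(text))


if __name__ == '__main__':
    for kind, key, name, data in scan_reg_export(SAMPLE_REG):
        print(f'{kind:13} {key}  {name}={data}')
```

On a live system the same checks can be run against `reg export` output of the three key paths; the ctfmon.exe Run entry in the sample is deliberately left unflagged, since a ctfmon.exe in the system directory is the normal text-services loader.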
Mydoom.b replaces the standard 'hosts' file in the Windows directory with its own version (under the same name). The replacement file prevents the machine from reaching the following domains:
ad.doubleclick.net
ad.fastclick.net
ads.fastclick.net
ar.atwola.com
atdmt.com
avp.ch
avp.com
avp.ru
awaps.net
banner.fastclick.net
banners.fastclick.net
ca.com
click.atdmt.com
clicks.atdmt.com
dispatch.mcafee.com
download.mcafee.com
download.microsoft.com
downloads.microsoft.com
engine.awaps.net
fastclick.net
f-secure.com
ftp.f-secure.com
ftp.sophos.com
go.microsoft.com
liveupdate.symantec.com
mast.mcafee.com
mcafee.com
media.fastclick.net
msdn.microsoft.com
my-etrust.com
nai.com
networkassociates.com
office.microsoft.com
phx.corporate-ir.net
secure.nai.com
securityresponse.symantec.com
service1.symantec.com
sophos.com
spd.atdmt.com
support.microsoft.com
symantec.com
update.symantec.com
updates.symantec.com
us.mcafee.com
vil.nai.com
viruslist.ru
windowsupdate.microsoft.com
www.avp.ch
www.avp.com
www.avp.ru
www.awaps.net
www.ca.com
www.fastclick.net
www.f-secure.com
www.kaspersky.ru
www.mcafee.com
www.my-etrust.com
www.nai.com
www.networkassociates.com
www.sophos.com
www.symantec.com
www.trendmicro.com
www.viruslist.ru
www3.ca.com
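The hosts-file hijack described above can be checked for with a short script. This is an added Python example, not material from the page or any vendor's tool: it parses a hosts file, flags any name pinned to 0.0.0.0 or a loopback address (a sinkhole), and separately flags any entry for a security-vendor or update domain, since such a domain should never be pinned locally. The sample file, the addresses 0.0.0.0 and 127.0.0.1 (the page does not say which address the worm's file uses) and the watchlist are assumptions; the watchlist generalises the list above to vendor apex domains, including microsoft.com, so that it also catches entries the page does not list.

```python
import ipaddress
from typing import List, Tuple, Union

# Apex domains of the vendors and update services in the list above (assumed watchlist).
# Any hosts-file entry for one of these, or a subdomain, is suspect whatever it maps to.
WATCHLIST = {
    'avp.ch', 'avp.com', 'avp.ru', 'ca.com', 'f-secure.com', 'kaspersky.ru', 'mcafee.com',
    'microsoft.com', 'my-etrust.com', 'nai.com', 'networkassociates.com', 'sophos.com',
    'symantec.com', 'trendmicro.com', 'viruslist.ru',
}

# Names that legitimately map to loopback/unspecified addresses in a stock hosts file.
LOOPBACK_NAMES = {'localhost', 'localhost.localdomain', 'broadcasthost',
                  'ip6-localhost', 'ip6-loopback'}

# Constructed sample modelled on the page's description; not the worm's actual file.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         avp.com
0.0.0.0         www.kaspersky.ru   # sinkholed vendor site
127.0.0.1       liveupdate.symantec.com
127.0.0.1       windowsupdate.microsoft.com
127.0.0.1       ad.doubleclick.net
192.168.1.10    intranet.example.test
"""

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def parse_hosts(text: str) -> List[Tuple[int, Address, str]]:
    """Return (line number, address, hostname) for every mapping in a hosts file."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()   # drop comments and surrounding whitespace
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue   # malformed line; a stricter scanner might report it
        for host in parts[1:]:   # one address may be followed by several names
            entries.append((lineno, addr, host.lower()))
    return entries


def suspicious_hosts_entries(text: str, watchlist=WATCHLIST) -> List[Tuple[int, str, str, str]]:
    """Return (line, hostname, address, reason) for entries that look like a hijack.

    Two signals: the name resolves to 0.0.0.0 or a loopback address (a sinkhole), or the
    name belongs to a vendor/update domain that should never be pinned in the hosts file.
    """
    findings = []
    for lineno, addr, host in parse_hosts(text):
        sinkholed = addr.is_unspecified or addr.is_loopback
        if sinkholed and host in LOOPBACK_NAMES:
            continue   # the normal "127.0.0.1 localhost" style entries
        on_watchlist = any(host == d or host.endswith('.' + d) for d in watchlist)
        if sinkholed and on_watchlist:
            reason = 'vendor domain sinkholed'
        elif sinkholed:
            reason = 'sinkholed'
        elif on_watchlist:
            reason = 'vendor domain overridden'
        else:
            continue
        findings.append((lineno, host, str(addr), reason))
    return findings


if __name__ == '__main__':
    for lineno, host, addr, reason in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f'line {lineno}: {host} -> {addr} ({reason})')
```

The same function can be pointed at %windir%\system32\drivers\etc\hosts on a suspect machine; the ad-network entries in the sample are reported as plain sinkholes because they are not vendor domains, which is exactly the distinction an analyst wants when separating ad blocking from update sabotage.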


Mailing letters
Emails are sent in the same way as by Mydoom.a, with the following changes.
The body text is chosen at random from the following:
The message cannot be represented in 7-bit ASCII encoding
and has been sent as a binary attachment

sendmail daemon reported: Error #804 occured during SMTP session.
Partial message has been received

The message contains Unicode characters and
has been sent asa binary attachment.

The message contains MIME-encoded graphics and
has been sent as a binary attachment

Mail transaction failed. Partial message is available.
Mydoom.b might also send emails with random strings of characters in the subject, body and attachment name.
Propagation via P2P
The worm checks for the presence of a Kazaa client on the computer and copies itself to the file-sharing directory under the following names:
NessusScan_pro
attackXP-1.26
winamp5
MS04-01_hotfix
zapSetup_40_148
BlackIce_Firewall_Enterpriseactivation_crack
xsharez_scanner
icq2004-final
with the following extensions:
bat
exe
scr
pif

I-Worm.Mydoom.e

Description I-Worm.Mydoom.e

This worm has also been called Mydoom.F and is a modification of Mydoom.a.
It spreads via the Internet as a file attached to infected messages. The worm is a PE EXE file of 33KB or slightly larger, packed using UPX; the unpacked file is approximately 55KB in size. The worm is also able to send itself inside a ZIP archive.
The worm is activated only if the user opens the archive and launches the infected file by double-clicking on the attachment. The worm then installs itself on the system and starts propagating.
The worm includes a backdoor function and is programmed to carry out DoS attacks on www.microsoft.com and www.riaa.com.
Everything indicates that this worm is not an original creation but a separate build derived from the original Mydoom.a source code: parts of the original code are still present in this version even though they serve no function.
Installation
Once launched, the worm may display a fake error message: 'File is corrupted', 'File cannot be opened' or 'Unable to open specified file'.
The worm may also create a file in the temporary system directory containing a random string of characters, which it may open in Notepad.
It also creates a mutex named jmydoat<name of infected computer>Xmtx to flag its presence in the system.
When installing, the worm copies itself under a random name to the Windows system directory and registers this file in the system registry auto-run keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
<random characters> = "%System%\<name of worm file>"
The worm then searches all accessible disks from C: to Z: and copies itself under random names into every folder whose name contains one of the following words:
shar
startup
start
The worm creates a file with a random name and .dll extension in the Windows system directory. This file is 9724 bytes in size, and is the backdoor component, which is intended to open a backdoor on port 1080 and act as a proxy server.
The worm creates several copies of itself as ZIP archives in the Windows root directory. These files are then used to send mass emails. In order to flag its presence in the system, the worm also creates several additional keys in the system registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell
HKCU\Software\Microsoft\Windows\CurrentVersion\Shell
Sending of email
In order to send copies of itself, the worm searches all accessible disks from C: to Z: for files with the following extensions:
wab
mbx
nch
mmf
ods
rtf
uin
oft
mht
vbs
msg
pl
eml
adb
tbb
dbx
asp
php
sht
htm
txt
It then sends itself to all email addresses found in these files.
Infected emails have the following characteristics:
Sender's address: any address found on the infected machine, or chosen from the following list
jerry
bill
smith
jim
sam
james
alex
A random selection of characters may also be used. In this case, after the @ symbol in the sender's address, one of the following domains will be used:
aol.com
msn.com
yahoo.com
hotmail.com
edu
Message header: (chosen at random)
hello
hi
Announcement
read now!
forget
bug
unknown
fake
Wanted
recent news
news
stolen
Attention
Accident
Schedule
Re: Thank you
Thank you
Re: Details
Details
Re: Approved
Approved
hi, it's me
Important
Readme
Read this message
please read
please reply
Thank You very very much
You use illegal File Sharingall
Your IP was logged
Your account is about to be expired
Love is
Love is...
Undeliverable message
Re:
Your order was registered
Your request was registered
Your order is being processed
Your request is being processed
Current Status
Your credit card
Read it immediately!
Read this
Read it immediately
Something for you
For you
For your information
Information
Warning
You have 1 day left
automatic notification
automatic responder
Notification
Expired account
Your account has expired
Registration confirmation
Confirmation
Confirmation Required
Returned Mail
Message body: (chosen at random)
Greetings
See you
Here it is
You are bad
Take it
Reply
Please, reply
Okay
OK
Everything ok?
Check the attached document.
The document was sent in compressed format.
Please see the attached file for details
See the attached file for details
Details are in the attached document. You need Microsoft Office to open it.
Information about you
We have received this document from your e-mail.
Kill the writer of this document!
Something about you
I have your password :)
You are a bad writer
Is that yours?
Is that from you?
I wait for your reply.
Here is the document.
Read the details.
I'm waiting
Attachment name: (chosen at random)
body
message
test
data
file
text
readme
document
doc
msg
photo
resume
image
object
website
friend
jokes
joke
approved
paypal
disc
misc
part3
part2
part4
part1
mail2
list
mail
story
about
money
check
product
notes
your_document
note
information
textfile
posting
post
stuff
attachment
creditcard
or a selection of random characters.
The attached file has one of the following extensions:
exe
scr
com
pif
bat
cmd
zip
preceded by a second (decoy) extension from the following list, giving names of the form document.doc.pif:
doc
htm
rtf
xls
jpg
gif
png
txt
exe
pif
scr
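A mail gateway can catch the attachment pattern described above before a user ever double-clicks it. The following added Python example (not code from the page or from any vendor) builds a constructed message in that shape, with a ZIP attachment wrapping a double-extension executable, a bare readme.txt.scr and one harmless text attachment, then scans every attachment, looking inside ZIP archives as well, and flags names whose final extension is executable, with a stronger verdict when a decoy document extension precedes it. The addresses, subject and attachment bytes are placeholders taken from the lists above, not a real capture.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from typing import List, Optional, Tuple

# Final extensions the worm uses for the attachment, and the decoy inner extensions it
# places before them so that "document.doc.pif" looks like a document when extensions
# are hidden.
EXECUTABLE_EXTS = {'exe', 'scr', 'com', 'pif', 'bat', 'cmd'}
DECOY_EXTS = {'doc', 'htm', 'rtf', 'xls', 'jpg', 'gif', 'png', 'txt'}


def classify_filename(name: str) -> Optional[str]:
    """Return a verdict for a risky attachment name, or None if it looks harmless."""
    parts = name.lower().split('.')
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return None
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return 'executable-with-decoy-extension'
    return 'executable'


def scan_message(raw: bytes) -> List[Tuple[str, str]]:
    """Inspect every attachment of an RFC 5322 message, looking inside ZIP archives too.

    Returns (attachment name, verdict) pairs; names inside an archive are reported
    as "archive.zip:inner-name".
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: List[Tuple[str, str]] = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ''
        verdict = classify_filename(name)
        if verdict:
            findings.append((name, verdict))
        if name.lower().endswith('.zip'):
            payload = part.get_payload(decode=True) or b''
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    for inner in zf.namelist():
                        inner_verdict = classify_filename(inner)
                        if inner_verdict:
                            findings.append((f'{name}:{inner}', inner_verdict))
            except zipfile.BadZipFile:
                # A ZIP that cannot be opened is itself worth a look.
                findings.append((name, 'unreadable-zip'))
    return findings


def build_sample_message() -> bytes:
    """Constructed message in the shape described above (placeholders, not a capture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        # Placeholder bytes with an MZ prefix; not a real executable.
        zf.writestr('document.doc.pif', b'MZ' + b'\x00' * 64)
    msg = EmailMessage()
    msg['From'] = 'jerry@hotmail.com'
    msg['To'] = 'user@example.test'
    msg['Subject'] = 'Re: Approved'
    msg.set_content('Check the attached document.')
    msg.add_attachment(buf.getvalue(), maintype='application', subtype='zip',
                       filename='document.zip')
    msg.add_attachment(b'MZ' + b'\x00' * 64, maintype='application',
                       subtype='octet-stream', filename='readme.txt.scr')
    msg.add_attachment('just some notes', subtype='plain', filename='notes.txt')
    return msg.as_bytes()


if __name__ == '__main__':
    for name, verdict in scan_message(build_sample_message()):
        print(f'{verdict:32} {name}')
```

Matching on the subject or sender lists above would be fragile, since they are generic phrases and free-mail domains; the attachment name and the contents of the archive are the stable part of this worm's messages and are what the check keys on.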
DoS attacks
If the system date is between the 17th and the 22nd of the month, there is a 60% chance that the worm will carry out a DoS attack on www.microsoft.com and a 30% chance that it will carry out a DoS attack on www.riaa.com. Mydoom.e performs DoS attacks in exactly the same way as the other Mydoom variants, by sending multiple GET requests to port 80 of the site under attack.
Deletion of files
The worm searches all accessible disks from C: to Z: for files with the extensions .mdb, .doc, .xls, .sav, .jpg, .avi and .bmp and uses a random number generator to determine which files with these extensions should be deleted.
Other
The worm searches memory for processes whose names contain the following text:
reged
taskmo
taskmg
avp.
avp32
norton
navapw
navw3
intrena
mcafe
and attempts to terminate them.

    Copyright © 2005 Virus-Database.com