AFV.517
Description AFV.517
It is a harmless memory resident parasitic virus. It hooks INT 21h and writes itself to the beginning of .COM files (except COMMAND.COM) that are accessed. The virus does not manifest itself in any way. The header of infected files contains the text: AFV
I-Worm.Ivalid
Description I-Worm.Ivalid
This is a dangerous worm that spreads over the Internet attached to email messages. The worm itself is a Windows application about 12K in size.

To spread, the worm uses SMTP and connects to the "mail.bezeqint.net" email server to send infected messages. It gets victim email addresses from HTML files: it searches for *.HT* files on the hard drive and looks for email addresses in them.

The infected messages contain the following data:

From: "Microsoft Support" [support@microsoft.com]
Subject: Invalid SSL Certificate
Attach: SSLPATCH.EXE
Message text:

Hello, Microsoft Corporation announced that an invalid SSL certificate that web sites use is required to be installed on the user computer to use the https protocol. During the installation, the certificate causes a buffer overrun in Microsoft Internet Explorer and by that allows attackers to get access to your computer. The SSL protocol is used by many companies that require credit card or personal information so, there is a high possibility that you have this certificate installed. To avoid of being attacked by hackers, please download and install the attached patch. It is strongly recommended to install it because almost all users have this certificate installed without their knowledge. Have a nice day, Microsoft Corporation

In case of an error, or when the infected messages have been sent, the worm encrypts all EXE files in the current directory and all parent directories. It uses the standard Windows crypto API for the encryption.

The worm also contains the following texts in its body:

I-Worm.Invalid, Written By Dr.T/BCVG Network, 2001 The Black Cat Virii Group, 2001
I-Worm.Jer
Description I-Worm.Jer
This is an Internet worm that spreads through IRC channels and also intends to spread via e-mail, but fails because of bugs in its code.

Installation

The worm was placed by its author on a page at www.geocities.com. The page has the title: "<< THE 40 WAYS WOMEN FAIL IN BED". On 2 July 2000, information about this page was announced on IRC channels, and the page received more than 1000 hits on the first day. Fortunately, the worm had a bug in its e-mail infection routine, and it didn't spread too far.

The "Jer" worm uses a primitive, but very effective way of penetrating computers. A Web site contains a script program (the worm itself), which is automatically executed after a user opens an infected HTML page. The user then receives a warning from the system asking whether to accept this unknown script or not. This method exploits so-called "mind breaches": to get rid of this annoying message, a user will answer "yes". Right after this moment, the worm is passed on to the computer.

The infected HTML page contains the VBS script in its body. Upon opening that page, the script is automatically executed and the worm gains control. It creates a copy of the infected HTML page in the Windows system directory under the name JER.HTM and registers it in the autostart section of the system registry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\GinSenG = "JER.HTM"

As a result, the worm is automatically executed on each Windows startup.

Spreading

The worm then goes to the C:\MIRC directory and (if such a directory exists) creates a "SCRIPT.INI" file that contains commands for the mIRC client. The worm writes to this file a set of commands that send the infected JER.HTM file to every computer that connects to the same channel as the infected computer. Additionally, this script gives access to the local disk of the infected computer to any IRC user who types a specified script keyword.
Payload

The worm makes some more changes in the system registry:

Disables desktop
Disables "Find" dialog box
Disables network properties dialog box
Removes "Shut Down" from "Start" menu

The worm also changes the Windows registration information:

Owner: I Love You, Min
Organization: GinsengBoy- 2000

Removal

To restore system settings, the original registry values have to be restored.

NOTE: It is recommended that only experienced users fix the Registry keys by using the Registry Editor. Incorrect access can cause serious problems that may require you to reinstall Windows. For information about how to edit the registry, view the Changing Keys And Values online Help topic in the Registry Editor (REGEDIT.EXE).

The following keys have to be removed from the registry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\GinSenG
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Network\NoNetSetup
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose

The following keys have to be changed to proper values:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Version - Windows version (for example "Windows 98").
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner - User name (Windows registered to)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RegisteredOrganization - Organization name (Windows registered to)
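
The removal list above can be checked against a registry export before any manual editing. The following is an added example, not part of the original description: it parses a REGEDIT4 text export and reports which of the I-Worm.Jer values listed above are present. The sample export and the names parse_reg, audit and SAMPLE_EXPORT are constructed for illustration.

```python
import re

CV = r"hkey_local_machine\software\microsoft\windows\currentversion"
# (key, value name) pairs the removal section says to delete, lower-cased.
TO_REMOVE = {(CV + k, v) for k, v in [
    (r"\run", "ginseng"), (r"\policies\network", "nonetsetup"),
    (r"\policies\explorer", "nodesktop"), (r"\policies\explorer", "nofind"),
    (r"\policies\explorer", "noclose")]}
# Values to restore, with the data the worm writes. "Version" is left out:
# the description does not say what the worm sets it to.
TO_RESTORE = {
    (CV, "registeredowner"): "I Love You, Min",
    (CV, "registeredorganization"): "GinsengBoy- 2000",
}
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

# Constructed sample export (not taken from a real machine).
SAMPLE_EXPORT = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"GinSenG"="JER.HTM"
"SystemTray"="SysTray.Exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDesktop"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion]
"RegisteredOwner"="I Love You, Min"
"RegisteredOrganization"="Example Org"
"""

def parse_reg(text):
    """Yield (key, value_name, raw_data) from a REGEDIT4 text export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            yield key, m.group(1), m.group(2)

def audit(text):
    """Return sorted (action, key, name) findings for the worm's changes."""
    findings = []
    for key, name, data in parse_reg(text):
        ident = (key.lower(), name.lower())
        if ident in TO_REMOVE:
            findings.append(("remove", key, name))
        elif ident in TO_RESTORE and data.strip('"') == TO_RESTORE[ident]:
            findings.append(("restore", key, name))
    return sorted(findings)
```

Calling audit(SAMPLE_EXPORT) flags GinSenG and NoDesktop for removal and RegisteredOwner for restoring, and leaves the unrelated SystemTray and "Example Org" values alone.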