Virus Database


Agena.723

Description Agena.723

It's a dangerous memory resident parasitic virus. It hooks INT 20h, 21h and writes itself to the end of COM- and EXE-files that are executed. Depending on the system date it erases disk sectors.


I-Worm.DragonBall

Description I-Worm.DragonBall

This Internet worm spreads via e-mail messages using MS Outlook and IRC, and is written in VBS. The worm doesn't work correctly, because it contains a few fatal errors.
When the script is run, it creates self-copies in the system directories:
C:\Windows\Winsock.vbs
C:\Windows\Sysdir.vbs
C:\Windows\System\millioner.vbs
C:\Windows\System\DragonBall.vbs
C:\Windows\System\DragonBall.cab
It also creates three scripts in the IRC directory:
C:\mIRC\mirc.ini
C:\mIRC\script.ini
C:\mIRC\update.ini
The IRC scripts are needed for spreading via the IRC channel. Because the directory names "C:\Windows" and "C:\mIRC" are hard-coded in the worm's body, it can't perform these operations if the operating system and the IRC client are installed in different directories.
After this, the worm changes some keys in the system registry and the WIN.INI file. It creates two keys in the registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"winsock2.0"="C:\Windows\winsock.vbs"

[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
"sysup"="C:\Windows\sysdir.vbs"
and changes the value of the two keys in the WIN.INI file:
[windows]
load=C:\Windows\System\DragonBall.vbs
run=C:\Windows\System\millioner.vbs
In this way, the worm is always run when the operating system starts. In addition, the worm changes another two keys in the system registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion]
"RegisteredOwner"="Dragon Ball Z by YuP"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://bdball.metropoli2000.net/fotos/imagenes/sagas/foto7_40.jpg"
Then the worm activates a spread procedure, opening the MS Outlook address book, and for each address, creating the following message:
Subject: Hello ;]
Body: Hi , check out this game that j sent you (funny game from the net:]).
Attach: dragonball.vbs
The worm contains errors, and this procedure can't work correctly, so the worm can't spread via e-mail.
In conclusion, the worm displays the following dialogue box:

When a user closes this box, the worm disables keyboard and mouse functions, and then runs MediaPlayer with a file from the Internet:
http://bdball.metropoli2000.net/mmedia/videos/clips/dballz/gokuhss1.mpg
and changes AUTOEXEC.BAT, inserting the strings:
@ECHO ON
ECHO DraGon Ball [Z] by YuP
ECHO Thank you and bye bye dragon world!!

I-Worm.Duksten.a

Description I-Worm.Duksten.a

Duksten.a is a worm that spreads via the Internet in ZIP files attached to infected emails. The worm itself is a Windows PE EXE file about 10KB in length, encrypted. In infected messages the attachment is a ZIP archive named SKUDO.ZIP that contains the worm copy w_skudo.exe.
The infected messages have an empty body and the following fields:
From: "ISP_Tecnico"< skudo@iris.es >
Subject: NetsKudo,proteccion IP para Windows9x/Me/Nt/2000/XP
Attach: SKUDO.ZIP

The worm activates from infected emails only if a user clicks on the attached file and extracts the EXE file from the ZIP archive, and runs it. The worm then installs itself to the system and runs its spreading routine and payload.
Installing
While installing the worm copies itself to the Windows system directory with the name NetSkudo.exe and registers that file in the system registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
XRF = %SystemDir%\NetSkudo.exe

Spreading
To get victim email addresses the worm opens the WAB (Windows Address Book) database and reads emails from there. To send infected messages the worm uses a direct connection to the default SMTP server.
There are several bugs in its email spreading routines so the worm will have problems spreading to "true" SMTP servers that follow email and transfer standards (RFC standards).
While sending infected emails the worm also creates the following files in Windows system directory:
mWAB.XRF - this file contains victim email(s)
mBase64.xrf - worm's ZIP file in MIME form
program.zip - worm's ZIP file

While storing itself in the ZIP archive the worm uses a "stored" compression method (i.e. "do not compress" method).
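
A gateway-style check for the attachment described above, as an added example that is not part of the original description: it lists executable members of a ZIP and whether they use the "stored" method, in which case the member's bytes sit unmodified inside the archive and a byte-signature scan of the raw attachment can match them. The function names and the harmless sample payload are constructed for illustration.

```python
import io
import zipfile

# Extensions treated as directly runnable on Windows (illustrative list).
EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".vbs")

# Constructed sample data: an "MZ" prefix followed by placeholder text.
SAMPLE_PAYLOAD = b"MZ" + b"CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-BINARY" * 8


def triage_zip(data):
    """Return one finding per executable-looking member of a ZIP attachment."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(2)
            by_ext = info.filename.lower().endswith(EXEC_EXTS)
            by_magic = head == b"MZ"  # DOS/PE header, catches renamed files
            if not (by_ext or by_magic):
                continue
            findings.append({
                "name": info.filename,
                # Stored members are not compressed, so their content is
                # visible to a scanner that only looks at the raw archive.
                "stored": info.compress_type == zipfile.ZIP_STORED,
                "pe_magic": by_magic,
                "size": info.file_size,
            })
    return findings


def build_sample(method):
    """Build a constructed archive holding w_skudo.exe with the given method."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("w_skudo.exe", SAMPLE_PAYLOAD, compress_type=method)
        zf.writestr("readme.txt", "constructed text member",
                    compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


if __name__ == "__main__":
    for method in (zipfile.ZIP_STORED, zipfile.ZIP_DEFLATED):
        archive = build_sample(method)
        print(triage_zip(archive), SAMPLE_PAYLOAD in archive)
```

A deflated member still has to be unpacked before scanning, which is why the check opens each member instead of relying on the raw bytes alone.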
Other
The worm also tries to infect other PE EXE files found on the hard drive of infected machines but fails because of a bug.

    Copyright © 2005 Virus-Database.com