DarkElf family
Description DarkElf family
These are harmless memory-resident encrypted parasitic viruses; "DarkElf.3691" is a polymorphic virus. They hook INT 21h and write themselves to the end of COM and EXE files that are executed or opened. The viruses do not infect files whose names match any of the following: AIDS*.EXE, DRWEB*.EXE, WEB*.EXE, SCAN*.EXE, -*.*, AVP*.*, AVSP*.EXE, TB*.EXE, COMMAND.COM, IBM*.*, WIN*.COM

The viruses use several levels of encryption as well as several anti-debugging tricks. They contain text strings in Russian as well as the following:

"DarkElf.2200":
[Dark Elf] version 2.1 CopyLeft (cl) MSTUdent 18/08/96 03:50:30
AIDS????EXEDRWEB???EXEWEB?????EXESCAN????EXE-??????????AVP???????? AVSP????EXETB??????EXECOMMAND?COMIBM????????WIN?????COM

"DarkElf.3691":
[Dark Elf] version 3.0 CopyLeft (cl) MSTUdent 13/11/96 18:04:13
AIDS????EXEDRWEB???EXEWEB?????EXESCAN????EXE-??????????AVP???????? AVSP????EXETB??????EXECOMMAND?COMIBM????????WIN?????COM
[DEME] Dark Elf Mutation Engine v1.0 CopyLeft (cl) MSTUdent 13/11/96 18:04:13
I-Worm.Atirus
Description I-Worm.Atirus
This is a Win32 worm that spreads by sending itself via e-mail to the recipients in the victim's Outlook Address Book. When launched on a 'clean' PC, the worm copies itself to %SYSTEM%\Setup30.exe. The worm also writes an auto-start registry value so that it is launched each time Windows starts:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Kernel Setup = %SYSTEM%\Setup30.exe

The worm then sleeps for 5 minutes and launches one of its payloads depending on the system date:

Monday: finds and removes I-Worm.Badtrans

Tuesday: restores the default values in Win.ini:
[windows]
Run=
Load=
and sets the following registry value:
HKCR\exefile\shell\open\command
Default value = "%1" %*

Wednesday: finds and removes I-Worm.PrettyPark

Thursday: deletes the following files if they exist:
c:\mirc\mirc.ini
c:\mirc\script.ini
c:\mirc32\mirc.ini
c:\mirc32\script.ini
c:\irc\mirc.ini
c:\irc\script.ini
c:\chat\mirc.ini
c:\chat\script.ini
c:\progra~1\mirc\mirc.ini
c:\progra~1\mirc\script.ini
c:\progra~1\mirc32\mirc.ini
c:\progra~1\mirc32\script.ini
c:\progra~1\irc\mirc.ini
c:\progra~1\irc\script.ini

Friday: finds and removes I-Worm.Sircam.c

Saturday: restores the default values in System.ini:
[boot]
Shell=explorer.exe

Sunday: finds and deletes all files with a ".vbs" extension in the %WINDOWS% and %SYSTEM% folders.

On September 16, it displays the following message:
Antivirus
System protected by I-Worm.Antivirus Copyright (c) 2001 by aLL3gRo

After executing the payload, the worm checks whether the following registry value is present:
HKLM\Software\Microsoft\Windows\CurrentVersion
Install = 1
If the value does not exist, the worm tries to send itself to the senders of the messages found in the default MAPI client's folders. The subject of the message is "New antivirus tool", the attachment "Antivirus.exe" is the worm itself, and the body reads:
Hey, checkout this new antivirus tool which checks your system for viruses
I-Worm.Avron.a
Description I-Worm.Avron.a
This is a worm that spreads via the Internet, attached to infected e-mails, and through the local network by copying itself to shared network drives. The worm has a password-stealing routine. The worm itself is a Windows PE EXE file written in Microsoft Visual C++. Its size varies by version:
I-Worm.Avron.a: 26Kb (compressed by UPX, decompressed size about 57Kb)
I-Worm.Avron.b: 34Kb (compressed by UPX)
I-Worm.Avron.b: 33Kb (compressed by UPX)
The worm has bugs in its code and fails to spread under some system conditions.

Installing
While installing, the worm copies itself to the Windows system directory under a random name, for example:
2dadd52doc.exe
f23h672.exe
and registers that file in the system registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
I-Worm.Avron.a: Mortimer = %worm file name%
I-Worm.Avron.b, I-Worm.Avron.c: Avril Lavigne - Muse = %worm file name%
Spreading: E-Mail
The worm looks for victim e-mail addresses in the WAB database, and also scans files with the following extensions for e-mail-like strings: .DBX .MBX .WAB .HTML .EML .HTM .ASP .SHTML

To send infected e-mails the worm connects to the default SMTP server. The infected messages have:

The "From" field holds a real sender address, either one of the real e-mail addresses found on the computer (see above) or one randomly selected from the list:
IIS Exchange Board
IREX/ORG
RART Team
Stimon online
Rudolf Ginsberg
Avril Lavigne
ACTR/Accels

The "Subject" is randomly selected from the variants:

I-Worm.Avron.a:
Fw: IREX Fields Description
Re: ACCELS Awards results for 2003
Re: Avril Fans will rock you
Fw: Avril Lavigne - the best
Re: Antique themes
Re: ACTR/ACCELS Transcriptions

I-Worm.Avron.b:
Fw: Redirection error notification
Re: Brigada Ocho Free membership
Re: According to Purges Statement
Fw: Avril Lavigne - CHART ATTACK!
Re: Reply on account for IIS-Security Breach (TFTP)
Re: ACTR/ACCELS Transcriptions
Re: IREX admits you to take in FSAU 2003
Fwd: Re: Have U requested Avril Lavigne bio?
Re: Reply on account for IFRAME-Security breach
Fwd: Re: Reply on account for Incorrect MIME-header
Re: Vote seniors masters - dont miss it!
Fwd: RFC-0245 Specification requestedall
Fwd: RFC-0841 Specification requested...
Fw: F. M. Dostoyevsky "Crime and Punishment"
Re: Junior Achievement
Re: Ha perduto qualque cosa signora?

I-Worm.Avron.c:
Fw: Prohibited customers...
Re: Brigade Ocho Free membership
Re: According to Daos Summit
Fw: Avril Lavigne - the best
Re: Reply on account for IIS-Security
Re: ACTR/ACCELS Transcriptions
Re: The real estate plunger
Fwd: Re: Admission procedure
Re: Reply on account for IFRAME-Security breach
Fwd: Re: Reply on account for Incorrect MIME-header
The message "Body" is in HTML format and is randomly selected from the variants:

I-Worm.Avron.a:

Body1:
EDUCATIONAL PURPOSE
Avril fans subscription
I wish you the sweetest thing

Body2:
Restricted area response team (RART)
Attachment you sent to %random worm% is really good :-) Well done!
SMTP session error #450: service not ready

Body3:
>See this in attached files
>>New PICS of Avril Lavigne!!!
>>It is honourable when you do it!!!
I-Worm.Avron.b:

Body1:
Network Associates weekly report:
Microsoft has identified a security vulnerability in Microsoft IIS 4.0 and 5.0 that is eliminated by a previously-released patch. Customers who have applied that patch are already protected against the vulnerability and do not need to take additional action. to apply the patch immediately. Microsoft strongly urges all customers using IIS 4.0 and 5.0 who have not already done so
Patch is also provided to subscribed list of Microsoft Tech Support:
Patch :
Date :

Body2:
Restricted area response team (RART)
Attachment you sent to %s is intended to overwrite start address at 0000:HH4F
To prevent from the further buffer overflow attacks apply the MSO-patch

Body3:
Avril fans subscription
FanList admits you to take in Avril Lavigne 2003 Billboard awards ceremony
Vote for I'm with you!
Admission form attached below

Body4:
AVRIL LAVIGNE - THE CHART ATTACK!
Vote fo4r Complicated!
Vote fo4r Sk8er Boi!
Vote fo4r I'm with you!
Chart attack active list:

I-Worm.Avron.c:

Body1:
Microsoft has identified a security vulnerability in Microsoft IIS 4.0 and 5.0 that is eliminated by a previously-released patch. Customers who have applied that patch are already protected against the vulnerability and do not need to take additional action. to apply the patch immediately. Microsoft strongly urges all customers using IIS 4.0 and 5.0 who have not already done so
Patch is also provided to subscribed list of Microsoft® Tech Support:

Body2:
Restricted area response team (RART)
Attachment you sent to %s is intended to overwrite start address at 0000:HH4F
To prevent from the further buffer overflow attacks apply the MSO-patch

Body3:
Avril fans subscription
FanList admits you to take in Avril Lavigne 2003 Billboard awards ceremony
Vote for I'm with you!
Admission form attached below
The attached file name is randomly selected from the list:

I-Worm.Avron.a:
Resume.exe
ACTR_Form.exe
AvrilFans.exe
PDF_Desc.exe
XXX_Teens.exe
Transcripts.exe
Readme.exe
AvrilSmiles.exe

I-Worm.Avron.b:
Resume.exe
ADialer.exe
MSO-Patch-0071.exe
MSO-Patch-0035.exe
Two-Up-Secretly.exe
Transcripts.exe
Readme.exe
AvrilSmiles.exe
AvrilLavigne.exe
Complicated.exe
TrickerTape.exe
Sophos.exe
Cogito_Ergo_Sum.exe
CERT-Vuln-Info.exe
Sk8erBoi.exe
IAmWiThYoU.exe
Phantom.exe
EntradoDePer.exe
SiamoDiTe.exe
BioData.exe
ALavigne.exe

I-Worm.Avron.c:
Resume.exe
Download.exe
MSO-Patch-0071.exe
MSO-Patch-0035.exe
Two-Up-Secretly.exe
Transcripts.exe
Readme.exe
AvrilSmiles.exe
AvrilLavigne.exe
Complicated.exe
Singles.exe
Sophos.exe
Cogito_Ergo_Sum.exe
CERT-Vuln-Info.exe
Sk8erBoi.exe
IAmWiThYoU.exe
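The sender names, subjects and attachment names listed above are static lure strings and can be matched at a mail gateway. The following is an added example written for this description, not code from the original page: it turns a representative subset of those lists into a filter rule and adds one variant-independent check, an IFRAME in an HTML body that ships alongside an executable attachment (the auto-run delivery the description mentions). The function names, the verdict policy and the sample messages are my own constructions.

```python
"""Mail-filter rule for the I-Worm.Avron lure indicators (added example; the
indicator lists are copied from the description above, the sample messages
below are constructed)."""
import re
from typing import Dict, List


def _norm(s: str) -> str:
    """Collapse whitespace and lower-case so header spacing does not defeat a match."""
    return " ".join(s.split()).lower()


# Indicator lists copied from the description above (a representative subset).
KNOWN_SENDER_NAMES = {_norm(s) for s in [
    "IIS Exchange Board", "IREX/ORG", "RART Team", "Stimon online",
    "Rudolf Ginsberg", "Avril Lavigne", "ACTR/Accels",
]}
KNOWN_SUBJECTS = {_norm(s) for s in [
    "Fw: IREX Fields Description", "Re: ACCELS Awards results for 2003",
    "Re: Avril Fans will rock you", "Fw: Avril Lavigne - the best",
    "Re: Antique themes", "Re: ACTR/ACCELS Transcriptions",
    "Fw: Redirection error notification",
    "Re: Reply on account for IIS-Security Breach (TFTP)",
    "Re: Reply on account for IFRAME-Security breach",
    "Fwd: Re: Reply on account for Incorrect MIME-header",
]}
KNOWN_ATTACHMENTS = {_norm(s) for s in [
    "Resume.exe", "ACTR_Form.exe", "AvrilFans.exe", "PDF_Desc.exe",
    "XXX_Teens.exe", "Transcripts.exe", "Readme.exe", "AvrilSmiles.exe",
    "MSO-Patch-0071.exe", "MSO-Patch-0035.exe", "CERT-Vuln-Info.exe",
    "Sophos.exe", "Sk8erBoi.exe", "IAmWiThYoU.exe",
]}
IFRAME_RE = re.compile(r"<\s*iframe\b", re.IGNORECASE)


def classify_message(from_name: str, subject: str,
                     attachments: List[str], html_body: str) -> List[str]:
    """Return the names of the indicators that matched this message."""
    hits = []
    if _norm(subject) in KNOWN_SUBJECTS:
        hits.append("subject")
    if _norm(from_name) in KNOWN_SENDER_NAMES:
        hits.append("from_name")
    if any(_norm(a) in KNOWN_ATTACHMENTS for a in attachments):
        hits.append("attachment")
    # Variant-independent check: an IFRAME in the HTML body together with an
    # executable attachment is the auto-run delivery the description mentions.
    if IFRAME_RE.search(html_body) and any(_norm(a).endswith(".exe") for a in attachments):
        hits.append("iframe_exe")
    return hits


def verdict(hits: List[str]) -> str:
    """Map matched indicators to a gateway action (policy chosen for this example)."""
    if "iframe_exe" in hits or len(hits) >= 2:
        return "block"
    return "quarantine" if hits else "deliver"


SAMPLE_MESSAGES = [  # constructed inputs, not captured samples
    {"id": "lure", "from_name": "RART Team", "subject": "Re: ACTR/ACCELS Transcriptions",
     "attachments": ["Transcripts.exe"],
     "body": "<html><body>Restricted area response team (RART)</body></html>"},
    {"id": "benign", "from_name": "Alice", "subject": "lunch?",
     "attachments": ["notes.pdf"], "body": "<p>hi</p>"},
    {"id": "iframe", "from_name": "Bob", "subject": "report",
     "attachments": ["Update.exe"],
     "body": '<IFRAME src="cid:Update.exe"></IFRAME>'},
    {"id": "name-only", "from_name": "Avril Lavigne", "subject": "hello",
     "attachments": [], "body": ""},
]


def scan_samples() -> Dict[str, str]:
    """Run the rule over the constructed messages and return id -> verdict."""
    return {m["id"]: verdict(classify_message(m["from_name"], m["subject"],
                                              m["attachments"], m["body"]))
            for m in SAMPLE_MESSAGES}


if __name__ == "__main__":
    for msg_id, action in scan_samples().items():
        print(f"{msg_id:10s} {action}")
```

The "from_name" indicator is deliberately the weakest of the four: the description notes that the "From" field often carries a real address harvested from the infected machine, so a name match on its own only earns quarantine, while the IFRAME-plus-executable combination is blocked regardless of which variant produced it.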
While spreading, the worm creates a temporary "NewBoot.sys" file in the Temp directory. The worm also creates "listrecp.dll" in the Windows directory and writes the list of victim e-mail addresses there. The worm randomly uses the "IFrame" security breach to run automatically from infected messages; in the remaining cases the infected messages are "pure" HTML messages without an "IFrame" tag.

Spreading: Network
The worm copies itself under random names to the RECYCLED directory on all available logical drives (including shared network drives). If there is no RECYCLED directory, the worm copies itself to the root of the drive. To run on an affected machine the worm adds a command to the "autoexec.bat" file on the same drive.

Spreading: ICQ and IRC
The "b" and "c" variants of the worm search for the "ICQMapi.dll" library and try to send their copies to the recipients in the ICQ Contact List. They also create a "script.ini" file in the mIRC directory, so that their copies are sent to the IRC channels the user connects to.

Spreading: Kazaa
The "b" and "c" variants of the worm copy themselves to the Kazaa shared directory under a random name.

Password Stealing Routine
This routine enumerates cached passwords and sends them to the "otto_psws@pochta.ws" e-mail address with the subject "Password Got".

Payload
On the 7th and 24th of any month the worm starts a routine that randomly moves the mouse cursor on the screen and then opens the Web page: http://www.avril-lavigne.com
The "b" and "c" modifications of the worm execute the same payload on the 11th day of any month as well.

Other
The worm also starts a routine that continuously looks for active anti-virus and firewall processes and tries to terminate them. The worm creates a text file with a random name and the .TXT extension in the Temp directory and writes the following text there:

I-Worm.Avron.a:
Author ------> 2002 (c) Otto von Gutenberg
Made in -----> Almaty .::]Kazakhstan[::. (:;)--:>
Purpose -----> Only Educational
Virus name --> AVRIL (please do not change it)
[ATTENTION] The author has no response of the damages caused by AVRIL.
[DESCRIPTION] For my lovely Avril Lavigne dedicated. She lives in Canada and she's beautiful. This is for AV companies: Why? Why? Why don't you update your KB (knowledge bases) on my serial and yet serious masterpieces?! I guess that of AVRIL will get you thought of it. NO DESTRUCTIVE ACTION!
[ACKNOWLEDGEMENT] Antoher V0X & Hacker Group from Central Asia Thanx to Rage, Razum and V-HiV; coderz.net, indovirus.net, securitylab.ru etc.
Thank you for ideas approach to us!!! Bye
I-Worm.Avron.b:
2002 (c) Otto von Gutenberg
Made in .::]|KaZAkHstaN|[::.
As stated before, purpose is only educational, however...
I'm back to the scene with one more gift |Avril-II| (remember 'A' version of Avril-II)
HINT:NB: NEVER ACCEPT GIFTS FROM THE STRANGER
Avril-II is commonly dangerous because of its over-trojaned issues
~Greetz to Brigada Ocho (http://vx.netlux.org/~b8), Darkside Project(http://darkside.dtn.ru) and Weisses Fleisch Project (http://wf.h1.ru)
~Greetz to Rocco (http://primatelost.net)
Many thankx to my muse Avril Lavigne whose beauty causes work to flow rapidly
New features included: ICQ/IrC/ShaReD (urgently persuade to check it instantly)
BackOrifice-server dropper included
P.S.> How is my work?
Cheerz, Otto (www.otto-koden.h1.ru)
I-Worm.Avron.c:
2002 (c) Otto von Gutenberg
Made in .::]|KaZAkHstaN|[::.
As stated before, purpose is only educational, however...
I'm back to the scene with one more gift |Avril-II| (remember 'A' version of Avril-II)
HINT:NB: NEVER ACCEPT GIFTS FROM THE STRANGER
Avril-II is commonly dangerous because of its over-trojaned issues
Greetz to Brigada Ocho (http://vx.netlux.org/~b8), Darkside Project (http://darkside.dtn.ru) and Weisses Fleisch Project (http://wf.h1.ru)
Many thankx to my muse Avril Lavigne whose beauty causes work to flow rapidly
New features included: ICQ/IrC/ShaReD (urgently persuade to check it instantly)
BackOrifice-server dropper will be included next time
Cheerz, Otto (www.otto-koden.h1.ru)
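The I-Worm.Atirus and I-Worm.Avron descriptions above name a small set of host artifacts: the Run values "Kernel Setup", "Mortimer" and "Avril Lavigne - Muse", the dropped files Setup30.exe, listrecp.dll and NewBoot.sys, an "autoexec.bat" line that launches an executable from a RECYCLED directory, and the `"%1" %*` default for HKCR\exefile\shell\open\command. The following added example (not code from the original page) checks those artifacts against a host snapshot so it can run offline, for instance on data collected by an inventory agent. The snapshot layout, the function names and the sample snapshot are my own assumptions; the indicator strings come from the descriptions.

```python
"""Offline host-artifact check for the I-Worm.Atirus / I-Worm.Avron indicators
listed above (added example; the snapshot format is assumed and the sample
snapshot is constructed)."""
import re
from typing import Dict, List


def _norm(s: str) -> str:
    return " ".join(s.split()).lower()


# Run value name -> (family, substring the value data must contain, or None)
RUN_VALUE_INDICATORS = {
    "kernel setup": ("I-Worm.Atirus", "setup30.exe"),
    "mortimer": ("I-Worm.Avron.a", None),
    "avril lavigne - muse": ("I-Worm.Avron.b/.c", None),
}
# File base name -> what the description says it is
FILE_INDICATORS = {
    "setup30.exe": "I-Worm.Atirus copy in the system directory",
    "listrecp.dll": "I-Worm.Avron harvested-recipient list",
    "newboot.sys": "I-Worm.Avron temporary file used while mailing",
}
# An executable launched from a RECYCLED directory, as Avron adds to autoexec.bat
RECYCLED_EXE_RE = re.compile(r"(?:^|[\s\\])recycled\\[^\s\\]+\.exe", re.IGNORECASE)
# The value Atirus restores on Tuesdays; anything else means some program has
# inserted itself in front of every EXE launch and deserves a look.
EXEFILE_DEFAULT = '"%1" %*'


def check_run_values(run_values: Dict[str, str]) -> List[str]:
    """Match HKLM\\...\\Run value names (and, where required, their data)."""
    findings = []
    for name, data in run_values.items():
        hit = RUN_VALUE_INDICATORS.get(_norm(name))
        if hit is None:
            continue
        family, needle = hit
        if needle is None or needle in _norm(data):
            findings.append(f"Run value '{name}' -> {family}")
    return findings


def check_files(paths: List[str]) -> List[str]:
    """Match dropped-file names regardless of the directory they were found in."""
    findings = []
    for p in paths:
        base = _norm(p.replace("/", "\\").rsplit("\\", 1)[-1])
        if base in FILE_INDICATORS:
            findings.append(f"file {p} -> {FILE_INDICATORS[base]}")
    return findings


def check_autoexec(text: str) -> List[str]:
    return [f"autoexec.bat runs executable from RECYCLED: {line.strip()}"
            for line in text.splitlines() if RECYCLED_EXE_RE.search(line)]


def check_exefile_command(value: str) -> List[str]:
    if _norm(value) != _norm(EXEFILE_DEFAULT):
        return [f"HKCR\\exefile\\shell\\open\\command is {value!r}, expected {EXEFILE_DEFAULT!r}"]
    return []


def assess(snapshot: dict) -> List[str]:
    """Run every check over one host snapshot and return all findings."""
    return (check_run_values(snapshot.get("run_values", {}))
            + check_files(snapshot.get("files", []))
            + check_autoexec(snapshot.get("autoexec", ""))
            + check_exefile_command(snapshot.get("exefile_command", EXEFILE_DEFAULT)))


# Constructed snapshot of an infected host (the random names are invented).
SAMPLE_SNAPSHOT = {
    "run_values": {
        "Kernel Setup": r"C:\WINDOWS\SYSTEM\Setup30.exe",
        "Avril Lavigne - Muse": r"C:\WINDOWS\SYSTEM\f23h672.exe",
        "SystemTray": "SysTray.Exe",
    },
    "files": [r"C:\WINDOWS\listrecp.dll", r"C:\WINDOWS\TEMP\NewBoot.sys",
              r"C:\WINDOWS\notepad.exe"],
    "autoexec": "\n".join(["@ECHO OFF", r"SET PATH=C:\WINDOWS", r"C:\RECYCLED\kj29s.exe"]),
    "exefile_command": '"%1" %*',
}

if __name__ == "__main__":
    for finding in assess(SAMPLE_SNAPSHOT):
        print(finding)
```

The "Kernel Setup" rule requires the data to point at Setup30.exe because the value name alone is generic, whereas the two Avron value names are distinctive enough to flag on their own. The file check keys on base names only, since Avron installs under random names but its dropped helper files keep fixed names in the Windows and Temp directories.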