DBF Family
Description DBF Family
These are non-memory-resident, parasitic, encrypted viruses, marked as dangerous(?). They search for COM and EXE files and append themselves to the end of each file. They contain the internal text string "*.DBF *.EXE *.COM" and corrupt(?) DBF files.
I-Worm.Bagle.a
Description I-Worm.Bagle.a

This worm spreads via the Internet as an attachment to infected emails. The worm itself is a Windows PE EXE file of approximately 15KB. Messages sent by the worm have the following characteristics:

From: random sender
Subject: Hi
Body: Test =)
Signature: Test, yep
Attach: random name

Installation
The worm is activated only if a user opens the attached file. When installing, the worm copies itself to the system directory under the name 'bbeagle.exe' and registers this file in the system registry auto-run key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"d3dupdate.exe" = "%system%\bbeagle.exe"

The worm also runs the Windows calculator, calc.exe. It then attempts to connect to several remote sites related to TrojanProxy.Win32.Mitglieder.

Replication
The worm looks for files with the extensions wab, txt, htm, html and r1, scans them for email-like text strings, and sends infected messages to the addresses found. It uses its own SMTP engine to send the messages.

Backdoor function
The worm opens port 6777 and listens on it for commands. The backdoor allows an attacker to download files to, and execute commands on, the infected computer.

Other
If the system date is later than 28th January 2004, the worm has no effect.
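The description above gives three host artifacts worth checking on a suspect machine: the auto-run value, the dropped file name and the backdoor listener. The following is an added example (not code from the original page or from any vendor) that turns those indicators into a triage check over constructed `reg query` and `netstat -ano` output; the sample output, the PIDs and the legitimate SoundMAX entry are invented for the example, and the column layout of both tools is assumed to be whitespace-separated as shown. It also applies the 28 January 2004 kill date, since a copy found after that date is dormant but still present.

```python
import re
from datetime import date

# Indicators of compromise as given in the I-Worm.Bagle.a description.
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "d3dupdate.exe"
DROPPED_FILE = "bbeagle.exe"
BACKDOOR_PORT = 6777
KILL_DATE = date(2004, 1, 28)  # no effect when the system date is later than this

# Constructed sample of `reg query "HKLM\...\Run"` output: one legitimate entry and
# one Bagle.a entry. Format assumed: name, type and data separated by runs of spaces.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SoundMAX    REG_SZ    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    d3dupdate.exe    REG_SZ    C:\WINDOWS\system32\bbeagle.exe
"""

# Constructed sample of `netstat -ano` output with the backdoor listener present.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       856
  TCP    0.0.0.0:6777           0.0.0.0:0              LISTENING       1412
  UDP    0.0.0.0:445            *:*                                    4
"""

REG_LINE = re.compile(r"^\s+(\S.*?)\s{2,}(REG_\w+)\s{2,}(.*)$")
LISTEN_LINE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def parse_run_values(text):
    """Map value name -> data for every value line in `reg query` output."""
    values = {}
    for line in text.splitlines():
        m = REG_LINE.match(line)
        if m:
            values[m.group(1)] = m.group(3).strip()
    return values


def parse_listeners(text):
    """Map local TCP port -> owning PID for LISTENING sockets in `netstat -ano` output."""
    listeners = {}
    for line in text.splitlines():
        m = LISTEN_LINE.match(line)
        if m:
            listeners[int(m.group(1))] = int(m.group(2))
    return listeners


def triage(reg_text, netstat_text, today):
    """Match the collected artifacts against the Bagle.a indicators.

    Returns the findings and whether the worm's mailer/backdoor would still be
    active on `today`. A copy past the kill date is dormant, not gone: the autorun
    value and the file in %system% remain and should still be removed.
    """
    findings = []
    for name, data in parse_run_values(reg_text).items():
        if name.lower() == RUN_VALUE_NAME or data.lower().endswith("\\" + DROPPED_FILE):
            findings.append(f"autorun value {RUN_KEY}\\{name} = {data}")
    listeners = parse_listeners(netstat_text)
    if BACKDOOR_PORT in listeners:
        findings.append(f"tcp/{BACKDOOR_PORT} LISTENING (pid {listeners[BACKDOOR_PORT]})")
    return {"findings": findings, "payload_active": today <= KILL_DATE}


if __name__ == "__main__":
    for d in (date(2004, 1, 20), date(2004, 2, 1)):
        print(d, triage(SAMPLE_REG_QUERY, SAMPLE_NETSTAT, d))
```

The check matches on either the value name or the file name, because a variant that keeps one indicator and changes the other is the common case; on a real host, feed it the actual tool output and confirm the PID behind port 6777 maps back to the dropped executable.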
I-Worm.Bagle.aa
Description I-Worm.Bagle.aa
This worm spreads via the Internet as an attachment to infected messages, and also via file-sharing networks. It is packed using UPX and PEX; the unpacked file is approximately 66KB in size. The file contains a ZIP archive holding the complete source code of the worm.

Installation
Once launched, the worm copies itself to the Windows system directory as loader_name.exe and registers this file in the system registry so that it is run every time the system starts:

[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"reg_key" = "%system%\loader_name.exe"

The worm also creates two additional files in the Windows system directory:

loader_name.exeopen
loader_name.exeopenopen

Propagation
The worm searches disks for files with the following extensions:

adb asp cfg cgi dbx dhtm eml htm jsp mbx mdx mht mmf msg nch ods oft php pl sht shtm stm tbb txt uin wab wsh xls xml

and sends itself to all email addresses harvested from these files. It uses its own SMTP engine to send the messages.

Infected messages:

Message subject (chosen from the list below):
Re: Msg reply
Re: Hello
Re: Yahoo!
Re: Thank you!
Re: Thanks :)
RE: Text message
Re: Document
Incoming message
Re: Incoming Message
RE: Incoming Msg
RE: Message Notify
Notification
Changes..
Update
Fax Message
Protected message
RE: Protected message
Forum notify
Site changes
Re: Hi
Encrypted document

Message body (chosen from the list below):
Read the attach.
Your file is attached.
More info is in attach
See attach.
Please, have a look at the attached file.
Your document is attached.
Please, read the document.
Attach tells everything.
Attached file tells everything.
Check attached file for details.
Check attached file.
Pay attention at the attach.
See the attached file for details.
Message is in attach
Here is the file.

Attachment name (chosen from the list below):
Information
text_document
Updates
Readme
Document
Info
MoreInfo
Message

Attachment extension (chosen from the list below):
exe scr com zip vbs hta cpl

If the attachment has the extension .hta, it is approximately 208KB in size; if it has the extension .vbs, approximately 211KB. The worm is also capable of sending itself in a password-protected ZIP archive, which a mail gateway cannot open for scanning; in that case the password is given in the message body, either as text or as an image.

The worm does not send infected messages to addresses that contain any of the following strings:

@hotmail @msn @microsoft rating@ f-secur news update anyone@ bugs@ contract@ feste gold-certs@ help@ info@ nobody@ noone@ kasp admin icrosoft support ntivi unix bsd linux listserv certific sopho @foo @iana free-av @messagelab winzip google winrar samples abuse panda cafee spam pgp @avp. noreply local root@ postmaster@

Propagation via P2P networks
The worm searches disks for folders whose name contains the string 'shar' and copies itself several times into each such folder. The copies are made under the following names:

Microsoft Office 2003 Crack, Working!.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Porno Screensaver.scr
Porno, sex, oral, anal cool, awesome!!.exe
Porno pics arhive, xxx.exe
Serials.txt.exe
KAV 5.0
Kaspersky Antivirus 5.0
Windown Longhorn Beta Leak.exe
Windows Sourcecode update.doc.exe
XXX hardcore images.exe
Opera 8 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
WinAmp 6 New!.exe
Matrix 3 Revolution English Subtitles.exe
Adobe Photoshop 9 full.exe
Ahead Nero 7.exe
ACDSee 9.exe

Remote administration
The worm opens port 1234 and listens on it for connections. The backdoor function makes it possible for the worm's source code to be mass-mailed remotely at any time.

Other
The worm is programmed to cease activity and delete itself after 7th July 2004.
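The harvesting and exclusion rules above decide which mailboxes ever see this worm. The following is an added example (not code from the original page or from any vendor) that reproduces that selection logic over a few constructed files: it pulls email-like strings out of the file contents with a simple regular expression, then drops any address containing one of the exclusion strings listed above, matched as a case-insensitive substring. The file names, addresses and domains are invented for the example, and the regular expression is an assumption about what "email-like text strings" means, since the page does not give the worm's own matcher.

```python
import re

# Constructed sample contents of the kinds of files the worm scans (.txt, .htm, .wab).
# Every address here is invented for the example.
SAMPLE_FILES = {
    "inbox.txt": "Hi, forward this to alice@example.org and bob.smith@example.net, thanks",
    "page.htm": '<a href="mailto:webmaster@example.com">contact</a> samples@lab.example.com',
    "contacts.wab": "support@example.org nobody@example.org carol@example.edu",
}

# Exclusion strings exactly as listed in the description above.
EXCLUDED_SUBSTRINGS = """@hotmail @msn @microsoft rating@ f-secur news update anyone@ bugs@
contract@ feste gold-certs@ help@ info@ nobody@ noone@ kasp admin icrosoft support ntivi
unix bsd linux listserv certific sopho @foo @iana free-av @messagelab winzip google winrar
samples abuse panda cafee spam pgp @avp. noreply local root@ postmaster@""".split()

# Assumed definition of an "email-like text string"; the worm's own matcher is not given.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def harvest(files):
    """Collect every email-like string from the file contents, de-duplicated and sorted."""
    found = set()
    for content in files.values():
        found.update(EMAIL_RE.findall(content))
    return sorted(found)


def is_excluded(address):
    """True if any exclusion string occurs anywhere in the address (case-insensitive).

    Because the match is a bare substring, 'news' also skips newsletter@..., and
    'local' skips anything at a host whose name contains that string.
    """
    lowered = address.lower()
    return any(s in lowered for s in EXCLUDED_SUBSTRINGS)


def select_targets(files):
    """Split harvested addresses into (would be mailed, skipped by the exclusion list)."""
    harvested = harvest(files)
    targets = [a for a in harvested if not is_excluded(a)]
    skipped = [a for a in harvested if is_excluded(a)]
    return targets, skipped


if __name__ == "__main__":
    targets, skipped = select_targets(SAMPLE_FILES)
    print("would be mailed:", targets)
    print("skipped:", skipped)
```

The practical consequence for defenders is visible in the output: addresses containing support, admin, samples, abuse or a vendor name never receive a copy, so a sample-submission or abuse mailbox named that way is blind to this family, and a honeypot address meant to catch it has to avoid every string on the list.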