Virus Database


Deadman.943

Description Deadman.943

This is a dangerous, non-memory-resident, encrypted parasitic virus. It searches for COM and EXE files and writes itself to the end of each file. The virus scans all subdirectories of the disk. It may erase a random sector on drive C and display the message:
Program too big to fit in memory

The virus also contains the text strings:
[Napoleon]
Copyright (C) 1998-99 by Deadman [SOS]


I-Worm.Newbiero

Description I-Worm.Newbiero

Newbiero is a worm virus spreading through local area networks. This worm has a backdoor routine that allows a 'master' (the person controlling the worm) to monitor infected machines.
The worm itself is a Windows PE EXE file about 160Kb in size, written in Microsoft Visual C++.
When run, the worm installs itself into the system: it copies itself to the Windows system directory under a random name (for example, AGCMJL.EXE or CBICAR.EXE) and registers this file in the system registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Diagnostic = %worm random EXE name%
Newbiero then deletes its original EXE file (from where it was run).
The worm also creates the MSSE.INI file in the Windows system directory and uses this file as an infection flag while spreading through the local area network.
Spreading
To infect the local network, the worm scans local network IP addresses and tries to connect to the machines it finds by mapping their hard drives. If a connection succeeds, the worm copies itself to the hard drive with the name:
WINDOWS\Start Menu\Programs\StartUp\mssg.exe
If Windows is installed in a directory with a different name, the infection procedure fails to spread the worm.
Backdoor
The backdoor routine provides remote control to:

download to the infected machine other EXE files and run them
run local EXE files
exit Windows, reboot the machine, log off users
perform DoS (Denial of Service) attacks, thus the worm has DDoS ability
report RAS information from the affected machine (logins and passwords)
Additional Information
The worm tries to terminate the following firewalls:
Sygate Personal Firewall
Tiny Personal Firewall
ZoneAlarm Pro
ZoneAlarm
If the "c:\logging.ini" file contains any content, the worm creates .log files in which it writes various reports about its actions. These .log files are:

c:\logs\misc.log
c:\logs\IPreport.log
c:\logs\ips.log
c:\logs\recived.log
c:\logs\yey.ini
c:\logs\scan.log
c:\logs\infections.log
c:\logs\servmsg.log
c:\logs\Fetchreport.log
c:\logs\opt.abc
c:\logs\abc.cba
c:\online.log
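
A host-triage sketch for the traces described above, added here as an example and not taken from the original description: it parses `reg query` output for the Run key and checks a file listing for the flag file, the StartUp copy and the log files. The sample registry dump, the `C:\WINDOWS\SYSTEM` directory and all function names are assumptions made for illustration.

```python
import re

RUN_VALUE = "Microsoft Diagnostic"   # Run-key value name given in the description
FLAG_FILE = "\\msse.ini"             # infection flag in the Windows system directory
STARTUP_COPY = "\\start menu\\programs\\startup\\mssg.exe"
LOG_DIR, ONLINE_LOG = "c:\\logs\\", "c:\\online.log"

# A value line of `reg query` output: name, type and data separated by 4 spaces.
REG_LINE = re.compile(r"^ {4}(?P<name>.+?) {4}(?P<type>REG_\w+) {4}(?P<data>.*)$")

def parse_run_key(reg_output):
    """Return {lowercased value name: data} for each value line in the dump."""
    values = {}
    for line in reg_output.splitlines():
        m = REG_LINE.match(line)
        if m:
            values[m.group("name").lower()] = m.group("data").strip()
    return values

def triage(reg_output, file_paths):
    """List the Newbiero traces found in a Run-key dump and a file listing."""
    findings = []
    target = parse_run_key(reg_output).get(RUN_VALUE.lower())
    if target is not None:
        findings.append(("run-key", target))
    for path in file_paths:
        low = path.lower()
        if low.endswith(FLAG_FILE):
            findings.append(("flag-file", path))
        elif low.endswith(STARTUP_COPY):
            findings.append(("startup-copy", path))
        elif low.startswith(LOG_DIR) or low == ONLINE_LOG:
            findings.append(("log-file", path))  # broad: any file under c:\logs
    return findings

# Constructed sample data: the EXE name is one of the page's two examples;
# the system directory and the other entries are assumptions.
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SystemTray    REG_SZ    SysTray.Exe
    Microsoft Diagnostic    REG_SZ    C:\WINDOWS\SYSTEM\AGCMJL.EXE
"""
SAMPLE_FILES = [r"C:\WINDOWS\SYSTEM\MSSE.INI", r"C:\WINDOWS\win.ini",
                r"C:\WINDOWS\Start Menu\Programs\StartUp\mssg.exe",
                r"c:\logs\scan.log", r"c:\autoexec.bat"]

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_REG, SAMPLE_FILES):
        print(kind, detail)
```

The value name is the stable indicator; the EXE name is random, so the data field is reported rather than matched.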

I-Worm.NewLove

Description I-Worm.NewLove

This is an extremely dangerous variant of the "LoveLetter" Internet worm. Like its forerunner "LoveLetter", the "NewLove" worm is written in the Visual Basic Script language and spreads as a VBS file with a random name. The worm installs itself into the system, gains access to the MS Outlook address book, and sends itself to all addresses listed there.
The subject of the infected message begins with "FW:" and continues with random text up to 30 characters in length and a random extension from the following list:
Doc, Xls, Mdb, Bmp, Mp3, Txt, Jpg, Gif, Mov, Url, Htm, Txt

This also serves as the name of the attached file, for example:
FW: VPAVQXCUUNGUFLTJSLNAUTQZXJUG.Bmp
FW: QKUPLSXOOIBPAGNENGIVPN.Mp3
FW: TNXSOVARRLESDJQHQJLYSQNWV.Mdb
FW: HBLHCJOFFZS.Mdb
FW: MGQMHOTKKEXLWCJAJ.Doc
FW: SMXSNUZRRKDRCJQGPIKXRQNWU.Mdb
FW: CWGCXE.Mp3
The message body is empty, and the attached VBS file has the same file name as the subject line, with an added ".VBS" extension. Depending on the system settings, the real extension of the attached file (".vbs") may not be shown. In this case, the filename of the attached file is displayed as shown above (with no "FW:").
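
A mail-filter check for the message shape described above, added here as an example and not part of the original description. It assumes the random text consists of uppercase letters A-Z, as in the sample subjects; the function names and the sample messages are constructed for illustration.

```python
# Extensions the description lists for the random name ("Txt" appears twice there).
DECOY_EXTS = {"doc", "xls", "mdb", "bmp", "mp3", "txt", "jpg", "gif", "mov", "url", "htm"}

def is_decoy_name(name):
    """True for RANDOMTEXT.Ext: up to 30 letters plus one listed extension.
    Assumption: the random text is uppercase A-Z, as in the page's samples."""
    stem, dot, ext = name.rpartition(".")
    return (bool(dot) and 1 <= len(stem) <= 30 and stem.isascii()
            and stem.isalpha() and stem.isupper() and ext.lower() in DECOY_EXTS)

def classify(subject, body, attachments):
    """Return (verdict, reasons); verdict is 'match', 'suspicious' or 'clean'."""
    reasons = []
    subject = subject.strip()
    subj_name = subject[3:].strip() if subject.upper().startswith("FW:") else ""
    subject_hit = is_decoy_name(subj_name)
    if subject_hit:
        reasons.append("subject is 'FW:' plus a random name with a decoy extension")
    name_hit = False
    for att in attachments:
        base, dot, ext = att.rpartition(".")
        if not dot or ext.lower() != "vbs":
            continue
        if is_decoy_name(base):
            reasons.append("attachment %r hides .vbs behind a decoy extension" % att)
            if subject_hit and base.lower() == subj_name.lower():
                name_hit = True
                reasons.append("attachment name repeats the subject text")
    if subject_hit and name_hit and not body.strip():
        return "match", reasons + ["message body is empty"]
    return ("suspicious" if reasons else "clean"), reasons

# Constructed test messages (the first subject is one of the page's samples).
SAMPLES = [
    ("FW: CWGCXE.Mp3", "", ["CWGCXE.Mp3.VBS"]),
    ("FW: Q3 budget", "See attached.", ["budget.xls"]),
    ("Holiday photos", "Enjoy!", ["BEACH.Jpg.vbs"]),
]

if __name__ == "__main__":
    for subj, body, atts in SAMPLES:
        print(subj, "->", classify(subj, body, atts))
```

The check works on the full attachment name from the message headers, so it is not affected by a client that hides the final ".vbs".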
When the attached file is activated (by double-clicking, for example), the worm sends copies of itself to all addresses in the MS Outlook address book.
The worm then destroys the computer. It scans all local and mapped disk drives, replaces all files with its copy, and adds the ".VBS" extension to the file names (for example, COMMAND.COM becomes COMMAND.COM.VBS). As a result, all files on all accessible drives are totally destroyed.
Because of this, the worm is able to spread just once: it sends its copy to all available addresses and then destroys the computer.
The worm is able to spread only if MS Outlook is installed in the system. The worm's payload routine is activated regardless of the e-mail system installed on the computer. If another e-mail system is installed, the worm does not send infected e-mails, but still destroys all files on the computer.
The worm is polymorphic. Upon each infection, it inserts random comments into its code. The worm does this each time it spreads, and as a result, its size grows depending on its generation (about 60% of the current size), for example:
1st generation: 110Kb
2nd generation: 248Kb
3rd generation: 403Kb
4th generation: 585Kb
5th generation: 805Kb
6th generation: 1040Kb
etc.
The "pure" worm code is just about 5Kb in size.
Protection against this type of worm has already been released by Kaspersky Lab. The "AVP Script Checker" protects the system against the new worm and prevents infection. We strongly recommend you download "AVP Script Checker" from our Kaspersky Lab Web sites.

    Copyright © 2005 Virus-Database.com