Prevent Online Threats

Archive for December, 2006

I_Owe.261

Sunday, December 31st, 2006

It is a dangerous memory resident parasitic virus. It infects only the IO.SYS file. While infecting, the virus scans the header of IO.SYS for an area that contains only zero bytes and writes itself there, if such an area exists.
While loading from an infected system the virus copies itself into video memory, hooks INT 1Ah, waits for DOS to load, then hooks INT 21h and overwrites C:\IO.SYS on the first call to a DOS function. The virus then removes itself from memory.
The infection method is a very unusual one, and it may halt the system. The virus can spread only while booting from an infected floppy disk, and it infects only IO.SYS on the C: drive. The virus contains the text strings:
C:\IO.SYS
I OWE
-=Q=-

I_Love_DOS.3618

Sunday, December 31st, 2006

It is a dangerous(?) memory resident parasitic stealth virus. It hooks INT 21h and writes itself to the end of COM and EXE files that are accessed. The virus does not infect the files:
AVG AVGW AVGSYS SCAN CLEAN ASTA VSAFE MSAV TURBO WIN BP TRAP TBAV TBDRIVER VCOP GUARD VS 286 386 CHKDSK
Depending on the system date, the virus manifests itself by a sound and video effect, corrupts(?) the CMOS and displays the messages:
CMOS
Your computer will be need a psychiatrist...
DEAD

The virus also contains the text strings:
IOSYS
COMSPEC=
EXECOM
I love MS-DOS !

I_am.635

Sunday, December 31st, 2006

It is a non-dangerous, non-memory-resident parasitic polymorphic virus. It searches for COM files and writes itself to the end of each file. When executed it displays the message:
– I am virus ! –

I-Worm.Zoher

Sunday, December 31st, 2006

This is a virus-worm that spreads via the Internet attached to infected e-mails. The worm itself is a Windows PE EXE file 6.6Kb in length, and it is written in Assembler.
The infected messages contain:
Subject: Fw: Scherzo!
Attachment: javascript.exe

The message body is long, and it is written in Italian (see it below).
To run from an infected message, the worm uses a security hole (an IFRAME vulnerability similar to the one used by the “Nimda” worm), so the worm may be activated simply by reading or previewing the message.
The worm does not install itself in the system and is not activated again (except when a user opens an infected e-mail a second time).
To send infected messages, the worm uses a direct connection to the default SMTP server. To obtain e-mail addresses, it scans the WAB database.
To send an infected message with an attached file, the worm downloads a message image from the http://banners.interfree.it site. As a result the worm author can upgrade it with new versions, or force existing worm copies to send other malicious code.
The message body appears as follows:

Con questa mail ti e stata spedita la FortUna; non la
fortuna e basta, e neanche la Fortuna con la F
maiuscola, ma addirittura la FortUna con la F e la U
maiuscole. Qui non badiamo a spese. Da oggi avrai
buona fortuna, ma solo ed esclusivamente se ti liberi
di questa mail e la spedisci a tutti quelli che conosci.
Se lo farai potrai:
- produrti in prestazioni sessuali degne di King Kong
per il resto della tua vita
- beccherai sempre il verde o al massimo il giallo ai semafori
- catturerai tutti e centocinquantuno i Pokemon incluso
l’elusivo Mew
- (per lui) quando andrai a pescare, invece della solita
trota tirerai su una sirena tettona nata per sbaglio con gambe umane
- (per lei) lui sara talmente innamorato di te che ti
come una sirena tettona nata per sbaglio con le gambe
Se invece non mandi questa mail a tutta la tua list
entro quaranta secondi,allora la tua esistenza diventera
una
grottesca sequela di eventi tragicomici, una colossale
barzelletta che suscitera il riso del resto del pianeta,
e ticondurra ad una morte orribile, precoce e solitaria...
No, dai, ho esagerato: hai sessanta secondi.
Cascaci: e’ tutto vero.
Puddu Polipu, un grossista di aurore boreali
cagliaritano, spedi’ questa mail a tutta la sua lista
ed il giorno dopo vinse il Potere Temporale della Chiesa
alla lotteria della parrocchia.
Ciccillo Pizzapasta, un cosmonauta campano che
soffriva di calcoli, si preoccupo di diffondere
questa mail: quando fu operato si scopri’ che i suoi
calcoli erano in realta diamanti grezzi.
GianMarco Minaccia, un domatore di fiumi del Molise
che non aveva fatto circolare questa mail,
perse entrambe le mani in un incidente subito dopo
aver comprato un paio di guanti.
Erode Scannabelve, un pediatra mannaro di
Trieste,non spedi a nessuno questa mail: dei suoi tre figli
uno comincio a drogarsi,
il secondo entro in Forza Italia
e il terzo si iscrisse a Ingegneria.

I-Worm.Zircon.c

Sunday, December 31st, 2006

This is a worm virus spreading via the Internet in infected e-mails. The worm itself is a Windows PE EXE file about 12Kb in size, written in Assembler.
The infected messages contain the following information:
Subject: ‘Important’ or a Japanese language subject (17 variants)
Body: [empty]
Attach: patch.exe

The worm activates from an infected e-mail only when a user clicks on the attachment.
The worm does not install itself in the system and once run is no longer active - unless a user clicks on the attachment once again.
Spreading
To send out infected messages the worm reads the address of the default Outlook SMTP server from the registry and connects to it. Then the worm reads addresses from the Windows address book. It then sends messages to all addresses found in the Windows address book. If the recipient’s address ends with the string “.jp” the worm inserts a Japanese subject. If not it inserts the subject: “Important”.
The worm contains the text string:
XXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXX I-Worm.Japanize XXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXX

I-Worm.ZippedFiles (a.k.a. ExploreZip)

Sunday, December 31st, 2006

This is a virus-worm spreading via the Internet and local network. Usually it appears as a “Zipped_Files.Exe” file attached to an e-mail. This file itself is a Delphi executable file about 210Kb in length. Most of the file’s code is occupied by Delphi run-time libraries, data and classes, and just about 10Kb of code is “pure” worm code.
Upon execution, it installs itself into the system, then sends infected messages (with its attached copy) to addresses found in the e-mail Inbox. To hide its activity, the worm displays the following message:
Error
Cannot open file: it does not appear to be a valid archive. If this file is
part of a ZIP format backup set, insert the last disk of the backup set
and try again. Please press F1 for help.

Installing into the system
To install into the system, the worm copies itself to the Windows directory under the name _SETUP.EXE, and to the Windows system directory under the name EXPLORE.EXE, for example:
C:\WINDOWS\_SETUP.EXE
C:\WINDOWS\SYSTEM\EXPLORE.EXE - not “EXPLORER.EXE”!

The worm then registers its copy in the Windows configuration files to force the system to execute it each time Windows starts up. To do this, the worm writes a “run=” instruction that points to one of the worm files - _SETUP.EXE or EXPLORE.EXE. Depending on the Windows version, this registration is done in one of two places: in the WIN.INI file (under Win95/98) or in the system registry (under WinNT).
In the case of Win95/98, the WIN.INI file [windows] section is updated with a “run=” instruction:
WIN.INI file:
[windows]
run=[worm file name]

In the case of WinNT, the same registration procedure affects the registry key:
HKEY_CURRENT_USER
Software\Microsoft\Windows NT\Current Version\Windows: run=[worm file name]

Depending on the worm “status” and system conditions, the worm selects its file name from one of two possible variants - _SETUP.EXE or EXPLORE.EXE. It then may replace an existing value with a second one, and then return to the first name. So, there may be two variants of a “run=” instruction found:
run=_setup.exe
run=C:\WINDOWS\SYSTEM\Explore.exe or run=C:\WINNT\SYSTEM32\Explore.exe

The Worm in the System Memory
The worm then (being registered in the system) stays “memory resident” and is active until the system shuts down. The worm’s task has no active window and is not visible in the taskbar, but it is visible in the task list (Ctrl-Alt-Del) under one of the names the worm uses for its copies:
Zipped_files
Explore - not “Explorer”!
_setup

The worm does not check whether a copy of itself is already present in Windows memory, so several worm instances may be found running at once.
Being active as a Windows application, the worm runs four threads of its main process: the installation thread that copies worm files to the Windows directories and registers them, the Internet spreading thread and two file destroying threads.
Spreading by E-mails
The second, and most important, thread sends e-mail messages using any e-mail system based on the standard MAPI (Messaging Application Programming Interface) - MS Outlook, MS Outlook Express, etc. The worm makes four attempts to log on to the installed e-mail system, each with a different MAPI profile: the default one, Microsoft Outlook, Microsoft Outlook Internet Settings, and Microsoft Exchange.
Once connected to the e-mail system, the worm monitors all arriving messages: in an endless loop it scans the Inbox for messages and replies to them. The reply has the same Subject with a “Re” prefix, and the message body appears as follows:
Hi [recipient name]
I received your email and I shall send you a reply ASAP.
Till then, take a look at the attached zipped docs.

The message ends with one of two signature variants depending on the worm’s success in locating the “sender name” in the e-mail fields:
bye.
sincerely [sender name]

The worm copy is attached to the message with a “Zipped_Files.Exe” name.
The worm does not reply to messages twice, and does not reply to its own messages. To detect already-infected messages, the worm marks them with a TAB character at the end of the Subject string. Each time the worm scans the Inbox for messages, it obtains the Subject field, goes to its end, and skips over the message if a TAB is found there. The worm also does not reply to all messages in the Inbox - only to unread messages.
It is necessary to note that both these conditions–replying to unread messages only and not replying to the same message twice–are optional in the worm’s infection routine. In the known worm version, both of them are hard-coded in the aforementioned way, but it is possible that the next worm version will answer all messages in the Inbox each time the worm infection thread gains control.
As a result, the process appears as follows: When the worm starts for the first time on a computer, it sends infected messages by using all unread messages found in the Inbox; it marks them as “infected” by using a TAB character and does not infect anymore; when a new message is received from the Internet and appears in the Inbox, it is immediately “answered” by the worm with the fake text shown above.
Spreading to a Local Network
The worm is able to spread over a local network and can infect remote computers whose Windows directory is shared for reading and writing (full access). To do this, it enumerates network resources (shared remote drives) and looks for a WIN.INI file there. If this file is located, the worm copies its _SETUP.EXE file to that directory and modifies the configuration file so that Windows on the remote computer will execute the worm file on the next reboot (see “Installing...” above).
Payload
The worm has an extremely dangerous payload. Each time it is executed, it runs two more threads that scan the directory trees on local and network drives, look for .C, .H, .CPP, .ASM, .DOC, .XLS and .PPT files (program sources and MS Office documents) and zero them. The worm uses a create-and-close trick that erases the file contents and sets the file length to zero. As a result, the files become unrecoverable.
As it is mentioned above, there are two file-killing threads: the first is active whenever the worm copy is active in the system until shutting down. In an endless loop, it scans all available drives from C: to Z: and corrupts the files listed above. The second thread is executed only once. It enumerates network resources (shared remote drives), scans them for the same files and also destroys them.
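As an added example (not code from the original description), the following Python triage helpers check a raw e-mail for the ExploreZip indicators described in this entry (the TAB appended to the Subject of already-answered messages, the “Re” reply carrying the lure text, and the Zipped_Files.Exe attachment) and check a WIN.INI [windows] section for the run= persistence line; the sample message and INI fragments are constructed, and the registry variant of the persistence is not covered.

```python
"""Triage helpers for the I-Worm.ZippedFiles (ExploreZip) indicators described
above.  Added example, not code from the original page; all sample data below
is constructed.  Two checks: the worm's TAB 'already answered' marker plus its
Zipped_Files.exe attachment in a message, and the run= persistence line it
writes to the [windows] section of WIN.INI."""
import re

WORM_ATTACHMENT = "zipped_files.exe"
# File names the worm registers under run=; note EXPLORE.EXE, not EXPLORER.EXE.
WORM_RUN_TARGETS = {"_setup.exe", "explore.exe"}
LURE_TEXT = "take a look at the attached zipped docs"


def parse_headers(raw: str) -> dict[str, str]:
    """Minimal header split that keeps trailing whitespace in values, because
    the indicator we want is literally a trailing TAB in the Subject."""
    head, _, _body = raw.partition("\n\n")
    headers: dict[str, str] = {}
    last = None
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and last:          # folded continuation
            headers[last] += line
            continue
        name, sep, value = line.partition(":")
        if sep:
            last = name.strip().lower()
            headers[last] = value.lstrip(" \t").rstrip("\r")
    return headers


def check_message(raw: str) -> list[str]:
    """Return the ExploreZip indicators found in one raw e-mail."""
    findings = []
    headers = parse_headers(raw)
    subject = headers.get("subject", "")
    if subject.endswith("\t"):
        findings.append("subject ends with TAB (worm's replied marker)")
    if re.match(r"re\b", subject, re.IGNORECASE) and LURE_TEXT in raw.lower():
        findings.append("reply carrying the known lure text")
    for name in re.findall(r'filename="?([^";\r\n]+)"?', raw, re.IGNORECASE):
        if name.strip().lower() == WORM_ATTACHMENT:
            findings.append(f"attachment {name.strip()}")
    return findings


def check_win_ini(text: str) -> list[str]:
    """Flag run= entries in the [windows] section that launch a worm file."""
    findings = []
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "windows" or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key.lower() != "run":
            continue
        # run= may list several programs separated by spaces or commas.
        for prog in re.split(r"[ ,]+", value):
            base = prog.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if base in WORM_RUN_TARGETS:
                findings.append(f"run= launches {prog}")
    return findings


# Constructed sample: a worm reply as it would appear in a victim's Inbox.
SAMPLE_MAIL = (
    "From: someone@example.test\n"
    "To: victim@example.test\n"
    "Subject: Re: quarterly figures\t\n"
    "Content-Type: multipart/mixed; boundary=\"b1\"\n"
    "\n"
    "--b1\n"
    "Content-Type: text/plain\n"
    "\n"
    "Hi victim\n"
    "I received your email and I shall send you a reply ASAP.\n"
    "Till then, take a look at the attached zipped docs.\n"
    "--b1\n"
    "Content-Disposition: attachment; filename=\"Zipped_Files.Exe\"\n"
    "\n"
    "MZ...\n"
    "--b1--\n"
)

# Constructed WIN.INI fragments: an infected one, and a clean one that runs
# the legitimate EXPLORER.EXE (must not be flagged).
INFECTED_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\SYSTEM\\Explore.exe\n[Desktop]\nWallpaper=(None)\n"
CLEAN_INI = "[windows]\nrun=C:\\WINDOWS\\EXPLORER.EXE\n"

if __name__ == "__main__":
    print(check_message(SAMPLE_MAIL))
    print(check_win_ini(INFECTED_INI), check_win_ini(CLEAN_INI))
```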

I-Worm.Zafi.b

Sunday, December 31st, 2006

This worm spreads via the Internet as an attachment to infected messages, and also via local and file-sharing networks.
It is written in Assembler, and packed using FSG. It is 12800 bytes in packed form, and 33292 in unpacked form.
Installation
Once launched, the worm copies its file to the Windows system directory. The name of the file is randomly generated.
The worm registers this file as an entry in the system registry to be run every time the system is started:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“_Hazafibb”=”%system%\[file name]”
The worm creates the mutex _Hazafibb to flag its presence in the system. This prevents multiple copies of the worm from running at the same time.
It stops the following processes and deletes the files from disk:
fvprotect.exe
winlogon.exe
jammer2nd.exe
services.exe
Propagation via email
The worm harvests email addresses from files with the following extensions:
htm
wab
txt
dbx
tbb
asp
php
sht
adb
mbx
eml
pmr
It does not send messages to addresses which contain text from the list below:
win
use
info
help
admi
webm
micro
msn
hotm
suppor
syma
vir
trend
panda
yaho
cafee
sopho
google
kasper
There is a range of text used in infected messages. The text is chosen according to the recipient’s domain name.
Domain .hu
Sender:
Anita
Message header:
Ingyen SMS!
Message body:
———————— hirdetés —————————–

A sikeres 777sms.hu és az axelero.hu támogatásával újra
indul az ingyenes sms küldő szolgáltatás! Jelenleg ugyan
korlátozott számban, napi 20 ingyen smst lehet felhasználni.
Küldj te is SMST! Néhány kattintás és a mellékelt regisztrációs
lap kitöltése után azonnal igénybevehető! Bővebb információt
a www.777sms.hu oldalon találsz, de siess, mert az első ezer
felhasználó között értékes nyereményeket sorsolunk ki!

———————— axelero.hu —————————
Attachment name:
regiszt.php?3124freesms.index777.pif
Domain .sp
Sender:
Claudia
Message header:
Importante!
Message body:
Informacion importante que debes conocer, -
Attachment name:
link.informacion.phpV23.text.message.pif
Domain .ru
Sender:
Katya
Message header:
Katya
Message body:
DAúADAOIUå OEIEøIEãU, ÐÉÓÁ_ÝÉÅ ÄÅ×ÕoËÉ, ÁÎÁÌØÎÁÑ ÍÁÓÔÕdÂÁÃÉÑ,
dÕËÁ × ÁÎÕÓÅ É ×ÓÅ ÉÚ×ÅÓÔÎÙÅ ÐÏÌÏ×ÙÅ ÉÚ×dÁÝÅÎÉÑ.
IÉÓÁ_ÝÉÅ ÄÅ×ÕoËÉ dÁÚ×dÁÔÎÙÅ oËÏÌØÎÉÃÙall
Attachment name:
view.link.index.image.phpV23.sexHdg21.pif
Domain .dk
Sender:
Eva
Message header:
E-Kort!
Message body:
Mit hjerte banker for dig!
Attachment name:
link.ekort.index.phpV7ab4.kort.pif
Domain .ro
Sender:
Marica
Message header:
Ecard!
Message body:
De cand te-am cunoscut inima mea are un nou ritm!
Attachment name:
link.showcard.index.phpAv23.ritm.pif
Domain .se
Sender:
Anna
Message header:
E-vykort!
Message body:
Till min Alskade…
Attachment name:
link.vykort.showcard.index.phpBn23.pif
Domain .no
Sender:
Erica
Message header:
E-Postkort!
Message body:
Vakre roser jeg sammenligner med deg…
Attachment name:
link.postkort.showcard.index.phpAe67.pif
Domain .fi
Sender:
Katarina
Message header:
E-postikorti!
Message body:
Iloista kesaa!
Attachment name:
link.postikorti.showcard.index.phpGz42.pif
Domain .lt
Sender:
Magdolina
Message header:
Atviruka!
Message body:
Linksmo gimtadieno!
Attachment name:
link.atviruka.showcard.index.phpGz42.pif
Domain .pl
Sender:
Beate
Message header:
E-Kartki!
Message body:
W Dniu imienin…
Attachment name:
link.kartki.showcard.index.phpVg42.pif
Domain .pt
Sender:
Eva
Message header:
Cartoe Virtuais!
Message body:
Te amo…
Attachment name:
link.cartoe.viewcard.index.phpYj39.pif
Domain .de
Sender:
Alice
Message header:
Flashcard fuer Dich!
Message body:
Hallo!

hat dir eine elektronische Flashcard geschickt.
Um die Flashcard ansehen zu koennen, benutze in deinem Browser
einfach den nun folgenden link:
http://flashcard.de/interaktiv/viewcards/view.php3?card=267BSwr34

Viel Spass beim Lesen wuenscht Ihnen ihr…
Attachment name:
link.flashcard.de.viewcard34.php.2672aB.pif
Domain .nl
Sender:
Eva
Message header:
Er staat een eCard voor u klaar!
Message body:
Hallo!

heeft u een eCard gestuurd via de website nederlandse
taal in het basisonderwijs…
U kunt de kaart ophalen door de volgende url aan te klikken of te
kopiren in uw browser link:
http://postkaarten.nl/viewcard.show53.index=04abD1

Met vriendelijke groet,
De redactie taalsite primair onderwijs…
Attachment name:
postkaarten.nl.link.viewcard.index.phpG4a62.pif
Domain .cz
Sender:
Hanka
Message header:
Elektronicka pohlednice!
Message body:
Ahoj!

Elektronick pohlednice ze serveru http://www.seznam.cz

Attachment name:
link.seznam.cz.pohlednice.index.php2Avf3.pif
Domain .fr
Sender:
Claudine
Message header:
E-carte!
Message body:
vous a envoye une E-carte partir du site zdnet.fr
Vous la trouverez, l’adresse suivante link:
http://zdnet.fr/showcard.index.php34bs42
www.zdnet.fr, plus de 3500 cartes virtuelles, vos pages web
en 5 minutes, du dialogue en direct…
Attachment name:
link.zdnet.fr.ecarte.index.php34b31.pif
Domain .it
Sender:
Francesca
Message header:
Ti e stata inviata una Cartolina Virtuale!
Message body:
Ciao!

ha visitato il nostro sito, cartolina.it e ha creato una
cartolina virtuale per te! Per vederla devi fare click
sul link sottostante: http://cartolina.it/asp.viewcard=index4g345a
Attenzione, la cartolina sara visibile sui nostri server per
2 giorni e poi verra rimossa automaticamente.
Attachment name:
link.cartoline.it.viewcard.index.4g345a.pif
Domain .mx
1.
Sender:
Jennifer
Message header:
You`ve got 1 VoiceMessage!
Message body:
Dear Customer!

You`ve got 1 VoiceMessage from voicemessage.com website!
Sender:
You can listen your Virtual VoiceMessage at the following link:
http://virt.voicemessage.com/index.listen.php2=35affv
or by clicking the attached link.

Send VoiceMessage! Try our new virtual VoiceMessage Empire!
Best regards: SNAF.Team (R).
Attachment name:
link.voicemessage.com.listen.index.php1Ab2c.pif
2.
Sender:
Anita
Message header:
Soxor Csok!
Message body:
Szia!

Aranyos vagy, jó volt dumcsizni veled a neten!
Remélem tetszem, és szeretném ha te is küldenél képet
magadról, addig is csók:
Attachment name:
anita.image043.jpg.pif
Domain .at
1.
Sender:
Anita
Message header:
Tessek mosolyogni!!!
Message body:
Ha ez a kép sem tud felviditani, akkor feladom!

Sok puszi:
Attachment name:
meztelen csajok fociznak.flash.jpg.pif
2.
Sender:
Jennifer
Message header:
Don`t worry, be happy!
Message body:
Hi Honey!

I`m in hurry, but i still love ya…
(as you can see on the picture)

Bye - Bye:
Attachment name:
www.ecard.com.funny.picture.index.nude.php356.pif
For all other domains, the message will be as follows:
Sender:
David
Message header:
Check this out kid!!!
Message body:
Send me back bro, when you`ll be done…(if you know what i mean…)

See ya,
Attachment name:
jennifer the wild girl xxx07.jpg.pif
Propagation via local and file-sharing networks
The worm copies itself to all folders where the folder name contains the words:
share
upload
The name of the worm file will be chosen from the following list:
winamp 7.0 full_install.exe
Total Commander 7.0 full_install.exe
Other
It creates the file sys.txt in the root directory of drive C:.
It attempts to detect antivirus program files on the computer and overwrite them with a copy of itself.
It also attempts to conduct DoS attacks on the following sites:
www.2f.hu
www.parlament.hu
www.virusbuster.hu
www.virushirado.hu
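As an added example (not code from the original description), this Python heuristic classifies attachment names of the kind listed above: a final .pif or .exe extension preceded by a fake picture, script or URL-like token, as in Zafi.b’s mail lures, versus the plain installer names the worm drops on network shares; the sample names are taken from the entry, except the two benign ones, which are constructed.

```python
"""Attachment-name heuristic for the Zafi.b lures listed above.  Added example,
not code from the original page.  Every Zafi.b mail attachment is a .pif whose
name is dressed up as a link, script or picture (e.g. 'anita.image043.jpg.pif'),
and its network-share copies pose as installers ('winamp 7.0 full_install.exe').
The classifier below separates those two cases from harmless names."""
import re

# Extensions Windows will execute regardless of what precedes them.
EXECUTABLE_EXT = {"pif", "exe", "scr", "com", "bat", "cmd"}
# Tokens that imitate a document, picture, script or URL fragment.
DECOY_PREFIXES = ("jpg", "jpeg", "gif", "php", "htm", "asp", "txt",
                  "index", "link", "viewcard", "showcard", "www")


def classify_attachment(name: str) -> str:
    """Return 'double-extension', 'executable' or 'ok' for one attachment name."""
    tokens = [t.lower() for t in re.split(r"[.\s]+", name.strip()) if t]
    if len(tokens) < 2 or tokens[-1] not in EXECUTABLE_EXT:
        return "ok"
    # Zafi.b pattern: a fake extension or URL-like token sits in front of the
    # real .pif, so the user reads 'jpg' or 'php' while Windows runs a program.
    # Prefix matching catches the mangled variants ('phpV23', 'index777').
    if any(t.startswith(DECOY_PREFIXES) for t in tokens[:-1]):
        return "double-extension"
    return "executable"


def flag_attachments(names: list[str]) -> dict[str, str]:
    """Map every attachment name that is not 'ok' to its classification."""
    return {n: c for n in names if (c := classify_attachment(n)) != "ok"}


# Names taken from the Zafi.b description, plus two constructed benign ones.
SAMPLE_NAMES = [
    "regiszt.php?3124freesms.index777.pif",
    "anita.image043.jpg.pif",
    "link.flashcard.de.viewcard34.php.2672aB.pif",
    "winamp 7.0 full_install.exe",
    "holiday_photo.jpg",          # constructed benign name
    "quarterly_report.pdf",       # constructed benign name
]

if __name__ == "__main__":
    for name, verdict in flag_attachments(SAMPLE_NAMES).items():
        print(f"{verdict:17} {name}")
```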

I-Worm.Zafi

Sunday, December 31st, 2006

This worm spreads via the Internet as an attachment to infected messages. It is 11776 bytes in size.
Characteristics of infected messages
Sender:
kepeslapok@meglep.hu
Message body:
Tisztelt felhasznalo!

Onnek kepeslapja erkezett!
A kepeslap feladoja: Leva
A lapot az alabbi cimen tudja megtekinteni:
http//matav.hu/viewcard/index=p4uo5683535GSb0123fhhf578840f0623cv2
vagy a mellekelt internetlink kattintasaval.

Udvozlettel: Matav e-card!
http//www.netezz.matav.hu/
Attachment name
link.matav.hu.viewcard.index42ADR4502HHJeTYWYJDF334GSDEv255
Propagation
The worm searches disks C, D, E, F, G, H for files with the following extensions, and harvests email addresses from these files:
adb
asp
avi
bmp
cab
com
dbx
dll
eml
exe
gif
htm
ico
iso
jpg
lnk
mbx
mp3
mpg
php
pk3
pmr
rar
sht
swp
tbb
txt
vxd
wab
wav
wmv
zip

If any of the words listed below are found in an address, the address will be ignored.
anti
avp
f-prot
gov
hotmail
microsoft
norton
panda
trendmicro
vir
Installation
The worm creates the following keys in the system registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
The key value is a link to a copy of the worm in the system directory. The file name is randomly generated by the worm.
[HKLM\Software\Microsoft\Hazafi]
The key values of R1 - RA are the user name, user email, links to a copy of the worm in the system directory and links to the files which contain the email addresses harvested by the worm. All file names are randomly generated by the worm.
Other
Immediately following launch, the worm checks the current system date. If the local system date is 01.05.2004, the worm displays a dialogue box. The worm will not work after 02.05.2004.

The worm terminates the following processes:
dfw.exe
fsav32.exe
fsbwsys.exe
fsgk32.exe
fsm32.exe
fssm32.exe
fvprotect.exe
mcagent.exe
navapw32.exe
navdx.exe
navstub.exe
navw32.exe
nc2000.exe
ndd32.exe
netarmor.exe
netinfo.exe
netmon.exe
nmain.exe
nprotect.exe
ntvdm.exe
ostronet.exe
outpost.exe
pccguide.exe
pcciomon.exe
regedit.exe
regedit32.exe
taskmgr.exe
tnbutil.exe
vbcons.exe
vbsntw.exe
vbust.exe
vsmain.exe
vsmon.exe
vsstat.exe
winlogon.exe
zonalarm.exe

I-Worm.Yarner

Sunday, December 31st, 2006

This is a virus-worm that spreads via the Internet attached to infected e-mails. The worm itself is a Windows PE EXE file about 434Kb in length, and it is written in Delphi. The worm was discovered on 18-19 February 2002, and it has a very dangerous payload.
The infected messages have either the true sender’s e-mail address or a fake sender address in the “From” field:
“True” e-mail: Trojaner-Info [%TrueEmail%]
Fake e-mail: Trojaner-Info [webmaster@trojaner-info.de]
Other data in messages appears as follows:
Subject: Trojaner-Info Newsletter %CurrentDate%
Attachment: yawsetup.exe
where %CurrentDate% is the current date, for example, “18.02.02”, “19.02.02”.
Body:
Hallo !

Willkomen zur neuesten Newsletter-Ausgabe der Webseite Trojaner-Info.de.
Hier die Themen im Ueberblick:

1. YAW 2.0 - Unser Dialerwarner in neuer Version

************************************

1. YAW 2.0 - Unser Dialerwarner in neuer Version
Viele haben ihn und viele moegen ihn - unseren Dialerwarner YAW. YAW ist
nun in einer brandneuen und stark erweiterten Version verfuegbar. Alle unsere
Newsletterleser bekommen ihn kostenlos zusammen mit diesem Newsletter.
Also einfach die angehaengte Datei starten und YAW 2.0 installieren. Bei Fragen
steht Ihnen der Programmierer des bislang einzigartigen Programmes Andreas Haak
unter andreas@ants-online.de zur Verfügung. Viel Spaß mit YAW!

************************************

Das war die heutige Ausgabe mit den aktuellsten Trojaner-Info News. Wir
bedanken uns fuer eure Aufmerksamkeit und wuenschen allen Lesern noch eine
angenehme Woche.

Mit freundlichem Gruss

Thomas Tietz & Andreas Ebert

************************************
Anzahl der Subscriber: 5.966
Durchschnittliche Besuchzahl/Tag: 4.488
Diese Mail ist kein Spam ! Diesen Newsletter hast du erhalten, da du in unserer
Verteilerliste aufgenommen wurdest. Solltest du unseren Newsletter nicht selber
abonniert haben, sondern eine andere Person ohne dein Wissen, kannst du
diesen auf unseren Seiten wieder abbestellen. Oder sende uns einfach eine
entsprechende E-Mail.
************************************

The worm activates from an infected e-mail only when a user clicks on the attached file. The worm then installs itself to the system, runs a spreading routine and payload.
Installing
While installing, the worm copies itself to the Windows directory under a random .EXE name of up to 100 characters and registers this file in the system registry auto-run key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Runonce %RandomText% = %WormName%
where %WormName% is the worm copy name, and %RandomText% is another random string of up to 100 characters, for example:
ddfUdEDshaSEYadkWBUdFrnKlFWReyHQpTWCqMkkTRhHoIqHMZugxnPTXF.exe
The worm then renames the NOTEPAD.EXE file in the Windows directory to NOTEDPAD.EXE and replaces the original NOTEPAD.EXE with its copy. The worm thus creates an additional copy of itself, which starts whenever a text file is opened with Notepad.
The worm also creates two additional files in the Windows directory with the following names:
kerneI32.daa - the worm writes victim e-mail addresses to this file
kerneI32.das - the worm writes known SMTP servers to this file
Spreading
To send infected messages, the worm uses a direct connection to the default SMTP server.
The worm obtains victim e-mail addresses in two different ways: First, it gains access to the MS Outlook address book and obtains all e-mail addresses from there. Next, the worm scans all .PHP, .HTM, .SHTM, .CGI, .PL files in all subdirectories in the Windows directory and obtains all e-mails from there.
Payload
After successfully sending an infected e-mail, the worm, in one case in ten, deletes all files on a drive where Windows is installed.

I-Worm.Yanker

Sunday, December 31st, 2006

Yanker is a very dangerous multicomponent worm-virus that spreads via the Internet as a RAR archive attached to infected e-mails.
Infected emails contain:
Subject: Hi,my new webpage ;o)
E-mail body: Hi:
Here is my new webpage.Please check it,and give Me some Advice.
Attachment name: webpage.rar

The RAR archive contains the file webpage.htm and a subfolder named images where the main components of this virus are stored:
folder.htt (controls MS Explorer file and folder display settings - attributes: system/hidden)
main_59.exe (dropper file, written in Delphi, packed by UPX (57KB), attributes: system/hidden)
main_60.exe (PSW.PassDumper, packed with UPX (20k) - attributes: system/hidden)

The images folder also contains several harmless files in various formats, such as gif, css and more. These files are components of a webpage.
Installing, Spreading, Payload
After unarchiving the infected RAR file, the Yanker worm can gain control of a user’s system in two ways: when the webpage.htm file is opened or when the images folder is viewed using MS Explorer.
In both cases the Yanker worm uses the same CodeBaseExec exploit, appended to the end of the files, to launch itself. The main_59.exe program runs without the victim noticing anything.
The main_59.exe program determines the current IP address of the infected computer and stores it in a text file (ip.txt). It then extracts and launches the worm’s main component, yankee.vbs - a 4KB file written in Visual Basic Script. At the same time, the worm checks the system registry for the following key string:

HKCU\SOFTWARE\yankee
yankee=1

If this string already exists, the worm ceases all activities.
The yankee.vbs script does the following:
Sends the ip.txt file with the infected computer’s IP address and all passwords found in the system (using PassDumper) to the following e-mail address:

xdvirus@peoplemail.com.cn

Sends its “webpage.RAR” archive to all the addresses found in the MS Outlook address book.
Writes the following key string into the Windows System Registry:

HKCU\SOFTWARE\yankee
yankee=1

Deletes all accessible non-system folders on hard and removable drives.

I-Worm.XCod

Sunday, December 31st, 2006

This is an e-mail/IRC worm. The worm body itself is a Win32 PE EXE file written in Visual Basic. The worm contains too many bugs to describe them all.
It copies itself to:
C:\windows\install_.exe
C:\windows\system\sysboot_.exe
and registers itself in Registry keys:
HKEY_CLASSES_ROOT\exefile\shell\open\command
“C:\windows\system\systray_.exe” %1 %*

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
SystemTray = C:\Windows\system\systray_.exe
SystemTray = C:\Windows\system\sysboot_.exe
(the second line overwrites the first one, so the first value does not appear in the system registry).
HKEY_LOCAL_MACHINE\Software\Winsys\info
Program Name = X-Coderz
CurrentVersionNumber = X-Coderz.VBS.03.A
(it intends to write more values there, but fails).
The messages sent by e-mail (the worm fails to do this as well) contain the INSTALL_.EXE file as an attachment; the message text and subject are selected from the following variants:
Hey
Hey, How Are Things? I’m Writing This E-Mail To Let You Know Of An
Attachment Im Sending With The Next Mail You Will Probably Find. It Very
Useful. I did! See You Soon

Hey Its Me Again,Here You Go Its The Installation Program For An Adults
Only Explicit Screensaver (Pornographic)

Hey Its Me Again,Here You Go Its The Installation Program For An Outlook
Express Security Upgrade

Hey Its Me Again,Here You Go Its The Installation Program For A Microsoft
Explorer Patch V7.5 (Required For Many Sites)

Hey Its Me Again,Here You Go Its The Installation Program For A Cool Game
I Found On The Web, Try It!

Hey Its Me Again,Here You Go Its The Installation Program For An
Excellent MP3 Player With Plug-Ins LIMITED EDITION
To spread itself through IRC channels the worm affects the mIRC client in the C:\Mirc directory. The worm (successfully) writes a SCRIPT.INI file with commands that send the worm copy to IRC channels under the name “installx2.exe”, together with the message:
You gotta see this. Talk about hard core, jesus!! This is kinky at its
best... you gotta see this, just look at it!!
The worm deletes Norton Anti-Virus data files: C:\Program Files\Norton AntiVirus\*.dat
On June 22 the worm intends to display (but fails) the message box:
X-Coderz VBS Virus 0.3
X-Coderz Have Taken Control
then:
X-Coderz???
Remove Virus From Your System?
and then:
X-Coderz
FUCK YOU!!!!!!

I-Worm.Xanax

Sunday, December 31st, 2006

This is an Internet worm that was found in the wild in the middle of March 2001. The worm spreads via e-mail by sending infected messages from affected computers, and through IRC channels by sending its copy there. The worm also infects EXE files in the Windows directory.
The worm itself is a Win32 application (PE EXE file) written in Microsoft Visual C++. The worm is about 60K in size, but it was found in compressed form: the worm code was compressed with the ASPack utility to about 34K.
When the worm starts, it copies itself to the Windows system directory with two names: XANAX.EXE and XANSTART.EXE. The XANSTART.EXE file is then registered in Registry auto-run key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Default = %winsystem%\xanstart.exe
where %winsystem% is the name of the Windows system directory. As a result, the worm is run each time Windows starts up.
Infected E-mail
The worm then launches its e-mail spreading routine. To do this, the worm creates a temporary XANAX.VBS file (Visual Basic script), writes a VBS program there and starts it with the help of WSCRIPT.EXE. The VBS program gains access to the Outlook address book and sends messages to the first 1,000 addresses from each of the address lists:
Subject: Stressed? Try Xanax!
Body:

Hi there! Are you so stressed that it makes you ill? You’re not alone!
Many people suffer from stress, these days. Maybe you find Prozac too
strong? Then you NEED to try Xanax, it’s milder. Still not convinced?
Check out the medical details in the attached file. Xanax might change
your life!

Attachments: xanax.exe
Infecting EXE files
The worm then looks for EXE files in the Windows directory, and infects them. While infecting, the worm moves a victim file body down and writes itself to the file beginning. The worm does not infect files with names beginning with E, P, R, S, T, W.
IRC channels
Next, the worm infects the mIRC client if it is installed. The worm looks for the mIRC client in the following directories:
\mirc
\Program Files\mirc
on the C:, D:, E: and F: drives. If the mIRC client exists, the worm overwrites the SCRIPT.INI mIRC script file with a program that sends the worm’s copy to everybody who joins the infected channel.
Other Comments
When the worm is run from a file whose name has the letter ‘R’ as the next-to-last character (xxxRx.EXE), it displays the following message:

The worm’s own file XANSTART.EXE, which is registered in the system Registry auto-run key, has exactly such a name, so the worm displays this message upon each Windows start-up.
The worm also creates more files in the system:
Windows system directory: HOSTFILE.EXE

Windows directory: WINSTART.BAT, XANAX.SYS
HOSTFILE.EXE remains after an infected host file has been run; it contains the clean (uninfected) body of the last infected file that was run.
The XANAX.SYS file contains the text:
Win32.HLLP.Xanax (c) 2001 Gigabyte
The WINSTART.BAT file contains commands that display the message:
Do not take this medication with ethanol, Buspar (buspirone), TCA antidepressants, narcotics, or other CNS depressants. This combination can increase CNS depression. Be sure not to take other sedative, benzodiazepines, or sleeping pills with this drug. The combinations could be fatal. Do not smoke or drink alcohol when taking Xanax. Alcohol can lower blood pressure and decrease your breathing rate to the point of unconsciousness. Tobacco and marijuana smoking can add to the sedative effects of Xanax.

I-Worm.Wineva

Saturday, December 30th, 2006

Details
I-Worm.Winevar

This is a worm that spreads via the Internet attached to infected e-mails. The worm was found in-the-wild in Korea at the end of November 2002.
The worm itself is a Windows PE EXE file about 91Kb in length, written in Microsoft Visual C++. Most of the text strings in the worm body are encrypted.
Installing
While installing the worm copies itself to the Windows system directory under a randomly selected name:
WIN%rnd%.PIF
where %rnd% is a random number, and registers that file in the system registry auto-run keys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
There are two values written to all those keys:
.default = %worm file name%
%worm name% = %worm file name%
where %worm name% is the worm file name without extension and %worm file name% is the full file name, for example:
.default = “C:\\TEMP\\WIND2C2.pif”
“WINA2B3″ = “C:\\WINDOWS\\SYSTEM\\WINA2B3.pif”
It seems that the “.default” duplicate is written to the registry key because of a bug in the worm code.
Later the worm also copies itself with EXPLORER.PIF name to the Desktop.
Spreading
To collect victim e-mail addresses the worm looks for *.HTM and *.DBX files and extracts addresses from them, skipping any address that contains “@microsoft.”. To send infected messages the worm uses a direct connection to the default SMTP server.
While sending itself the worm appends the following information to its copy:
- country region ID (for example: [KOR], [RUS] - for Korea and Russia)
- current date and time
- user name and company name (as it is stored in registration information)
Using this data it is possible to trace the “migration” of a particular worm copy.
The infected messages have different data in the e-mail fields. Below the %RegisteredOwner% and %RegisteredOrganization%

Subject is randomly (depending on worm “generation”) selected from variants:
Re: AVAR(Association of Anti-Virus Asia Reseachers)
N’4 %RegisteredOrganization%
N’4 Trand Microsoft Inc.

The last (third) variant is selected if there is no “RegisteredOrganization” key in the system registry. The “N`4″ combination is the “Re:” string left undecrypted; it seems the worm author simply forgot to decrypt that string in the corresponding routine.
The message body is also selected depending on worm generation:
%RegisteredOwner% - %RegisteredOrganization%
or:
AVAR(Association of Anti-Virus Asia Reseachers) - Report.
Invariably, Anti-Virus Program is very foolish.
Attached file names can be different, for example:
MUSIC_1.HTM, MUSIC_2.CEO
WIN40B1.TXT, WIN40B1.GIF
where the “WIN” names have a random number at the end (in this case “40B1″). Depending on the e-mail client, the appearance of these attached files in the infected message may differ.
To run itself directly from an infected message the worm uses two security vulnerabilities:
Microsoft VM ActiveX Component
Incorrect MIME Header Can Cause IE to Execute E-mail Attachment
Payload
The worm looks for anti-virus programs, firewalls and debuggers and tries to terminate them, as well as to kill their files. In some cases (in all cases?) if an anti-virus is found, the worm erases all files on all drives, probably because of a mistake in its code.
The worm drops to Windows system directory “WIN%Rnd%.TMP” file, writes “Win32.Funlove” virus to there and executes this file. Thus the worm infects the machine with “Win32.Funlove” virus.
The worm displays the message:
Make a fool of oneself
What a foolish thing you have done!
In an endless loop the worm opens the http://www.symantec.com Web site (it seems that worm tries to run DoS attack on that server).
The worm also has following encrypted text strings:
~~ Drone Of StarCraft~~
http://www.sex.com/

I-Worm.Win32.Fason

Saturday, December 30th, 2006

Details
I-Worm.Win32.Fasong
Fasong is a worm that spreads via local area networks. The worm itself is a Windows PE EXE file about 170KB in length and is written in Delphi. The worm has a trojan routine (see below).
Installing
While installing the Fasong worm copies itself to randomly selected directories on randomly selected drives, and using randomly selected EXE names, for example:
GMLKU.EXE
TKXMLIB.EXE
LUFV.EXE

The worm registers these files in the system registry auto-run key:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
%rndname%.EXE = %rndname%.EXE

for example:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
GMLKU.EXE = C:\UTIL\GMLKU.EXE

Other auto-run keys are also affected: the worm writes references to its different copies to the following file-association keys (the clean default value of each is shown in parentheses):
HKCR\chm.file\shell\open\command (default value = “hh.exe” %1)
HKCR\exefile\shell\open\command (default value = “%1 %*”)
HKCR\inifile\shell\open\command (default value = “notepad.exe %1″)
HKCR\regfile\shell\open\command (default value = “regedit.exe %1″)
HKCR\scrfile\shell\open\command (default value = “%1 /S”)
HKCR\txtfile\shell\open\command (default value = “notepad.exe %1″)

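The auto-run entries described on this page (the Run and RunServices values used by Xanax, Winevar and Welyah, and Fasong's rewrite of the HKCR shell\open\command defaults just listed) can be checked offline against a registry export. The script below is an added example, not code from this page or from any product it mentions: it parses a .reg export, flags Run values that point to .pif files or carry Winevar's odd “.default” name, flags Fasong-style values named after their own executable, and compares each shell\open\command against the default program given in the list above. The .reg text it scans is constructed for the demonstration.

```python
"""Audit a Windows .reg export for the auto-run and file-association
tampering described above. Added example; the .reg text is constructed."""
import ntpath
import re

# Clean program each shell\open\command should start with, taken from the
# default values listed for the keys Fasong rewrites. "%1" means the opened
# file itself is the program (exefile, scrfile).
EXPECTED_OPEN_PROGRAM = {
    "chm.file": "hh.exe",
    "exefile": "%1",
    "inifile": "notepad.exe",
    "regfile": "regedit.exe",
    "scrfile": "%1",
    "txtfile": "notepad.exe",
}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def unescape(s):
    # .reg string data escapes backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse a .reg export into {key: {value_name: data}}; the unnamed
    default value is stored under "@". Only REG_SZ data is unescaped;
    dword:/hex: data is kept as written (enough for auto-run keys)."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else unescape(m.group(2))
            data = m.group(3)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = unescape(data[1:-1])
            current[name] = data
    return keys


def first_token(command):
    """Program part of a shell command: a quoted path or the first word."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def program_name(command):
    return ntpath.basename(first_token(command)).lower()


def audit(keys):
    """Return (key, value name, reason) triples for suspicious entries."""
    findings = []
    for key, values in keys.items():
        parts = key.split("\\")
        leaf = parts[-1].lower()
        # Run / RunServices persistence entries
        if leaf in ("run", "runservices") and "currentversion" in key.lower():
            for name, data in values.items():
                if name.lower() == ".default":
                    findings.append((key, name, "named '.default' value (Winevar's duplicated entry)"))
                if data.lower().endswith(".pif"):
                    findings.append((key, name, "auto-run target is a .pif file"))
                if name.lower().endswith(".exe") and name.lower() == ntpath.basename(data).lower():
                    findings.append((key, name, "value named after its own executable (Fasong pattern, weak heuristic)"))
        # <type>\shell\open\command file-association hijacks
        if len(parts) >= 4 and leaf == "command" and parts[-2].lower() == "open" and parts[-3].lower() == "shell":
            expected = EXPECTED_OPEN_PROGRAM.get(parts[-4].lower())
            actual = program_name(values.get("@", ""))
            if expected and actual != expected:
                findings.append((key, "@", f"open command runs '{actual}' instead of '{expected}'"))
    return findings


def audit_reg_text(text):
    return audit(parse_reg(text))


# Constructed .reg export mixing one clean entry with the patterns above
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
".default"="C:\\WINDOWS\\SYSTEM\\WINA2B3.pif"
"WINA2B3"="C:\\WINDOWS\\SYSTEM\\WINA2B3.pif"
"GMLKU.EXE"="C:\\UTIL\\GMLKU.EXE"
"SecurityHealth"="C:\\WINDOWS\\system32\\SecurityHealthSystray.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\UTIL\\TKXMLIB.EXE \"%1\" %*"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="notepad.exe %1"
"""

if __name__ == "__main__":
    for key, name, reason in audit_reg_text(SAMPLE_REG):
        print(f"{key} [{name}]: {reason}")
```

Export the keys of interest with reg export (or convert an offline hive) and feed the text to audit_reg_text. The .pif and “.default” rules and the shell\open\command comparison are strong indicators; the “named after its own executable” rule is only a pointer, since some legitimate installers write Run values that way.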
Spreading
The worm copies itself to all local drives with randomly selected EXE names. The worm also copies itself to network drives. To run itself on remote machines Fasong also creates an autorun.inf file in the drive root directory and writes an [autorun] section with an OPEN= command to this file.
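An autorun.inf dropped on a shared or removable drive is easy to audit before the drive is opened. The following Python is an added example, not code from this page: it parses the [autorun] section (case-insensitively, tolerating CRLF line endings, quoted paths and comments), reports the OPEN= directive named above and the SHELLEXECUTE= directive that Windows also honours, and rates any target with an executable extension as high severity. The autorun.inf texts are constructed for the demonstration.

```python
"""Report autorun.inf files that would launch a program when a drive is
opened, the spreading trick Fasong uses on network drives. Added example;
the autorun.inf texts below are constructed."""
import ntpath

# Extensions that run as code when launched from an autorun command
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr"}


def parse_ini(text):
    """Minimal INI parser: section and key names are case-insensitive,
    values keep their case; handles CRLF and ';' comment lines."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return sections


def launch_findings(text):
    """Return (directive, program, severity) for each launch directive in
    the [autorun] section. OPEN= is the key described on the page;
    SHELLEXECUTE= is a further launch key Windows honours."""
    autorun = parse_ini(text).get("autorun", {})
    findings = []
    for key in ("open", "shellexecute"):
        command = autorun.get(key, "").strip()
        if not command:
            continue
        # program is the quoted path, or the first whitespace-separated word
        program = command.split('"')[1] if command.startswith('"') else command.split()[0]
        ext = ntpath.splitext(program)[1].lower()
        severity = "high" if ext in EXECUTABLE_EXTENSIONS else "medium"
        findings.append((key, program, severity))
    return findings


# Constructed samples: a Fasong-style file, a quoted-path variant, a benign one
FASONG_STYLE = "[autorun]\r\nOPEN=TKXMLIB.EXE\r\nicon=TKXMLIB.EXE,0\r\n"
QUOTED = '[AutoRun]\n; vendor comment\nopen = "Setup Files\\install.exe" /quiet\n'
BENIGN = "[autorun]\nicon=setup.ico\nlabel=Driver CD\n"

if __name__ == "__main__":
    for name, sample in (("fasong", FASONG_STYLE), ("quoted", QUOTED), ("benign", BENIGN)):
        print(name, launch_findings(sample) or "no launch directive")
```

Run launch_findings over every autorun.inf found in the root of network and removable drives; a file whose launch target is an executable sitting in the same root is exactly the pattern described for Fasong.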
Trojan Routine
The trojan routine gets personal information from OICQ and some other Chinese programs, and then it sends emails containing personal data from victim machines to its master.
Other
The Fasong worm creates following registry key entry where it stores its internal data:
HKLM\Software\Microsoft\Windows\CurrentVersion\win70

Fasong tries to detect and terminate several running anti-virus programs and firewalls.
Fasong looks for the Msread.dt file and reads its internal settings from that file. The settings are text strings such as:
workfile
mima_wenjian
fasong_youxiang
yonghu_ming
youxiang_mima
fasong_zhuti
fanggai_mima
smtp_fuwuqi
auto_share

I-Worm.Welyah

Saturday, December 30th, 2006

Details
I-Worm.Welyah.a

This is a worm that spreads under Win32 systems. It sends e-mail messages with infected attached files, sends files from the local computer to steal information from infected systems, and has a destructive payload. The worm was discovered in-the-wild in December 2001.
The worm itself is a Windows PE EXE file about 108K in length, written in Visual Basic 6.
Infecting the system
When an infected file is run (when a user clicks on an attached file and activates it, or if the worm gets control through an IFRAME security breach), the worm’s code takes control. First of all, it drops (installs) its components to the system and registers in the system registry.
While installing, the worm copies itself to the Windows system directory with the name WINL0G0N.EXE, and registers this file in the system registry auto-run keys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
WINL0G0N.EXE = \WINL0G0N.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
WINL0G0N.EXE = \WINL0G0N.EXE
Spreading
To send infected messages, the worm uses a direct connection to an SMTP server. The worm obtains the SMTP server address from the system registry or uses the following predefined address:
210.177.111.18
Victim e-mail addresses are obtained from the files in the local disks. The file list is as follows:
“*.eml”,”*.wab”,”*.dbx”,”*.mbx”,”*.xls”,”*.xlt”,”*.mdb”
Next, the worm sends infected messages. The message body is in HTML format, and exploits an IFRAME breach to spawn an infected attachment on vulnerable machines.
The message fields are:

Subject: Welcome to Yahoo! Mail
Body: Welcome to Yahoo! Mail
Attachment: readme.txt

The worm stores the list of its victims’ e-mail addresses in the file emailinfo.txt. While spreading, it stores its dropper in the file email.txt.
Sending files from a local computer
The worm looks for files in the subdirectories of the local disks. The file list is:
“tree.dat”,”smdata.dat”,”hosts.dat”,”sm.dat”
It sends them to the ftp server “ftphd.pchome.com.tw” for the users from the list:
shit0918, shit530, shiu58, shoho2, shoo2206
Destructive actions
The worm deletes all files in the current directory. It can delete files in the Windows root directory after rebooting.

