Prevent Online Threats

Archive for December, 2006

I-Worm.Wargam

Saturday, December 30th, 2006

Details
I-Worm.Wargam

This is a virus-worm that spreads via the Internet attached to infected e-mails. The worm itself is a Windows PE EXE file about 77Kb in length (encrypted by ASProtect EXE files protection utility), and written in Borland C++.
The infected messages have one of the three following variants of the Subject/Body/Attached file:
Subject: Mail to %RecipientEmail%
Body: I send you this patch.
It corrects a bug into Internet Explorer and Outlook.
Attachment: patch.exe
The other two Subject/Body/Attachment variants were given as images in the original entry.
The worm activates from infected e-mail only when a user clicks on an attached file. The worm then installs itself to the system, runs its spreading routine and payload.
Installing
While installing, the worm copies itself to the Windows system directory twice with the “article.doc.exe” name and with a random “.exe” name (like WVUUQ.EXE), and then registers the latter file in:
under Win9x: WIN.INI file, [windows] section, “run=” command
under WinNT: system registry Run= key.

The worm also creates additional registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\WarGames Worm
DisplayName = Wargames Uninstall
UninstallString = rundll32 mouse,disable

The worm also looks for several programs and attempts to terminate their processes. The list contains anti-virus programs as well as a few widespread viruses:
AVP32.EXE
AVPCC.EXE
AVPM.EXE
WFINDV32.EXE
F-AGNT95.EXE
NAVAPW32.EXE
NAVW32.EXE
NMAIN.EXE
PAVSCHED.EXE
ZONEALARM.EXE
KERN32.EXE
SETUP.EXE
RUNDLLW32.EXE
GONER.SCR
LOAD.EXE
INETD.EXE
FILES32.VXD
SCAM32.EXE
GDI32.EXE
_SETUP.EXE
EXPLORE.EXE
ZIPPED_FILES.EXE

Spreading
To send infected messages, the worm uses three different ways (and sends messages of three different types – see above).
First, the worm scans *.HT*, *.DOC and *.XLS files in the Windows directory and in the user’s Personal, Desktop, Favorites and Internet Cache directories, looks for e-mail addresses there and then sends infected messages to those addresses.
Next, the virus creates the “wargames.vbs” file in the Windows directory, writes a VBS script to it and runs it. The script sends infected messages to all addresses from the MS Outlook Address Book.
At the end, the worm, by using Windows MAPI functions, connects to the incoming e-mail box and “answers” all the messages from there.

I-Worm.Wallon

Saturday, December 30th, 2006

Details
I-Worm.Wallon.a

Wallon is an Internet worm that spreads via e-mails containing links to an infected website.
The infected e-mails contain the following link:
http://drs.yahoo.com/[recipient domain]/NEWS

A screenshot of the infected message follows:

When users click on the link an Internet Explorer vulnerability allows a script Trojan to be executed.
This Trojan extracts a downloader (about 36 KB, packed with ASPack) from itself which overwrites the wmplayer.exe file.
The downloader then downloads the main body of Wallon and installs it in the C drive root directory under the name alpha.exe. Wallon then changes the Internet Explorer home page to www.google.com.super-fast-search.apsua.com and creates its own toolbar in Explorer.
The main component of Wallon is a PE file about 150 KB in size, written in Delphi and packed by ASPack.
During installation, Wallon creates the following system registry key:
[HKCU\SOFTWARE\Microsoft\Internet Explorer\Main]
“Wh” = ?
Wallon then scans this key and depending on the values attempts to open www.pixpox.com. In this case, Wallon is acting as a clicker for this site, improving visitor statistics.
Wallon also sends infected emails to all addresses in the local MS Outlook address book using the indicated SMTP server.

I-Worm.Vybab

Saturday, December 30th, 2006

Details
I-Worm.Vybab

This worm spreads via the Internet as an attachment to infected messages. It can also infect EXE files.
It is a PE EXE file written in Borland Delphi and is approximately 140 KB in size.
Installation
When installing itself to the system, the worm creates a file named 123.txt in the Windows directory. This file contains the following text string:
babyv ; made of Ran
It also creates files in the root directory and the Windows directory. The names of these files are created from three random characters and one of the following extensions:
bat
exe
htm
rar
doc
xls
These files do not contain the body of the worm.
The worm copies itself to a temporary file named seeyou.rar in the C:\ root directory.
It also creates a file named echo.vbs in the Windows temporary directory. This file contains the script which enables the worm to propagate via email.
Propagation via email
Each time the worm or one of the infected files is launched, the worm sends itself to all addresses in the MS Outlook address book. Infected e-mails have the following characteristics:
Message header:
Microsoft Pack3, ;o)
Message text:
Hi:
This is Microsoft client server center
Check This!
Infecting EXE files
When the worm is launched for the first time, it infects EXE files located in the Program Files directory, and in the directory which the worm was launched from. It writes itself to the beginning of those files.
After this the worm searches all directories on all accessible drives and infects all EXE files found.
When an infected file is launched, the virus copies itself into the root directory of every available drive and sends itself via email. The original uninfected file is saved in the Windows temporary directory and will re-establish control once the worm finishes the infection process.

I-Worm.Vote

Saturday, December 30th, 2006

Details
I-Worm.Vote

This Internet worm spreads via e-mail messages using MS Outlook. Upon being executed, the worm sends infected messages to all addresses stored in the Outlook address book, then it overwrites all HTML files on the local disk drives. Upon the next Windows start-up, the worm tries to delete all files in the Windows folder, and reboots the computer.
The worm arrives to a computer as an e-mail message with an attached executable file that is the worm itself. The malicious message contains the following:

The worm doesn’t run automatically from e-mail. It is activated only when a user starts it manually (by double-clicking on the attachment).
Upon being executed, the worm sends infected messages to all addresses stored in the Outlook address book. Then it opens two Internet browsers utilizing sites that are closed at the moment. Also, it replaces the Internet Explorer start-up page with one of its own. Following this, the worm drops two different VBS files.
The first one is named “MixDaLaL.vbs” that the worm creates and runs immediately in the Windows folder. This file has a script program that searches for files with HTM and HTML extensions on all removable and local hard drives, and overwrites them with a short text:
AmeRiCa …Few Days WiLL Show You What We Can Do !!! It’s Our Turn >>> ZaCkEr is So Sorry For You
The second VBS file the worm drops into the Windows system folder with the name “ZaCker.vbs”, and registers it in the auto-run registry section. This means the file will be automatically executed upon the next Windows start-up. Upon being executed, it attempts to delete all files in the Windows directory, overwrites AUTOEXEC.BAT with a command destroying all data on drive C:, and then it displays the following message:

The worm finally reboots the computer. As a result, the system may be rendered unbootable or all data may be destroyed.

I-Worm.Voltan (aka Zelig)

Saturday, December 30th, 2006

Details
I-Worm.Voltan (aka Zelig)
Voltan is an Internet worm spreading via the email addresses stored in Windows address books.
Messages to beware of carry the subject line:
Il momento e’ catartico
and the following body text:
Ricevo e cortesemente inoltro,all. un premio per la genialita
hanno reso mitico un salva schermo scaricalo, “poesie
catartiche”, che
non sai cosa ti perdi

ciao
There is a link to a web site where a copy of the Voltan worm resides.
Additionally, the worm replaces the screen saver with a scrolling text line stating:
A volte ti sento cosi vicina…A volte ti sento cosi
lontana…Certo che hai proprio un cellulare di merda!
The worm is a Windows executable file about 36 KB in size when compressed with ASPack. The uncompressed size is about 70KB. Voltan is unable to function in the operating system environments of Windows 95, 98, ME, and NT4.

I-Worm.Valcard

Saturday, December 30th, 2006

Details
I-Worm.Valcard

This is a virus-worm that spreads via the Internet attached to infected e-mails. The worm itself is a Windows PE EXE file about 97Kb in length (compressed by UPX, about 132K when decompressed), and it is written in Visual Basic.
Spreading
To send infected messages, the worm uses MS Outlook, and sends messages to all addresses found in the Outlook address book. The infected messages appear as follows:
The Subject is randomly selected from the following variants:
Secret Admirer
Somebody Loves You
Romance from Afar
Love at first sight
…when sleepers wake and yet still dream…
Be Mine ?!
Yours Always
Happy Valentines
From Me To You
Thy eternal summer shall not fade
I can express no kinder sign of love, than this kind kiss
Poetry is an echo, asking a shadow to dance
O, beauty, till now I never knew thee!
Romantic gesture
Good night, sweet prince, and flights of angels sing thee to thy rest
The message Body, followed by a “user name”, is selected from the following variants:
Happy Valentines
I hope you like the card I’ve attached,
even if you don’t feel the same.
Febuary Feelings
It’s that time of year again.
But I’m still only sedning a card to you.
Happy Valentines
I hope you like the card I’ve attached,
even if you don’t feel the same.
Hi
I feel like a child sending you this card
but I just had to do it.
Happy Valentines
I hope you like the card I’ve attached,
even if you don’t feel the same.
…and every breath I ever took,
every tear I ever wept,
Every star I wished upon,
Seemed nothing until now.
Happy Valentines
I hope you like the card I’ve attached,
In this life we cannot do great things.
We can only do small things with great love.
Happy Valentines
I hope you like the card I’ve attached,
even if you don’t feel the same.
Attachment: ValentineCard.exe
Installing
The worm activates from infected e-mail only when a user clicks on an attached file. The worm then installs itself to the system, runs a spreading routine and payload.
While installing, the worm copies itself to the Windows system directory with the “ValentineCard.exe” name, and registers that file in the system registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run 14th = %SystemDir%\ValentineCard.exe
where %SystemDir% is Windows system directory.
Payload
Upon being installed, the worm writes a “not a first run” registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion Valentine = true
and then operates depending on this key’s presence. Because of a bug, on any run (first run, second run, …) the worm does the same thing: it creates “C:\evil.jpg”, writes sound data there and opens it. Because the file has the wrong extension (“.jpg” picture, not “.wav” sound), the system fails to accept it. If this file is renamed to “.wav”, it plays the “Somebody loves you” phrase.
The worm should also (but fails) create the “C:\1.wav” file, and open its window. The worm’s program window should have a moving title:
I Love You !
on the “About” button, it should display the following message:
Flash Player
Flash Player 4.0
Copywrite (C) 1996-1999 Macromedia, Inc.

http://www.macromedia.com

On Thursdays, the worm should (but fails) restart Windows.

I-Worm.Updater

Saturday, December 30th, 2006

Details
I-Worm.Updater.a

This is a virus-worm that spreads via the Internet attached to infected e-mails. The worm itself is a Windows PE EXE file about 12Kb in length, and it is written in Visual Basic (VB6). It is packed by the UPX program. After unpacking, it is 45 Kb in size.
The worm activates from an infected e-mail only when a user clicks on an attached file. The worm then installs itself to the system, runs a spreading routine and payload.
The infected messages have different texts and attached file names; the worm randomly selects them while spreading from the following variants:
Subjects:
Part1 + Part2 + Part3 + Part4
Part1 = “Have you “, “You Should “, “Just “, “Why Not you “, “How to “, “Re: “, “Fwd : “, ” ”
Part2 = “Check “, “Check out “, “Watch out “, “Open “, “Look at ”
Part3 = “this “, “my “, “For this “, “The ”
Part4 = “Picture”, “Program”, “Patch”, “Nude pic”, “Report”, “Documment”, “Quotation”, “Transaction”, “Bank Account”, “WTC Tragedy”, “Osama Vs Bush”, “Account”, “Private Pic”

Examples:
You Should Look at this Osama Vs Bush
Fwd : Check my Patch

Attachment filenames:
“Setup.EXE”, “install.exe”, “Readme.exe”, “Files.exe”, “Picture.exe”, “Quotation.Doc.exe”, “Letter.Doc.exe”, “Picture.jpg.exe”
Body:
Hi:
This is the file you ask for, Please save it to disk and open this file, it’s very important.
Sample message:

Installation
While installing, the worm copies itself to the C:\WINDOWS\ directory with the UPDATE.EXE name, and registers that file in the system-registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run Update = C:\WINDOWS\Update.exe
The worm then displays the following fake error message:

Payload
The worm creates the file C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\Update.vbs. This script file starts automatically after rebooting a system under Windows 9x/ME. It looks for files on all drives with the following extensions: EXE, DOC, TXT. It creates script copies with the same names plus the extra extension “.vbs”. For example:
MPLAYER.EXE.vbs
NOTEPAD.EXE.vbs

This script file contains the strings:
I-WORM.IMELDA.B
(C)2001, by Iwing
Virusindo – Indonesian Virus Network
http://indovirus.8m.com , IRC Dalnet #indovirus

The worm changes the volume label on disk C:, then the IMELDA
The worm also copies itself to the C:\WINDOWS\ directory with one of the following names:
“Setup.EXE”, “install.exe”, “Readme.exe”, “Files.exe”, “Picture.exe”, “Quotation.Doc.exe”, “Letter.Doc.exe”, “Picture.jpg.exe”

I-Worm.Unis

Saturday, December 30th, 2006

Details
I-Worm.Unis.a

This is an Internet worm that spreads via e-mail (as an attached file) and through IRC channels. The worm is also able to affect RAR archives: it appends its code to the archive contents.
The worm’s functionality is based on so-called “plugins”. The main worm component (a Win32 EXE file about 12K in length), which is sent by e-mail and to IRC channels, is just a “loader” that connects to a Web page, fetches more worm components (plugins) from there and then executes them. So the worm’s functionality depends completely on its plugins. Five plugins are known at the moment.
The Web page address depends on the worm version. The addresses known at the moment are:

http://hyperlink.cz/benny/viruses/

http://shadowvx.com/benny/viruses/

All known worm components (main EXE file and plugins) are compressed with TeLoc Win32 PE EXE files compressor.
The worm code has many bugs: infected files halt the system in most cases, and the worm fails to send its copies to the Internet. So the worm has very little chance of being discovered in the wild.
Main Component
When the main worm EXE file is executed (from an attached e-mail file, for example), it stays in the system as a service (hidden application), copies itself to the Windows system directory under the MSVBVM60.EXE name (not to be confused with MSVBVM60.DLL, the Windows Visual Basic runtime library) and registers this copy in the Windows auto-run registry key:
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
The worm then connects to the “http://hyperlink.cz/benny/viruses” Web page (somewhere in the Czech Republic) or to another one (depending on the worm version), gets its plugins from there (the plugins are listed in a special file at that site) and stores them in the Windows system directory under the names:
MSVBVM6A.DLL
MSVBVM6B.DLL
MSVBVM6C.DLL
MSVBVM6D.DLL
etc.
These plugins are encrypted with the Windows RSA crypto library, so the worm first decrypts them and then activates them.
The worm then “sleeps” for some time (randomly selected, up to 5 minutes) and repeats all of the above again.
The main worm component contains the text:
[I-Worm.Universe] by Benny/29A
“Payload” Plugins
This plugin, depending on the system timer, calls one of three procedures:
1. Affects MS Explorer: it sets the default start, local, “what’s new” and search pages to “http://www.therainforestsite.com”
2. Gets the UNIVERSE.JPG file from the worm’s Web site and registers it as the Windows desktop wallpaper.
3. Messes up the Desktop: randomly moves its blocks around.
“Feedback” Plugin
This plugin reports on the infected machine: it sends a report to an e-mail address that differs between plugin versions:
benny_29a@hushmail.com
auto129742@hushmail.com
The report contains the Inet name of infected machine and the date&time of infection.
“Mail” Plugin
This plugin scans all HTML files in the Internet cache directory, collects Internet addresses from them and sends messages to those addresses. The messages have the fields:
From: “Microsoft Support” [support@microsoft.com]
Reply-To: “Peter Szor” [pszor@symantec.com]
To: “Mikko Hypponen” [mikko.hypponen@f-secure.com]
Subject: Virus Alert
Attached file name: uniclean.zip
Text:

Dear user
F-Secure, Symantec and Microsoft, top leaders in IT technologies have discovered one very dangerous Internet worm called I-Worm.Universe in the wild. Author of this viral program is well known hacker from Europe under “Benny” nickname from 29A virus writting group.
Universe is fast-spreading worm that already destroyed computer systems in FBI and Microsoft. It is heavilly encrypted and very complex. It consists from many independed parts called “modules”, which are very variable – every second hour is producted one new module, that completelly changes behaviour of worm, including anti-detection tricks.
You should check your system by our anti-virus attached to this mail. All reports please send to our mail address: universe@microsoft.com and/or universe@f-secure.com
Have a nice day,
F-Secure, Symantec and Microsoft, top leaders in IT technologies.
The attached file is actually the worm’s main component (the loader), not a ZIP archive. If a victim tries to open that file from the e-mail message, a ZIP archiver starts and reports a broken archive or a wrong archive format. So under a standard Windows installation the worm code is not activated.
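The “Mail” plugin message described above (a spoofed vendor sender and an attachment named uniclean.zip that is really the loader EXE), together with the double-extension attachment names used by Updater.a earlier on this page (Quotation.Doc.exe, Picture.jpg.exe, and the NAME.EXE.vbs copies it creates), are the kind of thing a mail gateway can flag without any signature. The following Python script is an added example, not part of the original entries or of any vendor product: it parses an RFC 822 message with the standard library, flags executable and double-extension attachment names, and compares each attachment’s leading bytes with the type its name claims. The sample message is constructed here after the header fields listed above; its attachment bodies are header stubs, not real files.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions that execute on double-click under the Windows versions these worms
# target, and the "decoy" extensions the worms put in front of them.
EXECUTABLE_EXT = {"exe", "com", "scr", "pif", "bat", "vbs", "hta"}
DECOY_EXT = {"doc", "xls", "jpg", "txt", "htm", "html", "rar", "zip"}

# Well-known leading bytes used to identify the real container type.
MAGIC = {
    b"MZ": "exe",            # DOS/Windows executable header
    b"PK\x03\x04": "zip",    # ZIP local file header
    b"Rar!": "rar",          # RAR archive signature
    b"\xff\xd8\xff": "jpg",  # JPEG start-of-image marker
}


def sniff_type(data):
    """Return the type implied by the first bytes of data, or 'unknown'."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def name_findings(filename):
    """Filename-only checks: a trailing executable extension, and a second
    extension hidden in front of it (Picture.jpg.exe, MPLAYER.EXE.vbs)."""
    parts = filename.lower().split(".")
    findings = []
    if len(parts) >= 2 and parts[-1] in EXECUTABLE_EXT:
        findings.append("executable attachment (.%s)" % parts[-1])
        if len(parts) >= 3 and parts[-2] in DECOY_EXT | EXECUTABLE_EXT:
            findings.append("double extension .%s.%s" % (parts[-2], parts[-1]))
    return findings


def inspect_message(raw_bytes):
    """Return [(filename, [findings])] for each attachment of a raw RFC 822 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or "(unnamed)"
        data = part.get_content()
        if isinstance(data, str):          # text/* parts come back decoded
            data = data.encode("utf-8", "replace")
        findings = name_findings(filename)
        declared = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
        actual = sniff_type(data)
        if actual != "unknown" and actual != declared:
            findings.append("content is %s but name says .%s" % (actual, declared))
        results.append((filename, findings))
    return results


def build_sample():
    """Constructed message modelled on the 'Mail' plugin fields above. The attachment
    bodies are header stubs (an MZ signature plus padding), not real files."""
    msg = EmailMessage()
    msg["From"] = '"Microsoft Support" <support@microsoft.com>'
    msg["To"] = "user@example.com"   # placeholder recipient
    msg["Subject"] = "Virus Alert"
    msg.set_content("Dear user\nYou should check your system by our anti-virus attached to this mail.\n")
    stub = b"MZ\x90\x00" + b"\x00" * 60
    msg.add_attachment(stub, maintype="application", subtype="zip", filename="uniclean.zip")
    msg.add_attachment(stub, maintype="image", subtype="jpeg", filename="Picture.jpg.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, findings in inspect_message(build_sample()):
        print(filename, "->", findings or ["no findings"])
```

The content check is deliberately conservative: it only reports a mismatch when the leading bytes positively identify a type, so an attachment with an unrecognised header is left to the name checks rather than guessed at.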
“Mirc” Plugin
This plugin just drops to C:\MIRC32 directory (if exists) new SCRIPT.INI file that contains the text:
;Default mIRC32 script
;** DO NOT EDIT **
and the instruction that sends worm “loader” to any user who enters infected IRC channel.
“Rar” Plugin
This plugin looks for all *.RAR archives in the MS Explorer Download directory and writes itself into each archive under the SETUP.EXE name.

I-Worm.Unicle

Saturday, December 30th, 2006

Details
I-Worm.Unicle

General Characteristics
This worm works on Chinese versions of Windows only and spreads by sending infected e-mail messages. The worm has two components: a script program and a Windows PE EXE file. The first component (the script) is sent in infected e-mails and infects the computer, then downloads and executes the EXE component, which completes the infection and spreads the worm further.
Installation
The worm arrives as an HTML message with a JavaScript program inside. That script is automatically processed upon opening a message, and the worm code gets control.
Note:
Internet browsers and e-mail clients have built-in security protections that prevent script programs embedded in messages from accessing disk files and system resources (the worm needs both to spread itself, see below). To infect the system from an e-mail message, the worm has to bypass these protections. To do so, it exploits an Internet Explorer 5 security hole, the so-called “Scriptlet.Typelib vulnerability” (see below).
The worm then searches for the startup directory – it looks for Windows directories in the following order:
C:\WINDOWS\Start Menu\Programs\-T-?
C:\WINDOW\Start Menu\Programs\-T-?
C:\WIN\Start Menu\Programs\-T-?
C:\WIN98\Start Menu\Programs\-T-?
C:\WIN95\Start Menu\Programs\-T-?
C:\WINDOWS.000\Start Menu\Programs\-T-?
C:\WINDOWS.001\Start Menu\Programs\-T-?
D:\WINDOWS\Start Menu\Programs\-T-?
D:\WINDOW\Start Menu\Programs\-T-?
D:\WIN\Start Menu\Programs\-T-?
D:\WIN98\Start Menu\Programs\-T-?
D:\WIN95\Start Menu\Programs\-T-?
D:\WINDOWS.000\Start Menu\Programs\-T-?
D:\WINDOWS.001\Start Menu\Programs\-T-?
In case there are no such directories on the machine, the worm cannot infect the system and cannot spread further. The last characters in each line are Chinese strings, and they can’t be used under any other local Windows version, which is why the worm is able to affect Chinese Windows only.
If an appropriate directory is found, the worm creates a “Microsoft Internet Explorer.hta” file there. This file is an HTML Application containing another of the worm’s script programs. Because the file is created in the Windows startup directory, it is executed at the next Windows startup.
Once executed, the “Microsoft Internet Explorer.hta” script creates an MSIE.INI file in the Windows system directory and stores the local SMTP server address there (the worm reads the SMTP server address from the system registry).
Note:
the SMTP server is the machine that accepts outgoing e-mail messages from the computer. For a stand-alone PC or a mail server, this is the provider’s address or some other address used as the host e-mail server to send [and receive] e-mail.
After that the worm creates “system” folder in Windows system directory (for example “C:\WINDOWS\SYSTEM\system”) and tries to download to there the MSIE.EXE file from the Internet. To do this the worm connects to one of ten FTP sites using script for standard utility FTP.EXE. If download fails the worm goes into a loop and attempts to repeat it every three minutes.
When the MSIE.EXE file has been downloaded, the worm executes it (MSIE.EXE is a self-extracting archive) and obtains two more files:
EXPLORER.EXE
MSWINSCK.OCX
EXPLORER.EXE is the second worm component (Windows EXE file), and MSWINSCK.OCX is a library to access Windows sockets.
The worm then starts the EXPLORER.EXE file, which obtains e-mail addresses and sends infected messages, with the worm’s script program inside, using the SMTP protocol. To acquire victims’ e-mail addresses, the worm scans the subdirectory tree on all drives for *.NCH, *.SNM and *.DBX files (mail database files), then scans them for e-mail addresses.
The worm’s EXPLORER.EXE also performs additional actions. First of all, it erases the “traces” of its script component and deletes the files it created: MSIE.HTA, MSIE.LST, MSBOOT.BAT and MSIE.EXE. It then registers itself in the “run=” command of the WIN.INI file so that it is run automatically on each Windows startup.
The worm also notifies its author (or a possible host) about its presence on the infected machine. To do so, it sends a message to one of the addresses:
leebill_001@yahoo.com
leebill_002@yahoo.com
…
leebill_023@yahoo.com
there are 23 possible addresses, and the worm randomly selects one of them.
Payload
The worm has a “backdoor” payload that “listens” for a remote host and executes its commands: show a directory, open/close/create/execute/delete a file, etc.
Demo-versions of Kaspersky Lab AntiViral Toolkit Pro (AVP) able to combat against “Unicle” worm are available on Kaspersky Lab’s Web site on http://www.kasperskylab.ru/eng/products/eval.asp.
You can purchase fully functional version of AntiViral Toolkit Pro online via the Internet on the following address: http://www.kasperskylab.ru/eng/buy/default.asp
How to protect against “Unicle” worm?
Microsoft has released an update that eliminates security “Scriptlet.Typelib” vulnerability. We strongly recommend you visit http://support.microsoft.com/support/kb/articles/Q240/3/08.ASP and install this update.
If you do not use any HTML applications (HTA-files), there is another way to prevent infection by viruses of such type (the worms and viruses that use “Scriptlet.Typelib” security vulnerability). You need to remove file association for .HTA extension. To do this you have to follow these steps:
1. Double click “My Computer” icon on desktop.
2. In the window that appears, choose the “View” -> “Options…” menu.
3. On the “File Types” tab, select the “HTML Application” item in the “Registered file types” list box.
4. Click “Remove” button and confirm action.
5. Close options dialog box.

I-Worm.Trood

Saturday, December 30th, 2006

Details
I-Worm.Trood

This is an Internet worm that spreads attached to e-mails. The worm itself is a Windows application (EXE file) about 10K in length. The worm can infect Win9x/ME systems only.
When the worm is activated (executed by a user from an attached file), it installs itself to the system and displays a fake message:

Spreading
The worm stays in the Windows memory, registers itself as a hidden application (service), then copies a block of its code to the Win9x system area (as a VxD driver), and hooks TDI (Transport Driver Interface) functions that are responsible for connection and data sending (i.e., the worm spreading routine does not depend on the e-mailer, and is able to infect e-mailers of any type). So, the worm hooks transport protocols similar to firewall utilities.
The worm then monitors all messages that are being sent by SMTP protocol. If a message has no attached file(s), the worm appends its own file as an attachment with a TCPIPUPD.EXE name.
Run Each Time Windows Starts
To force Windows to run itself upon the next reboot, the worm copies itself to the Windows system directory with a SYSTRAY.EXE name. As that file usually is registered in the system registry auto-run key, the worm code is activated upon each Windows restart instead of the original SYSTRAY.
The SYSTRAY.EXE is usually active, and locked for writing by Windows as a result. To avoid this, the worm uses a standard trick of replacing files by using a WININIT.INI file.
To release control to an original SYSTRAY file, the worm, while installing, renames it with a SYSTRAY.SYS name. When the installing worm’s routine is complete, it runs this SYSTRAY.SYS file, and the original SYSTRAY program starts.
Payload
On Saturdays, the worm activates its payload routines that slowly move an active application window to a random direction (outside the desktop), and in five minutes, restarts Windows.
The worm code also contains the text strings:
I-Worm.Win9X.Troodon v1.0 Project
Developed by Clau.

I-Worm.Totilix

Friday, December 29th, 2006

Details
I-Worm.Totilix

This is a very dangerous Internet worm spreading in e-mail messages. Upon being run on a machine, it overwrites all EXE files in the Windows directory with its copy, except EMM386.EXE, SETVER.EXE and files that are currently run and are locked (EXPLORER.EXE for instance).
The worm then registers its file to be run upon each Windows startup (this is all for nothing, because the system will not be functional anyway after all EXE files have been overwritten). While registering, the worm creates a new auto-run key in the system registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
RunAVUpdate = “worm filename”
where “worm filename” is the actual file name the worm has run from.
The worm also creates an “identification” registry key:
HKLM\Software\Microsoft\AVUpdte\Install
that reports the system has already been infected and there is no need to overwrite EXE files in Windows and send infected messages.
Spreading
The worm does not obtain victims’ e-mail addresses from the MS Outlook address book or from other files as other e-mail worms do, but forces the user to select a victim address. When starting, the worm displays a fake message:
AV Intelligent Updater
Please select email address to send at your friend
Select email address with ‘a’ only not with ‘A’
[OK]
The worm then activates an e-mail client by using MAPI functions (i.e., not depending on the e-mail client brand and version), activates the Address Book menu and waits for the user to select address(es) there. The worm then sends an infected message to a selected address. The message has:
Subject: Virus Alert Update: New VBS.LoveLetter Threat
Text:
Hi Friend,
This mail contains a new AV intelligent updater for all antivirus.
To install it, execute the attachment file
if you have any problem, send mail at antivirus@hotmail.com

The attached file name is the same as the name of the file the worm has been activated from. Initially, the worm was received under the AVUPDATE.EXE name.
In case any error occurs while selecting an address or sending, the worm erases all files in the Windows directory, and displays one of the following “error” messages:
The recipient requested has not been or could not be resolved to a unique address list entry
The recipient could not be resolved to any address.The
recipient might not exist or might be unknown
One or more unspecified errors occured
The name was not resolved
There was insufficient memory to proceed
The operation was not supported by the messaging system
The user was cancelled one or more dialog box
In case the worm successfully sends infected e-mail, it disguises itself with the message:
AV Intelligent Updater
Internal error occured when you have launch this program
Contact antivirus@hotmail.com or others AV
Other Manifestations
Depending on system date and time, the worm erases files in the Windows directory and displays the following messages:
On 13th of any month, if seconds = 30
Virus Win32.AVUpdate
Attention, votre PC est en danger!!!!!
Car ceci est ma veritable identite
Veuillez contacter votre centre AV le plus proche
On February 2:
Win32.Eva by Benny, (c) 1999
Hello stupid user, i’m so sorry but i have to interrupt your work,
Cause i hate this shitty program. Click OK to continue
Greets to:
Super/29A
Darkman/29A
Jack Qwerty/29A
Billy Belcebu/DDT
And many other 29Aers…
On May 9:
Win32.3x3eyes coded by: Bumblee[UC]
This is my last contribution to Ultimate Chaos team Greetings UC brothers
On April 5:
Virus Report rev 2.1
SPIT.Win32 is a Bumblee Win32 Virus
Feel the power of spain and die by the SpiT!
On September 24:
TOTILIX Presents…
This >TOTILIX< Virus was assembled at the city of Oporto Portugal!
Gas_par@hotmail.com
(c) 1999 G@SP@R aka Sexus
Worm Variants
Several worm variants are known. They differ from the original version in the registry key value, message texts and manifestations:
Totilix.b
Registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
ILoveBritney = “worm filename”
Messages:
ILoveBritney Freeware
Please select email address to send at your friend
This program open automaticaly your address book

ILoveBritney Freeware
Thanks to have take this freeware!!!!
Which include new screen saver about britney
Now, send this software to your friend who like me
If you want to email me, send at britney@peeps.com
Email texts:
Subject: New Britney Screen Saver
Text:
Hi
I Send you this mail to give you a new screen saver about Britney Spears.
I hope your enjoy to have it.
See you soon…
On February 12 it deletes the files AUTOEXEC.BAT, CONFIG.SYS, IO.SYS, MSDOS.SYS and displays the message:
Win32.ILoveBritney
It’s Britney Birthday!!!!!
You musn’t work today…
Totilix.c
Registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
Madonna32 = “worm filename”
or
MadonnaNT = “worm filename”
Messages:
Madonna Hot Picture Software
Hey, before you use this software
Send me to your friends, please
Madonna Hot Picture Software
Hey, a error occured during the loading
Please retry later or contact Madonna Official Site

Madonna Hot Picture Software
A error occured when i try to send email
Please refer to your windows help for more informations

Madonna Hot Picture Software
This program need MAPI functions
It can be find into your computer
Please refer to Windows help to install it
Email texts:
Subject: Madonna Hot Picture
Text:
Hey, I know you like Madonna.I found this software on Madonna Official Site.
It contains a lot of picture about Madonna.
I hope you like to have it
See you soon…
Depending on system date and time it:
displays the message and exits Windows:
Win32.IHateMadonna by ZeMacroKiller98
Hey man, you see now that your PC is infected by me
Just now, you see that i HATE Madonna
overwrites the AUTOEXEC.BAT file with a “format c” trojan and displays:
Win32.IHateMadonna
Ha Ha Ha Ha!!!, Madonna Virus is in your computer…
And time is occured to destroy your PC!!!!!!
Thanks to ZeMacroKiller98!!!

I-Worm.Tosse

Friday, December 29th, 2006

Details
I-Worm.Tossed

This worm spreads in e-mail messages. The worm itself is a DOS EXE file about 30K in length. When run, it installs itself to the Windows directory under the name TYPEDEF.EXE and registers itself in the auto-run section of the WIN.INI file. To hide its activity, the worm then displays a fake message and exits:
PKSFX Self Extraction Utility Version 2.50 03-01-1999
Copr. 1989-1999 PKWARE Inc. All Rights Reserved. Shareware Version
PKZIP Reg. U.S. Pat. and Tm. Off. Patent No. 5,051,745

Error in SFX – Unable to extract !!
While installing, the worm tries four “hardcoded” variants of the Windows directory name: C:\WINDOWS, C:\WIN95, C:\WIN98 and C:\WINNT, and fails to install itself when Windows is installed in a directory with a different name.
Upon the next Windows start-up, the worm copy is activated as the TYPEDEF.EXE file from the Windows directory. The worm keeps a counter in the TYPEDEF.INI file that is incremented on each start of TYPEDEF.EXE (i.e., on each Windows start-up). Depending on that counter (once per three runs), the worm creates a TYPEDEF.VBS file and writes to it a Visual Basic Script program that sends the worm copy attached to e-mail messages.
That program opens MS Outlook, reads e-mail addresses from the AddressBook and sends messages to all of them. The message subject is: “Check this out”. The message text and attached file name are randomly selected from eight variants:
It seems internet explorer 5 has some kinda bug which leaves some secuirity holes and allows somebody to write files onto your system. I downloaded this fix. I am sending it as an attatchment.
Attach: IE5FIX.EXE
I found something to help get rid of those irritating ads that pop up when you go to some sites. I am sending it as an attatchment.
Attach: NOADS.EXE
Here are some images you might like. You really need to check them out.
Attach: IMAGES.EXE
I am sending some of the coolest pictures known to man. You might want to check them out.
Attach: COOLPICS.EXE
Please take a look at these documents. I am sending them compressed in a self extractor.
Attach: DOCS.EXE
I am sending you the setup of the latest shareware version of PKZip. It gives excellent compression ratios. You might want to install it.
Attach: PKSETUP.EXE
I downloaded a patch to some bug in Internet Explorer. I am sending it as an attatchment.
Attach: PATCH.EXE
I downloaded a screen saver with cool effects. I am sending you its installation. Do try it out
Attach: SCRNSAVE.EXE
Also depending on the counter, the worm displays the text:
[ASCII-art banner, garbled in extraction; not reproduced]
!!! and scrambled eggs !!!
I-WORM.TSSE
Coded by [Offset]
The worm also contains the text strings:
The Tossed Salad and Scrambled Eggs Worm = I-Worm.TSSE. Coded by [Offset]

I-Worm.Toi

Friday, December 29th, 2006

Details
I-Worm.Toil

This is a virus-worm that spreads via the Internet attached to infected e-mail, and infects Win32 applications on local computers and network resources. It uses the Win32.InvictusDLL library to infect files.
The structure of infected files appears as follows:
+========================+
|  infected              |
|  host file             |
|                        |
|  +------------------+  |
|  | polymorphic code |  |
|  |     INVICTUS     |  |
|  |                  |  |
|  +------------------+  |
|  | INVICTUS.DLL body|  |
|  +------------------+  |
|  | worm body        |  |
|  +------------------+  |
+========================+

When an infected file is launched, control is passed to the polymorphic code of the INVICTUS library: either immediately, if the program entry point points directly to the virus code, or at a point that depends on the host’s structure, if “Entry Point Obscuring” was used. This code decrypts and writes the INVICTUS.DLL library to the %SYSTEM% folder and the worm’s code to the %TEMP% folder under a random file name, and then launches the worm.
The worm’s file is a Windows application (PE EXE file) about 8 Kb in length, and is written in assembler.
Installation
When the worm is launched, it installs itself in the system and then runs its e-mail sending routine, its Win32 file infection routine and its payload routine.
While installing, the worm copies itself to the Windows directory under a random file name and writes the following values to SYSTEM.INI:
[boot]
shell=Explorer.exe %worm name%
This is done so that the worm is launched upon Windows startup (Windows 9x/ME only).
Spreading
The worm uses the “ICQ White Pages” search engine to find e-mail addresses. It sends a search query to the engine and then extracts e-mail addresses from the HTML page that contains the search results. The words for the search query are chosen from the following list:
MPB
sex
history
mp3
friends
airplane
ferrari
orgasm
friendship
fuck
love
sports
party
pussy
USA
audio

The worm sends infected messages to all e-mail addresses found. It sends them over a direct connection to an SMTP server that it selects itself.
Infected messages have an empty body, and their subject is selected from the following list:
Bin Laden toillete paper !!
Sadam hussein & BinLaden IN LOVE
Bush fucks Bin Laden hardly <:P
Is Osama Bin Laden BAD-LOVED ?
USA against Geneva Convention ?
Anthrax mail is true(not a joke)
Biological weapons: Preventing !
Fucking a mullah in Islamabad
O papel higienico do Bin Laden !
Sadam e BinLaden apaixonados
Bush fudendo Bin Laden <:P
Será que o Osama é mal-amado ?
EUA agride convençao de genova ?
Antraz pelo correio (verdade)
Armas biologicas: Previna-se !
Fudendo um mulá em Islamabad
Bin Landen Toalettpapper
Sadam hussein & BinLaden är förälskade
Bush knullar Bin Laden hårt <:P
är Osama Bin Laden inte älskad ?
Är USA emot Geneve överenskommelsen ?
Anthrax brevet existerar(det är inget skämt)
Biologiska vapen: Förhindra !
Knulla en muslim i Islamabad
papier toillette Bin Laden
Sadam & BinLaden EN AMOUR
Bush nique à donf Bin Laden <:P
Osama Bin Laden Mal Aimé ?
Usa contre la convention de Geneve?
Le courrier Anthrax existe vraiment
Arme Biologique: Préventions!
Baiser un mullah à Islamabad
Xarti toualetas Bin Landen !!
Hussein & Bin Laden, ERASTES
O Bush gamaei agria ton Bin Laden
Einai o Osama apotuximenos ston erwta?
Amerikh enantia sto synedrio tis Genova?
H epistoles me Antraka,einai gegonos
Biologika wpla: Prostasia !
Gamontas ena Moula sto Islamabad

Attachment name: BINLADEN_BRASIL.EXE
The worm exploits an IFRAME vulnerability in Microsoft Internet Explorer in its messages, so the attachment may launch automatically when an infected message is viewed.
Infecting files on local disks
The worm infects the following files in a Windows directory:
HH.EXE
NETSTAT.EXE
CALC.EXE

Also, the worm finds all programs recorded in the Windows APPLOG directory (most applications launched on the computer are registered there) and infects them. Then the worm finds the running copy of EXPLORER.EXE, terminates it and infects the file.
Infecting files on network resources
The worm enumerates network resources (remote disks and directories) and connects to them. It tries to copy itself, under a random file name, to the following directories on those resources:
\WIN
\WIN2000
\WIN2K
\WINNT
\WINDOWS
\WINXP

and registers itself in a remote system to start automatically with Windows (Windows 9x/ME only).
Payload routine
Depending on the random counter, the worm draws the following string a random number of times with a random color:
ALA DIO GOTT ZEUS JEOVA KRISHNA OXALA DIEU GOD SHIVA TUPA DIOS DEUS
and displays a message box:

Then the worm “sleeps” for 10 seconds, and disarranges the contents of the screen.
Other
The worm tries to find and close the following windows:
Antiviral Toolkit Pro
AVP Monitor
Norton AntiVirus
Zone Alarm
Freedom
Avconsol
McAfee VirusScan
Vshwin32

The worm creates the following registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Network\LanMan\BinLaden
and sets its values so that the C: drive is shared with full access from the local network.
The worm deletes the following registry key:
HKLM\System\CurrentControlSet\Services\VxD\NAVAP
and the following registry value:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Norton Auto-Protect
The worm writes all cached network passwords to %WINDOWS%\BinLaden.ini.
The worm contains the following text:
Greetz: Alevirus, Anaktos, Satanicoder, Ultras, Vecna, Z0mbie, all ppl in #vxers
And of course, Osama Bin Laden. Keep the good job with Antrhax, man !
irc.undernet.org | #vxers
www.nbk.hpg.com.br
www.coderz.net/mtxvx
Coded by NBK[MATRiX]
Every brazilian HATES USA all Just try to get Amazon FROM US

I-Worm.Timofonic

Friday, December 29th, 2006

Details
I-Worm.Timofonica

This Internet worm spreads via e-mail by sending infected messages from affected computers. While spreading, the worm uses MS Outlook and sends itself to all addresses stored in the MS Outlook Address Book. As a result, an infected computer sends as many messages as there are addresses stored in the MS Outlook Contacts list.
The worm is written in the scripting language “Visual Basic Script” (VBS). It works only on computers on which the Windows Scripting Host (WSH) is installed. In Windows 98 and Windows 2000, WSH is installed by default. To spread, the worm accesses MS Outlook and uses its functions and address lists. These are available in Outlook 98/2000 only, so the worm can spread only if one of these MS Outlook versions is installed.
When run, the worm sends its copies by e-mail and drops a Trojan program.
Spreading
The worm arrives on a computer as an e-mail message with an attached VBS file that is the worm itself. The message contains the following:
The Subject:
TIMOFONICA
Message body:
Es de todos ya conocido el monopolio de Telefónica pero no tan conocido los métodos que utilizó para llegar hasta este punto. En el documento adjunto existen opiniones, pruebas y direcciones web con más información que demuestran irregularidades en compras de materiales, facturas sin proveedores, stock irreal, etc. También habla de las extorsiones y favoritismos a empresarios tanto nacionales como internacionales. Explica también el por qué del fracaso en Holanda y qué hizo para adquirir el portal Lycos. En las direcciones web del documento existen temas relacionados para que echéis un vistazo a los comentarios, informes, documentos, etc. Como comprenderéis, esto es muy importante, y os ruego que reenviéis este correo a vuestros amigos y conocidos.
Attached file name:
TIMOFONICA.TXT.vbs
Depending on the system settings, the real extension of the attached file (“.vbs”) may not be shown. In this case, the name of the attached file is displayed as “TIMOFONICA.TXT”.
Being activated by a user (by double clicking on the attached file), the worm opens MS Outlook, gains access to the Address Book, retrieves all of the addresses, and sends messages with its attached copy to all of them. The message subject, body, and attached file name are the same as above.
In addition, for each infected message it sends, the worm sends another message to a randomly generated numeric address at the host “correo.movistar.net”, for example “639867159@correo.movistar.net”. The message contains the following:
Subject:
TIMOFONICA
Body:
informa que: Telefónica te está engañando.
“correo.movistar.net” is actually an SMS gateway that forwards e-mail as SMS messages to phone numbers; the phone number is the local part (the part before “@”) of the e-mail address.
As a result, the worm spams people with SMS messages: it sends one SMS message to a randomly selected number for each infected e-mail message, i.e. as many SMS messages as there are addresses in the address book. It also installs a Trojan program.
Installing a Trojan program
To install the Trojan program, the worm creates a “Cmos.com” file in the Windows system directory and writes code stored in the worm’s body into it. The worm then registers this file in the auto-run section of the system registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Cmos = Cmos.com
During the next Windows startup, the Trojan takes control, erases the CMOS information, and corrupts the information on the local disks.
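The autostart values registered by the Totilix variants (RunServices: ILoveBritney, Madonna32, MadonnaNT), by this worm (Run: Cmos) and the LanMan share key created by I-Worm.Toil above can all be checked in a Regedit text export. The following Python scanner is an added example, not part of the original descriptions; the sample export and the file names in it are constructed, and the assumption that a share’s directory is held in a value named Path is mine.

```python
import re

# Autostart keys named in the descriptions above (hive dropped, lower-case) and the
# value names the Totilix variants and Timofonica register under them.
AUTOSTART_KEYS = {r"software\microsoft\windows\currentversion\run",
                  r"software\microsoft\windows\currentversion\runservices"}
KNOWN_VALUE_NAMES = {"ilovebritney", "madonna32", "madonnant", "cmos"}
# Windows 9x keeps one sub-key per network share here; Toil creates "BinLaden".
SHARE_KEY_PREFIX = r"software\microsoft\windows\currentversion\network\lanman" + "\\"

# Constructed sample export; the file names in it are placeholders, not real indicators.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"ILoveBritney"="C:\\WINDOWS\\EXAMPLE_WORM.EXE"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Cmos"="Cmos.com"
"Updater"="C:\\Program Files\\Vendor\\updater.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Network\LanMan\BinLaden]
"Path"="C:\\"
"""

def parse_reg_export(text):
    """Minimal Regedit-export parser: {key: {value_name: data}}, string values only."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
        elif current and "=" in line and not line.startswith(";"):
            name, data = line.split("=", 1)
            # .reg files double the backslashes inside quoted strings; undo that.
            result[current][name.strip('"')] = data.strip().strip('"').replace("\\\\", "\\")
    return result

def find_indicators(text):
    """Return (key, value_name, reason) for entries matching the worm descriptions."""
    findings = []
    for key, values in parse_reg_export(text).items():
        path = key.partition("\\")[2].lower()          # drop the hive name
        if path in AUTOSTART_KEYS:
            for name, data in values.items():
                if name.lower() in KNOWN_VALUE_NAMES:
                    findings.append((key, name, "known worm autostart value -> " + data))
        elif path.startswith(SHARE_KEY_PREFIX):
            share = key.rsplit("\\", 1)[-1]
            shared = values.get("Path", "")             # assumption: share dir is in "Path"
            reason = "network share '%s'" % share
            if re.fullmatch(r"[a-z]:\\?", shared.lower()):
                reason += " exposes the whole drive " + shared
            findings.append((key, "Path", reason))
    return findings
```

Run `find_indicators(SAMPLE_EXPORT)` on the constructed export to see the three worm entries reported while the benign Updater value is left alone.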
The worm creates the file “C:\TIMOFONICA.TXT” with the following content:
Comentarios
all. Tarifa plana de 6000 pts/mes. Extorsión. A principio de 1.998 tras un seguimiento de su gestión se descubrieron numerosas irregularidades en su gestión, amparadas hasta el momento, en el desconocimiento que nosotros teníamos sobre Internet. Compras de materiales, que nunca apareció por ningún lado, pero si la factura del proveedor. …. Yo pienso que si Timofonica (ke a fin de kuentas es la dueña de Terra) kiere soltar dineros para una ONG, no le hace falta hacer este tipo de acto solidario, es mas, me parece misero y ridikula la kantidad de un millon de pesetas .. Son unos ridikulos de mierda, un millon de pesetas para ellos no es nada, pero un millon de hits en sus paginas mas a final de mes supone una pekeña subidita en las acciones de Terra en Bolsa. Total, ke Terra no son las Hermanitas de los Pobres (pobres monjas, kompararlas kon los chupasangres de Timofonica), NI NOSOTROS SEMOS GILIPOLLAS !!! Podran decir ke estamos obsesionados, ke tamos en kontra de Timofonika, ke protestamos por vicio, PERO ES KE EN 3 ATOS KE LLEVO EN INET SOLO LA HAN KAGADO UNA VEZ TRAS OTRA !! SI ES KE SE LO GANAN A PULSO !! Lo dicho , todo lo ke güele a Telefonica SUX, o en castellano tradicional , APESTA ! ….
Direcciones
http://www.telefonica.es/
http://www.timofonica.com/
http://100scripts.islaweb.com/scripting-timofonica.html
http://www.www2.labrujula.net/wwwboard/messages2/1165.html
http://www.tinet.org/mllistes/pc/September_1998/msg00005.html
http://area3d.area66.com/forotec/_disc1/0000015b.htm
http://wwh.itgo.com/Phreaking.htm
http://www.rcua.alcala.es/archives/ham-ea/msg00780.html
http://www.areas.org/debate/dp/2/messages/18.html
http://www.fut.es/mllistes/parlem/January_1999/msg00208.html
Visita estas páginas. Estás inivitado.
Then the worm modifies the system registry so that running any VBS file displays the content of this file in a Notepad window instead.
To restore the normal file association for VBS files, run the following command in a Command Prompt window:
WSCRIPT //H:WSCRIPT

I-Worm.Thonic

Friday, December 29th, 2006

Details
I-Worm.Thonic.b

This worm spreads via the Internet as an attachment to infected e-mail messages. The worm itself is a Windows PE EXE file. The body of the worm is encrypted and 7502 bytes in size.
The worm searches for PE files with the extensions .exe, .cpl, and .scr.
When infecting these files it writes itself to the end of the file in a section named .DCUbLmd.
It does not infect already infected files.
The worm’s code contains errors. It is unable to propagate independently.
A VBS script controls propagation via e-mail. The script is 875 bytes in size and is saved as C:\cthonic.vbs.
The executable file infects notepad.exe, and copies itself to the C: root directory as C:\snowboard_accident.avi.[75 spaces]exe
It then executes the script to mail the file snowboard_accident.avi.[75 spaces]exe.
The worm contains the following text:
-=[YoG-SoTHoTH]=-
The Ancient Ones are near !!! Fear not these latter days of humanityall
Created by -=[YoG-SoTHoTH]=- on Sept2003
HEX EDITING BIATCHs…….FUCK OFF !!!
Win32.CthonicWorm.1a by -=[Azag-TH0TH]=-
It changes the system registry
[SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
to ensure that the body of the worm is launched every time the system is started.
Infected messages:
Subject:
Hey check out this funny video my friend sent me !
Message body:
Mail Body
Attachment name:
C:\snowboard_accident.avi.[75 spaces]exe
The worm is activated when the user launches the infected file by double-clicking the attachment. Once this is done, executable system files are infected.
The worm uses Windows MAPI functions to send messages.
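Both the “.TXT.vbs” double extension used by I-Worm.Timofonica above and the whitespace-padded “.avi.[75 spaces]exe” name used here rely on the real extension not being visible to the recipient. The following Python check for deceptive attachment names is an added example, not code from the original descriptions; the extension lists and the sample names are constructed for illustration.

```python
import re
from typing import NamedTuple

# Extensions Windows executes on double-click (scripts included: WSH runs .vbs).
EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "cpl", "hta",
                   "vbs", "vbe", "js", "jse", "wsf", "wsh"}
# Extensions a recipient reads as harmless data.
DECOY_EXTS = {"txt", "doc", "xls", "rtf", "pdf", "avi", "mpg", "jpg", "gif", "zip"}

class Verdict(NamedTuple):
    suspicious: bool
    real_ext: str      # extension Windows will actually act on
    shown_ext: str     # extension left visible once the real one is hidden
    reasons: tuple

def check_attachment_name(name: str) -> Verdict:
    """Flag attachment names that disguise an executable extension.
    Covers a decoy extension in front of the real one (TIMOFONICA.TXT.vbs, where
    Explorer's "hide extensions" option leaves only .TXT visible) and whitespace
    padding before the real extension (snowboard_accident.avi. + 75 spaces + exe,
    which scrolls the real extension out of view).  A plain .exe is not flagged."""
    base = re.split(r"[\\/]", name)[-1]                   # drop any path prefix
    # Greedy (.*) stops at the LAST dot; (\s*) captures padding before the extension.
    m = re.match(r"^(.*)\.(\s*)([A-Za-z0-9]+)\s*$", base)
    if not m:
        return Verdict(False, "", "", ())
    stem, pad, real_ext = m.group(1), m.group(2), m.group(3).lower()
    shown_ext = stem.rsplit(".", 1)[-1].strip().lower() if "." in stem else ""
    reasons = []
    if real_ext in EXECUTABLE_EXTS:
        if pad:
            reasons.append("%d whitespace chars hide .%s" % (len(pad), real_ext))
        if shown_ext in DECOY_EXTS:
            reasons.append("decoy .%s in front of executable .%s" % (shown_ext, real_ext))
    return Verdict(bool(reasons), real_ext, shown_ext, tuple(reasons))

def scan_attachments(names):
    """Return {name: reasons} for every attachment name judged deceptive."""
    flagged = {}
    for n in names:
        verdict = check_attachment_name(n)
        if verdict.suspicious:
            flagged[n] = verdict.reasons
    return flagged

# Constructed sample: the two names from the descriptions above plus two benign ones.
SAMPLE_ATTACHMENTS = [
    "TIMOFONICA.TXT.vbs",
    "C:\\snowboard_accident.avi." + " " * 75 + "exe",
    "quarterly_report.pdf",
    "setup.exe",
]
```

`scan_attachments(SAMPLE_ATTACHMENTS)` reports only the first two names; a mail gateway applying this check would quarantine those and let the plain PDF and the undisguised EXE through to whatever policy governs ordinary executables.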
Mass mailing
When sending infected messages, the worm accesses MS Outlook and sends itself to all addresses harvested from the address book.
It also propagates via mIRC.

