Prevent Online Threats

Archive for August, 2008

Worm.Win32.Kibuv

Tuesday, August 26th, 2008

Details
Worm.Win32.Kibuv.b

This worm spreads via the Internet and exploits a vulnerability in Windows. It also uses FTP and IRC channels to spread.
The worm itself is a Windows PE EXE file of approximately 28KB in size, packed using UPX.
It is based on the source code of Backdoor.SdBot.
Propagation
The worm scans networks and chooses random IP addresses. It then checks these addresses for RPC, LSASS and IIS 5.0 vulnerabilities. It also checks port 5554 for FTP components of Worm.Win32.Sasser, and for backdoor components left by I-Worm.Bagle.
When it finds a machine with any one of the above characteristics, the worm uses the appropriate exploit to infect the system. It then launches an ftp server on port 7955.
It also installs a backdoor on port 420 to receive remote commands. The worm enters the IRC server and waits for a command to attack. It also sends a link to itself to all new entrants to the IRC channel.

Worm.Win32.Grexo

Tuesday, August 26th, 2008

Details
Worm.Win32.Grexon

Grexon is a local area network (LAN) worm. It copies itself to logical drives (local and network), as well as encodes network resources where it copies itself. The worm file size is about 7KB.
When the worm is run it copies itself to the Windows temporary directory under the name “grex.exe” and registers this file in the system registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Grex = %TempDir%\grex.exe

While infecting drives (logical and network) the worm copies itself to them under the following names:
NOPE.EXE : to Windows Startup directory (if exists)
REGEDIT.EXE : to Windows directory (if exists)

While infecting network drives the worm affects their following resources:
\C$
\D$
\IPC$

In case the victim resource is not open for full access the worm tries to connect to it with a password:
user name
the strings “123”, “111”, “12345”, “00”
cached Windows passwords
strings found in registry keys:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Network\LanMan

Payload
When this worm is run from the REGEDIT.EXE file it displays the message:
LOADER ERROR
File corrupted !

Depending on a random counter the worm either:
exits Windows
displays the message:
ERROR
Kernel data corrupted !

Worm.Win32.Flemin

Tuesday, August 26th, 2008

Details
Worm.Win32.Fleming
Fleming is a malicious program that steals CD-Key information from the “Counter-Strike” and “Half-Life” games. It invites users to download this trojan program using Windows (.NET) Messenger. It also tries to download and install other malicious software from the Internet.
General Information
The worm program is a 32-bit Windows application (EXE file) written in Visual Basic; its size is 53248 bytes.
Fleming doesn’t install itself into the victim system; it runs only when it is executed by the victim (for example, by double-clicking its icon in Windows Explorer).
Payload
The worm program tries to download and execute two files located on the Internet at

http://home.no.net/downl0ad/

The files are downloaded and saved to the following locations:
C:\update35784.exe
C:\hehe2397824.exe
Next, the worm connects to Windows (.NET) Messenger and waits for incoming messages. If it receives proper messages from styggefolk@hotmail.com, it sends a response containing “Half-Life” and “Counter-Strike” CD-Key information.
Fleming searches for all Windows (.NET) Messenger contacts, and sends each entry the following message:
Worm.Win32.Fleming’s Windows Messenger Message:

Worm.Win32.Fasong

Tuesday, August 26th, 2008

Details
Worm.Win32.Fasong.a
Fasong is a worm virus spreading via local area networks. The worm itself is a Windows PE EXE file about 170KB in length and is written in Delphi. The worm has a trojan routine (see below).
Installing
While installing, the Fasong worm copies itself to randomly selected directories on randomly selected drives, using randomly selected EXE names, for example:
GMLKU.EXE
TKXMLIB.EXE
LUFV.EXE

The worm registers these files in the system registry auto-run key:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
%rndname%.EXE = %rndname%.EXE

for example:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
GMLKU.EXE = C:\UTIL\GMLKU.EXE

The worm also affects other auto-run keys: it writes references to its different copies to the following keys:
HKCR\chm.file\shell\open\command (default value = “hh.exe” %1)
HKCR\exefile\shell\open\command (default value = “%1 %*”)
HKCR\inifile\shell\open\command (default value = “notepad.exe %1”)
HKCR\regfile\shell\open\command (default value = “regedit.exe %1”)
HKCR\scrfile\shell\open\command (default value = “%1 /S”)
HKCR\txtfile\shell\open\command (default value = “notepad.exe %1”)

Spreading
The worm copies itself to all local drives with randomly selected EXE names. The worm also copies itself to network drives. To run itself on remote machines Fasong also creates the autorun.inf file in the drive root directory and writes the [autorun], OPEN= command to this file.
Trojan Routine
The trojan routine gets personal information from OICQ and some other Chinese programs, and then it sends emails containing personal data from victim machines to its master.
Other
The Fasong worm creates the following registry key entry, where it stores its internal data:
HKLM\Software\Microsoft\Windows\CurrentVersion\win70

Fasong tries to detect and terminate the active functioning of several anti-virus programs and firewalls.
Fasong looks for the Msread.dt file and reads its internal settings from that file. The settings are text strings such as:
workfile
mima_wenjian
fasong_youxiang
yonghu_ming
youxiang_mima
fasong_zhuti
fanggai_mima
smtp_fuwuqi
auto_share

Worm.Win32.Eyeveg

Tuesday, August 26th, 2008

Details
Worm.Win32.Eyeveg.g
This worm spreads via the Internet as an attachment to infected emails. It also spreads via open network resources. It sends itself to email addresses harvested from the infected computer. It is written in Visual C++ and packed using UPX. The program has two files: an executable (EXE) file and a…

Worm.Win32.Eyeveg

Tuesday, August 26th, 2008

Details
Worm.Win32.Eyeveg.f
This worm is written in Visual C++ and is made up of two files, an executable file (EXE) and a dynamic link library (DLL), which is found within the EXE file. The EXE file is packed using UPX, and it is 80384 bytes in size. The DLL file is 77824 bytes in size.
Installation
The worm copies itself…

Worm.Win32.Eyeveg

Monday, August 25th, 2008

Details
Worm.Win32.Eyeveg.b
This worm is written in Visual C++ and packed using UPX. The file is 41480 bytes in size.
Installation
The worm copies itself to the system directory under a random name which consists of six characters. It then registers this file in the system registry:…

Worm.Win32.Doomjuice

Monday, August 25th, 2008

Details
Worm.Win32.Doomjuice.b
This worm spreads via the Internet, using computers infected by I-Worm.Mydoom.a and I-Worm.Mydoom.b to propagate.
Installation
On launching, the worm copies itself to the Windows system directory under the name regedit.exe and registers this file in the system registry auto-run key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NeroCheck = %system%\regedit.exe
The worm creates the unique identifier _sncZZmtx_133 to show its presence in memory.
Propagation
To propagate, the worm utilizes computers infected by Mydoom.a and Mydoom.b. The worm connects to TCP port 3127, which has been opened by shimgapi.dll, the backdoor component of Mydoom, to receive commands. If the infected computer answers the command, then Doomjuice establishes a connection and sends a copy of itself. The backdoor component of Mydoom accepts the file and executes it.
To determine which IP addresses to attack, the worm uses the following formula: (A.B.C.D)
The first value in the address (A) is selected from the following list:
3, 4, 6, 8, 9, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 24, 25, 26, 28, 29, 30, 32, 33, 34, 35, 38, 40, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 61, 62, 63, 64, 65, 66, 67, 68, 80, 81, 128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 160, 161, 162, 163, 164, 165, 166, 167, 168, 169, 170, 171, 172, 173, 174, 175, 176, 177, 178, 179, 180, 181, 182, 183, 184, 185, 186, 187, 188, 189, 190, 191, 193, 194, 195, 196, 198, 199, 200, 201, 202, 203, 204, 205, 206, 207, 208, 209, 210, 211, 212, 213, 214, 215, 216, 217, 218, 219, 220, 225, 226, 227, 228, 229, 230, 231, 232, 233, 234, 235, 236, 237, 238, 239

The second (B) and third (C) values are randomly generated by the worm. The final value (D) will be a number between 0 and 254, with values being selected in sequence.
DoS attack
The worm checks the system date, and if the current date is between the 8th and the 12th of the month, the DoS attack function will not be launched. The worm will not launch any DoS attack in January. However, in all other months and on all other dates the worm will launch a DoS attack on the www.microsoft.com site. To carry out the DoS attack, the worm sends multiple GET commands with the following parameters:
GET / HTTP/1.1
Accept: */*

Accept-Language: en-us or Accept-Language: en

Accept-Encoding: gzip, deflate or blank

User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT 5.0) or
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) or
User-Agent: Mozilla/4.0

Host: www.microsoft.com:80

Worm.Win32.Doomjuice

Monday, August 25th, 2008

Details
Worm.Win32.Doomjuice.a
This worm spreads via the Internet, using computers infected by I-Worm.Mydoom.a and I-Worm.Mydoom.b to propagate. It is approximately 35KB in size, compressed using UPX. The size of the decompressed file is approximately 43 KB.
Installation
On launching, the worm copies itself to the Windows system directory under the name intrenat.exe and registers this file in the system registry auto-run key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“Gremlin” = “%system%\intrenat.exe”
The worm extracts a file named sync-src-1.00.tbz from itself, and copies this file to the root directory, the Windows directory, the Windows system directory and to user directories in Documents and Settings.
This file is a tar archive which contains the full source text of I-Worm.Mydoom.a.
The worm creates the unique identifier sync-Z-mtx_133 to show its presence in memory.
Propagation
To propagate, the worm utilizes computers infected by Mydoom.a and Mydoom.b. The worm connects to TCP port 3127, which has been opened by shimgapi.dll, the backdoor component of Mydoom, to receive commands. If the infected computer answers the command, then Doomjuice establishes a connection and sends a copy of itself. The backdoor component of Mydoom accepts the file and executes it.
In order to choose IP addresses to attack, the worm uses the following formula: (A.B.C.D)
The first value in the address (A) is selected from the following list:
3, 4, 6, 8, 9, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 24, 25, 26, 28, 29, 30, 32, 33, 34, 35, 38, 40, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 61, 62, 63, 64, 65, 66, 67, 68, 80, 81, 128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 160, 161, 162, 163, 164, 165, 166, 167, 168, 169, 170, 171, 172, 173, 174, 175, 176, 177, 178, 179, 180, 181, 182, 183, 184, 185, 186, 187, 188, 189, 190, 191, 193, 194, 195, 196, 198, 199, 200, 201, 202, 203, 204, 205, 206, 207, 208, 209, 210, 211, 212, 213, 214, 215, 216, 217, 218, 219, 220, 225, 226, 227, 228, 229, 230, 231, 232, 233, 234, 235, 236, 237, 238, 239

The second (B) and third (C) values are randomly generated by the worm. The final value (D) will be a number between 0 and 254, with values being selected in sequence.
DoS attack
The worm determines the system date, and if the date is between the 1st and the 11th of the month, the worm carries out a modified DoS attack on the site www.microsoft.com. One GET command will be sent to port 80, and then repeated at random intervals. If the date is the 12th of the month or later, the commands will be sent without a break.

Worm.Win32.Dato

Monday, August 25th, 2008

Details
Worm.Win32.Datom

This is a network worm. It replicates via shared network resources. The worm consists of 3 different files:
MSVXD.EXE
MSVXD16.DLL
MSVXD32.DLL

The first component, MSVXD.EXE, activates the worm by loading the MSVXD16.DLL library. In turn, MSVXD16.DLL loads the MSVXD32.DLL component, which performs the worming operations.
Replication
The worm searches for available network resources and tries to connect to their host computers. If the connection is successful, the worm then searches for a shared directory that appears to be the Windows directory: it tries the “WinNT” name, and also tries to read the “WinDir” section in the MSDOS.SYS file (if it exists and is available). Then the worm copies all its components to the remote Windows directory, and sets MSVXD.EXE up to start with Windows automatically: if there is a file called “Win.ini” in the remote Windows directory, it writes the “MSVXD.EXE” string in the “Run” section of this file; otherwise it creates a link file pointing to MSVXD.exe and called “VxD Manager.lnk” in the common (“All users”) Startup directory on the remote computer.
Other
The worm searches for the presence of the ZoneAlarm firewall, and tries to terminate its active instances. It also tries to send “notification” e-mail messages to one of two different addresses that may belong to the author of the worm. These messages contain information about the infected system.

Worm.Win32.Dabber

Monday, August 25th, 2008

Details
Worm.Win32.Dabber.a

This worm spreads via the Internet using a vulnerability in the FTP component of Worm.Win32.Sasser.
The worm itself is a Windows PE EXE file, 29696 bytes in size, packed using UPX.
Installation
When installing, the worm copies itself to the Windows system directory under the name package.exe
c:\Documents and Settings\All Users\Start Menu\Programs\Startup
%windir%\All Users\Main menu\Programs\StartUp
The worm registers this file in the system registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
“sassfix” = “%System%\package.exe”
The worm searches the system registry for the following keys installed by Sasser:
avserve2.exe
avvserrve32
avserve
skynetave.exe
and deletes them. It also searches for and deletes keys installed by other worms:
Video
Microsoft Update
Drvddll.exe
Drvddll_exe
drvsys
drvsys.exe
ssgrate
ssgrate.exe
lsasss
lsasss.exe
Taskmon
Gremlin
Window
Video Process
TempCom
SkynetRevenge
MapiDrv
BagleAV
System Updater Service
soundcontrl
WinMsrv32
drvddll.exe
navapsrc.exe
Generic Host Service
Windows Drive Compatibility
windows
The worm scans networks for random IP addresses, searching for victim machines which have the ftp component of Sasser installed on port 5554.
When the worm finds a suitable victim machine, it sends a vulnerability exploit to it to infect the system. It then launches the command shell on port 8967. It also installs a backdoor on port 9898 to receive external commands.

Worm.Win32.Cycle

Sunday, August 24th, 2008

Details
Worm.Win32.Cycle.a

Cycle is an Internet worm that exploits the LSASS vulnerability in MS Windows described in MS Security Bulletin MS04-011.
Microsoft released a patch for this vulnerability on April 13, 2004 – available at the above link.
Cycle affects computers running Windows 2000, Windows XP and Windows Server 2003.
The worm is written in C++ and is about 10 KB (packed by UPX).
Propagation
Upon launching Cycle copies itself into the Windows system folder under the name ‘svchost.exe’ and registers itself in the following autorun keys:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“Generic Host Service” = “%windir%\system\svchost.exe”
The worm also creates the file cyclone.txt in the Windows folder. This file contains the following letter to the global community from the author of the worm:
—-
Hi,
My name is Cyclone and I live in Iran,
and I want to speak with you about problems that we have in iran:
A.In Iran we don’t have any kind of freedom, because we have islamic republic in iran:
1.we can’t speak freely about regime, we can’t speak even a little bit against them!!!
2.I have to be a moslem otherwise they don’t care about me!
3.we CAN’T even wear the clothes and styles that we wants!
4.women MUST wear a cloth that no one can even see their hair!!!
5.they do not allow our national celebrations to be held, they beat us!!
6.Many more…
B.The human rights is not implemented in Iran and there is no justice,
1.Lynch is very common in Iran. If you are against the regime then you may silently killed, or if there is a tribunal, you can’t say anything, everyone works against you there.
2.1985-1990, the Islamic Republic of IRAN has been killed more than 10,000 Iranian youngs. that has been comfirmed by the documentations! This people killed without any tribunal or any proof.
3.there is a punishment that is used so much during this years, in this punishment, the person who must be killed stand in a hole then others attack him with stones, this will continue until he/she dead. there is some pictures and videos that shows this terrible torture!
4.Many more…
C.Misery and poverty grows in Iran, because the islamic republic leaders steal the money, they stolen the money that provided by selling oil, and then the people must die because they don’t have enough money to even buy a bread!!!
D.Misery and poverty cause vice to grow, you see many young people in Iran using drugs and I think this is also a trick by the government to not allow us to arise against them!
E.Islamic republic gave Iran a bad name. before islamic republic we can travel anywhere in the world without any problem but now we have so much problems if we want to travel a foreign country, anyone think that we are terrorist. THE PEOPLE OF IRAN ARE NOT TERRORIST, THE ISLAMIC REPUBLIC OF IRAN IS TERRORIST.
The people of Iran trying to arise, but failed to do. About one year ago, Iranian people try to say to the world that we don’t need Islamic republic but the government and police beat the people who try to tell the truth and they killed some people.
You see that they don’t even care about their own people, think what happen if they gain access to an ATOMIC BOMB!!! it’s very dangerous for the world.
With all of this conditions and injustices, european governments still support islamic republic, they say that they just care about their own country!
and I want to show them our WRATH!
All of the european people are my friends and I never want to harm them, just government and the Politicians!
If you protest against iraq war and say why there must be a war against iraq, and if you do this for humanity, please do anything that you can do for helping iranian people.
at least make your country not to support islamic republic anymore, I’m deadly sure that if european countries do not support islamic republic. it will be destroyed after 3-6 months!
so please help!
I don’t want to damage, I just want my country to grow, to improve!!! I have no other way to tell this words to world, sorry!!

The worm is built to fight against Internet worms Sasser and Lovesan. It creates unique identifiers in the RAM that match identifiers created by Sasser, thus preventing Sasser infections.
Jobaka3
Jobaka3l
JumpallsNlsTillt
SkynetSasserVersionWithPingFast
Cycle attempts to detect and stop the processes with names from the following list:
avserve.exe
avserve2.exe
msblast.exe
skynetave.exe
Cycle deploys an FTP server on TCP port 69, launches 4 IP address scans searching for potential victim machines and sends requests to TCP port 445. If a remote machine allows a connection, Cycle sends the LSASS exploit, which installs a cmd.exe command shell on the victim machine.
The worm then forwards commands to load and launch itself to the infected machine. The file containing the worm after being forwarded is named cyclone.exe.
Other
After infection, victim machines launch a notice about an LSASS service failure and may attempt to reboot.
In addition, Cycle attempts to initiate a DoS attack on irn.com and www.bbcnews.com every day in May except Sundays.

Worm.Win32.Busa

Sunday, August 24th, 2008

Details
Worm.Win32.Busan
The Busan worm spreads through networks by copying itself to all accessible network resources. The worm is a Windows application (PE EXE file) that is compressed with UPX and is 14KB in size. Its code is written in the C++ programming language.
When run, the worm sends out a message via ICQ to the UIN of the author, and then proceeds to copy itself to the Windows directory under the name files32.sys. The Busan worm also copies to the Windows directory a file named mh32.dll, which is a keyboard ‘interceptor’. Then the worm tries to copy itself under the name auto.exe to the following directories:
C:\WINDOWS\All Users\Start Menu\Program Files\StartUp
C:\WINDOWS\All Users\?’ ?-R? ?-Ï\?ÁR?Á Ì\??×R ?ÁÇ?
Because of a mistake in its code it fails to successfully copy itself to the above directories. Busan then probes IP-addresses and copies itself to all accessible network resources.
Next the worm registers itself in the system registry key:
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="files32.sys \"%1\" %*"

This entry causes the worm to be run anew each time any EXE-file is opened.
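A check for the file-association hijack described in the Fasong and Busan entries, as an added example that is not part of the original write-ups: it reads `reg export` text and reports every `shell\open\command` handler that differs from the defaults listed in the Fasong entry. The function names and the sample export are constructed for illustration.

```python
import re

# Default handler commands as listed in the Fasong entry on this page.
PAGE_DEFAULTS = {
    "chm.file": '"hh.exe" %1',
    "exefile": "%1 %*",
    "inifile": "notepad.exe %1",
    "regfile": "regedit.exe %1",
    "scrfile": "%1 /S",
    "txtfile": "notepad.exe %1",
}

# Constructed sample in `reg export` text form (not taken from a real host).
SAMPLE_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="files32.sys \"%1\" %*"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\UTIL\\GMLKU.EXE %1"

[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="regedit.exe \"%1\""

[HKEY_CLASSES_ROOT\scrfile\shell\open\command]
@="\"%1\" /S"

[HKEY_CLASSES_ROOT\inifile\shell\open\command]
@="C:\\WINDOWS\\system32\\NOTEPAD.EXE %1"
"""

SECTION = re.compile(
    r"^\[(?:HKEY_CLASSES_ROOT|HKCR)\\([^\\\]]+)\\shell\\open\\command\]$", re.I)
DEFAULT_VALUE = re.compile(r'^@="(.*)"$')


def parse_handlers(reg_text):
    """Map file class -> default (@) value of its shell\\open\\command key."""
    handlers, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        section = SECTION.match(line)
        if section:
            current = section.group(1).lower()
        elif line.startswith("["):
            current = None  # some other key: ignore its values
        elif current:
            value = DEFAULT_VALUE.match(line)
            if value:
                # .reg files escape quotes and backslashes with a backslash
                handlers[current] = re.sub(r"\\(.)", r"\1", value.group(1))
    return handlers


def normalise(command):
    """Drop quoting and case, and reduce the program token to its file name.

    Limitation: a copy named notepad.exe in another directory still matches,
    so the full path in the report should be reviewed as well.
    """
    match = re.match(r'\s*(?:"([^"]*)"|(\S+))\s*(.*)$', command)
    if not match:
        return ""
    program = match.group(1) if match.group(1) is not None else match.group(2)
    program = program.replace("/", "\\").rsplit("\\", 1)[-1]
    return " ".join((program + " " + match.group(3)).replace('"', "").lower().split())


def find_hijacks(reg_text):
    """Return (class, found_command, expected_command) for altered handlers."""
    hits = []
    for file_class, found in sorted(parse_handlers(reg_text).items()):
        expected = PAGE_DEFAULTS.get(file_class)
        if expected is not None and normalise(found) != normalise(expected):
            hits.append((file_class, found, expected))
    return hits


if __name__ == "__main__":
    for file_class, found, expected in find_hijacks(SAMPLE_EXPORT):
        print(f"{file_class}: found {found!r}, expected {expected!r}")
```

On the constructed export, the `exefile` and `txtfile` handlers are reported; the `regfile`, `scrfile` and `inifile` entries differ from the listed defaults only in quoting or path and are accepted.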
While running the worm collects all accessible names and passwords to the mail boxes registered in the system and stores them in the C:\WINDOWS\lmhost.log file. After this is done Busan tries to send this file to the malefactor (worm’s master). The same file contains a complete record of keyboard strokes recorded by the keyboard interceptor represented by the file mh32.dll.
The Busan worm tries to download a file named worm31.bmp from an Internet web-site but cannot as the page has since been removed.

Worm.Win32.Bize

Sunday, August 24th, 2008

Details
Worm.Win32.Bizex
This worm uses the Internet instant messaging system ICQ to spread via the Internet.
The worm sends ICQ users a message with a URL, which is linked to a file which contains procedures to automatically download and execute the malicious component of the worm on the victim computer.
Propagation
On connecting to the site

http://www.jokeworld.xxx/xxx.html

(x here is used to replace certain characters) the CHM-exploit-a is used. The result of this is that a specially constructed CHM file is automatically executed on the victim computer. This file contains another file named ‘iefucker.html’; this file contains TrojanDropper, a type of Trojan written in script language. This Trojan extracts a file named WinUpdate.exe from itself to a range of system directories.
In Windows 2000 and Windows XP:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinUpdate.exe
and in Windows 98:
c:\windows\Start Menu\Programs\Startup\WinUpdate.exe
WinUpdate.exe is a Trojan program of the TrojanDownloader group, which downloads the main component of the worm from a remote site, and writes it to the temporary directory under the name aptgetupd.exe.
Main component
Aptgetupd.exe is a PE EXE file, approximately 84KB (86528 bytes) in size, packed using PECompact.
Once executed, the worm copies itself under the name sysmon.exe to the SYSMON sub-directory in the Windows system directory, and registers this file in the system registry auto-run key:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
“sysmon” = %system%\sysmon\sysmon.exe
The worm has a theft function which enables it to steal information relating to a range of financial services:
Acceso a Banca por Internet
Accueil Bred.fr > Espace Bred.fr
American Express UK – Personal Finance
Banamex.com
baNK
Banque
Banque en ligne
Barclaycard Merchant Services
Collegamento a Scrigno
Commercial Electronic Office Sign On
Credit Lyonnais interacti
CyberMUT
E*TRADE Log On
e-gold Account Access
Home Page Banca Intesa
LloydsTSB online – Welcome
Merchant Administration
Page d’accueil
Secure User Area
SUNCORP METWAY
Tous les produits et services
VeriSign Partner Manager
VeriSign Personal Trust Service
Wells Fargo – Small Business Home Page
It also steals data transmitted by HTTPS, relating to accounts of a variety of mail services such as Yahoo, etc.
All stolen information is saved in the files ~pass.log, ~key.log and ~post.log and is sent by FTP to a remote server: www.ustrading.info
The worm extracts a number of .dll files from itself and installs them in the Windows system directory:
java32.dll
javaext.dll
icq_socket.dll (library used to send messages via ICQ)
ICQ2003Decrypt.dll (ICQ library)
The worm gains access to the ICQ contact list, disconnects the ICQ client which has been launched, connects to the server under the name of the user of the infected machine, and sends all contacts found a link to its own site.
Other
In addition to the CHM exploit, when the link is opened, an attempt will be made to download and execute a Java archive, which contains a range of TrojanDownloaders (detected as Trojan.Java.ClassLoader and TrojanDownloader.Java.OpenConnection) which also attempt to download the components of the worm to the victim computer.

