Prevent Online Threats

Archive for November, 2008

I-Worm.Loding

Friday, November 28th, 2008

Details
I-Worm.Loding

This is an Internet worm written in VBScript and embedded in a Web page on the Internet.
The worm infects the system when the infected page is opened with Internet Explorer 4 or later whose security level is not set to “HIGH”, so that the embedded script is allowed to run.
The script then e-mails a link to the page to every recipient in the Microsoft Outlook Address Book, attached to the following message:
Subject: “Computer Secrets !”
Message body:
If you are using Win9x/Me, visit the following page will upgrade your pc
performance. If you are not using Win9x/Me or don’t want to upgrade your
pc, only forward this page to your friends.
Maybe your friends need it.

http://xxxxxxxxx.topcities.com/xxxxxxxxxxxxx

This URL points to the infected HTML page.
The worm replicates in an unusual way: it sends only a link to itself instead of its own body, so the message carries no attachment for a mail scanner to inspect, and infection happens only when the recipient visits the page.

I-Worm.Klez

Friday, November 28th, 2008

Details
I-Worm.Klez.e

Installation
The worm copies itself to the Windows system directory under a random name beginning with “Wink”, for example “Winkad.exe”.
Infection
The worm searches the following registry key for the paths of installed applications:
Software\Microsoft\Windows\CurrentVersion\App Paths
It then tries to infect the EXE applications it finds. When infecting an EXE, the worm creates a companion file with the same name and a random extension, with the hidden, system and read-only attributes set; this file holds the original program. When the infected file is run, the worm extracts the original to a temporary file named after the original file plus “MP8” and runs it.
The worm also infects RAR archives by adding a copy of itself under a randomly generated name. The base name is selected from the following list:
setup
install
demo
snoopy
picacu
kitty
play
rock
and has either one or two extensions, the last of which is “.exe”, “.scr”, “.pif” or “.bat”.
Replication: e-mail
The subject of the infected message is either selected from the following list or is generated randomly:
Hi,
Hello,
Re:
Fw:
how are you
let’s be friends
darling
don’t drink too much
your password
honey
some questions
please try again
welcome to my hometown
the Garden of Eden
introduction on ADSL
meeting notice
questionnaire
congratulations
sos!
japanese girl VS playboy
look,my beautiful girl friend
eager to see you
spice girls’ vocal concert
Japanese lass’ sexy pictures
The worm can also build the subject of the message from the following templates:
Undeliverable mail–%%
Returned mail–%%
a %% %% game
a %% %% tool
a %% %% website
a %% %% patch
%% removal tools
where %% is one of:
new
funny
nice
humour
excite
good
powful
WinXP
IE 6.0
W32.Elkern
W32.Klez
The body of the infected message is either empty or generated from templates.
The worm builds the subject and body from the following patterns:
Subject:
A %1 %2
Body:
This is a %1 %2 %3 or %4
where %1 and %2 are filled in (depending on the chosen content) from the variants:
special WinXP game
new IE 6.0 website
funny W32.Elkern tool
nice W32.Klez patch
humour W32.Klez.E removal tools
excite
good
powful
%3 is one of the lines:
This game is my first work.
You’re the first player.

I wish you would enjoy it.
I hope you would enjoy it.
I expect you would enjoy it.
%4 is built from strings such as these:
%5 give you the %1 removal tools
%1 is a dangerous virus that spread through email.
%1 is a very dangerous virus that can infect on Win98/Me/2000/XP.
For more information,please visit http://www.%5.com
where %5 is one of:
Symantec, Mcafee, F-Secure, Sophos, Trendmicro, Kaspersky
The resulting messages may look as follows:
A special new game
This is a new game
This game is my first work.
You’re the first player.
I wish you would enjoy it.

A very funny website
This is a funny website
I hope you would enjoy it.

A very powful tool
Hello,This is a powful tool
I hope you would enjoy it.

A IE 6.0 patch
Hello,This is a IE 6.0 patch
I hope you would enjoy it.

W32.Elkern removal tools
Kaspersky give you the very W32.Elkern removal tools
W32.Elkern is a very dangerous virus that can infect on
Win98/Me/2000/XP.
For more information,please visit http://www.Kaspersky.com

W32.Klez.E removal tools
W32.Klez.E is a dangerous virus that spread through email.
Kaspersky give you the W32.Klez.E removal tools
For more information,please visit http://www.Kaspersky.com
Attached file: a Win32 PE EXE file with a random name, carrying either an “.exe” extension or a double extension.
The worm uses an Internet Explorer IFRAME vulnerability to launch automatically when an infected message is viewed, without the recipient opening the attachment.
Payload
On the 6th day of odd-numbered months, the worm runs a payload that overwrites every file it can reach on local and network disks with random content. These files cannot be recovered and must be restored from a backup copy.
Other
Depending on random and internal conditions, Klez.e attaches a randomly selected file from the local disk to its e-mails, so the message carries two attachments: 1. a copy of the worm and 2. the additional file.
The worm chooses the additional attachment from files with the following extensions:
.txt .htm .html .wab .doc .xls .jpg .cpp .c .pas .mpg .mpeg .bak .mp3
As a result, the worm can send personal or confidential documents out of the infected computer, disclosing them to every recipient.
The worm scans running processes for names containing the following strings and terminates them:
Sircam
Nimda
CodeRed
WQKMM3878
GRIEF3878
Fun Loving Criminal
Norton
Mcafee
Antivir
Avconsol
F-STOPW
F-Secure
Sophos
virus
AVP Monitor
AVP Updates
InoculateIT
PC-cillin
Symantec
Trend Micro
F-PROT
NOD32

I-Worm.Klez

Friday, November 28th, 2008

Details
I-Worm.Klez.a
This is a worm that spreads via the Internet attached to infected e-mails. The worm itself is a Windows PE EXE file about 57-65 KB in length (depending on the version), written in Microsoft Visual C++.
Infected messages have variable subjects and attachment names (see below). The worm uses an Internet Explorer security flaw (the IFRAME vulnerability) to start automatically when an infected message is viewed, without the attachment being opened.
In addition to spreading over the local network and by e-mail, the worm creates a Windows EXE file with a random name beginning with “K” (for example, KB180.exe) in a temporary folder, writes the “Win32.Klez” file-infecting virus into it and launches it. That virus infects most Win32 PE EXE files on all accessible disks.
Start-up
When an infected file is started, the worm copies itself to the Windows system folder as Krn132.exe and writes the following registry value so that it starts with Windows:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
“Krn132″ = “%System%\Krn132.exe”
where %System% is the name of the Windows system folder.
The virus then searches for running applications from the anti-virus list below and terminates them with the Windows “TerminateProcess” API:
_AVP32
_AVPCC
_AVPM
ALERTSVC
AMON
AVP32
AVPCC
AVPM
N32SCANW
NAVAPSVC
NAVAPW32
NAVLU32
NAVRUNR
NAVW32
NAVWNT
NOD32
NPSSVC
NRESQ32
NSCHED32
NSCHEDNT
NSPLUGIN
SCAN
SMSS
Replication: e-mail
The worm sends e-mail directly over SMTP. It collects addresses from the Windows Address Book (WAB) database and sends infected messages to them.
The subject of the infected message is selected randomly from the following list:
Hello
How are you?
Can you help me?
We want peace
Where will you go?
Congratulations!!!
Don’t cry
Look at the pretty
Some advice on your shortcoming
Free XXX Pictures
A free hot porn site
Why don’t you reply to me?
How about have dinner with me together?
Never kiss a stranger
The message body is the following:
I’m sorry to do so,but it’s helpless to say sory.
I want a good job,I must support my parents.
Now you have seen my technical capabilities.
How much my year-salary now? NO more than $5,500.
What do you think of this fact?
Don’t call my names,I have no hostility.
Can you help me?
Attached file: a Win32 PE EXE file with a random name that has either an “.exe” extension or a double extension:
name.ext.exe
The worm chooses the file name (name.ext) with an unusual routine. It scans all available drives for files with the following extensions:
.txt .htm .doc .jpg .bmp .xls .cpp .html .mpg .mpeg
It uses one of the file names found (name.ext) as the base name of the attachment and appends a second extension, “.exe”, giving names such as “Ylhq.htm.exe” or “If.xls.exe”.
The worm forges the “From:” field of infected messages. Depending on a random counter, it inserts either a real e-mail address it has collected or a fake, randomly generated address, so the apparent sender is usually not the infected user.
An unusual feature of the worm is that, before sending infected messages, it writes the list of collected e-mail addresses into its own EXE file.
All strings in the worm’s body (messages and addresses) are stored in encrypted form.
Replication: local and network drives
The worm enumerates all local drives and network resources to which it has write access and copies itself there under a random name of the form name.ext.exe (the name-generation routine is similar to the one used for attachment names). After copying itself to a network resource, the worm registers the copy on the remote computer as a system service.
Payload
On the 13th day of even-numbered months, the worm runs a payload that overwrites all files on all accessible disks of the victim’s computer with random content. These files cannot be recovered and must be restored from a backup copy.
Other versions
There are several variants of this worm. I-Worm.Klez.a through .d are similar to one another with minor differences.
Klez.e through .h are likewise similar with minor differences.

I-Worm.Kitro

Thursday, November 27th, 2008

Details
I-Worm.Kitro.d

Kitro is a family of Internet worms that spread by infected e-mail messages and over the Kazaa peer-to-peer network. All versions harvest e-mail addresses from the .NET Messenger contact list and send infected messages to those addresses.
Messages sent by these worms may have various subjects, bodies and attached files. They are sent over SMTP directly to the “mail.hotmail.com” server.
This version of the worm is similar to I-Worm.Kitro.b. It is a Control Panel applet, 169984 bytes in size.
Installation
The worm copies itself to the Windows directory under the following names:
PostalDeAmistad.pif
Cristo_Nos_Enseña.Doc.pif
Listado.txt.by.Microsoft.com
List.txt.by.Microsoft.com
PostalDeAmistad.pif
Facturas556.XLS.pif
EnLosAndes.pif
YaNoPuedoSerYoMismo.DOC.pif
ReparacionDeMessenger.DOC.pif
TestDeAmoryAmistad.DOC.pif
It then runs one of its copies from the Windows directory. It also picks several of its copies at random and registers them to run at Windows start-up by writing the following autorun values:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“BNexe” = (one of the file names above)
“Zonavirus” = (path to the worm’s copy)
Depending on internal conditions, the Zonavirus value may be overwritten with the current time.
The worm also copies itself to the following locations:
c:\zonavirus.Dll
C:\Bn.exe
Replication via the Kazaa network
The worm copies itself into the Kazaa shared directory, or into the root of drive C: if that directory does not exist.
Kitro also overwrites every file in the Kazaa shared directory with a copy of itself and registers one of the overwritten files to load at Windows start-up by writing the following registry value:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“KAZAAkCuF9″ = (Overwritten file’s name)
Replication via e-mail messages
The e-mail routine of this variant is similar to that of the earlier versions: the worm sends copies of itself as attachments to the recipients in the .NET Messenger contact list. The messages carrying the worm may have various subjects and bodies.
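The attachment-naming tricks described for Klez.a (name.ext.exe built from a real file name), Klez.e (a fixed base name with one or two extensions) and Kitro.d (names ending in .by.Microsoft.com, which Windows still treats as a .com executable) can all be caught at a mail gateway by looking only at the last extension. The following Python is added here as an example; it is not code from the original page or from any of the worms. The extension lists, the sample names and the block decision are assumptions built from the descriptions above.

```python
"""Attachment-name triage for the masquerading tricks described in the Klez and
Kitro entries: a document-looking inner extension followed by an executable outer
extension ("Ylhq.htm.exe"), Klez.e's fixed base names with one or two extensions,
and a trailing ".com" that reads like a domain name but is still an executable
("Listado.txt.by.Microsoft.com"). Added example, not code from the original
page; the extension lists and sample names are assumptions built from the text."""

import re
from dataclasses import dataclass
from typing import List, Optional

# Outer extensions Windows executes on double-click (assumed block list).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "bat", "com", "cpl"}
# Inner extensions a recipient would read as harmless documents or media
# (the lists Klez.a and Klez.e draw their base names from, plus a few extras).
DECOY_EXTS = {"txt", "htm", "html", "doc", "xls", "jpg", "bmp", "mpg", "mpeg",
              "wab", "cpp", "c", "pas", "bak", "mp3"}
# Klez.e base names from the description above.
KLEZ_E_BASES = ("setup", "install", "demo", "snoopy", "picacu", "kitty", "play", "rock")
_KLEZ_E_RE = re.compile(
    r"^(?:%s)(?:\.[a-z0-9]{1,4})?\.(?:exe|scr|pif|bat)$" % "|".join(KLEZ_E_BASES), re.I)


@dataclass
class Verdict:
    name: str
    outer_ext: str             # what Windows will actually do with the file
    decoy_ext: Optional[str]   # document-looking extension hidden in the name
    executable: bool
    double_extension: bool
    klez_e_pattern: bool

    @property
    def block(self) -> bool:
        # Any executable outer extension is blocked; the other flags are for alerting.
        return self.executable


def classify_attachment(name: str) -> Verdict:
    """Split on every dot: the last part is what the shell honours, anything
    in between is only there to fool the reader."""
    parts = name.strip().lower().split(".")
    outer = parts[-1] if len(parts) > 1 else ""
    executable = outer in EXECUTABLE_EXTS
    decoy = next((p for p in parts[1:-1] if p in DECOY_EXTS), None)
    return Verdict(
        name=name,
        outer_ext=outer,
        decoy_ext=decoy,
        executable=executable,
        double_extension=executable and decoy is not None,
        klez_e_pattern=bool(_KLEZ_E_RE.match(name.strip())),
    )


def blocked_names(names: List[str]) -> List[str]:
    """Return the attachment names a gateway should strip, in input order."""
    return [n for n in names if classify_attachment(n).block]


if __name__ == "__main__":
    # Constructed sample: names from the descriptions above plus benign ones.
    sample = ["Ylhq.htm.exe", "If.xls.exe", "snoopy.jpg.scr", "Facturas556.XLS.pif",
              "Listado.txt.by.Microsoft.com", "quarterly.xls", "photo.jpg", "readme.txt"]
    for n in sample:
        v = classify_attachment(n)
        flags = [f for f in ("executable", "double_extension", "klez_e_pattern") if getattr(v, f)]
        print(f"{n:32} outer={v.outer_ext or '-':4} {'BLOCK' if v.block else 'pass ':5} {' '.join(flags)}")
```

The point of splitting on every dot is that the recipient reads the inner extension while the shell honours only the outer one; a gateway that asks whether “doc” or “txt” appears anywhere in the name gets the decision backwards.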

I-Worm.Kitro

Thursday, November 27th, 2008

Details
I-Worm.Kitro.c

Kitro is a family of Internet worms that spread by infected e-mail messages and over the Kazaa peer-to-peer network. All versions harvest e-mail addresses from the .NET Messenger contact list and send infected messages to those addresses.
Messages sent by these worms may have various subjects, bodies and attached files. They are sent over SMTP directly to the “mail.hotmail.com” server.
This version of the worm is similar to I-Worm.Kitro.b. It is a Control Panel applet, either 545792 bytes or 236032 bytes (compressed) in size. Its installation routine is the same as in I-Worm.Kitro.b.
Replication via the Kazaa network
The worm copies itself into the Kazaa shared directory, or into the root directory of drive C: if that directory does not exist.
Replication via e-mail messages
The e-mail routine of this variant is similar to that of the earlier versions: the worm sends copies of itself as attachments to the recipients in the .NET Messenger contact list. The messages carrying the worm may have various subjects and bodies.

I-Worm.Kitro

Thursday, November 27th, 2008

Details
I-Worm.Kitro.b

Kitro is a family of Internet worms that spread by infected e-mail messages and over the Kazaa peer-to-peer network. All versions harvest e-mail addresses from the .NET Messenger contact list and send infected messages to those addresses.
Messages sent by these worms may have various subjects, bodies and attached files. They are sent over SMTP directly to the “mail.hotmail.com” server.
This version is intended to spread both by e-mail and over the Kazaa network; because of errors in its code, it may fail to run and replicate properly. The worm is a Control Panel applet (a file with the “CPL” extension), 236032 bytes in size.
Installation
The worm copies itself to the Windows directory and to the root directory of drive C: under a random name made of digits with a “CPL” extension (for example, “832.cpl”). It registers the copy to load at Windows start-up by writing the following registry value, which uses rundll32 to run the applet as a Control Panel item:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
“(Worm’s file name)”=”rundll32.exe shell32.dll,Control_RunDLL (Worm’s file name)”
for example,
“832.cpl”=”rundll32.exe shell32.dll,Control_RunDLL 832.cpl”
Replication
The worm reads the e-mail addresses of the .NET Messenger contacts and writes them to the files “commfig.sys” and “K32.vxd” in the Windows directory, then tries to send infected e-mails to those addresses. Because of errors in the worm’s code, it may fail to replicate.
Other
The worm tries to disable Kaspersky Anti-Virus and Panda Antivirus by modifying the Windows registry.
It also looks for windows titled ‘Panda ActiveScan – Microsoft Internet Explorer’ and tries to close them, and tries to delete files at the following locations:
(Kaspersky Anti-Virus common files path)\Bases\avp.set
C:\archiv~1\perav\pav.dll
C:\archiv~1\perav\per.dll
C:\program files\perav\pav.dll
C:\program files\perav\per.dll
(Windows directory)\vshield.vxd
(Windows directory)\system32\vshield.vxd

I-Worm.Kitro

Thursday, November 27th, 2008

Details
I-Worm.Kitro.a

Kitro is a family of Internet worms that spread by infected e-mail messages and over the Kazaa peer-to-peer network. All versions harvest e-mail addresses from the .NET Messenger contact list and send infected messages to those addresses.
Messages sent by these worms may have various subjects, bodies and attached files. They are sent over SMTP directly to the “mail.hotmail.com” server.
This version of the worm spreads only by sending itself as an e-mail attachment. The worm is an EXE file, 220160 bytes in size.
Installation
The worm copies itself to the following locations:
c:\system32.exe
c:\archiv~1\psycho.scr
The worm registers its copy in the root directory of drive C: to start with Windows by writing the following registry value:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“msn”=”c:\system32.exe”
The worm gathers .NET Messenger contacts by reading the “Allow” values from the following registry key:
[HKEY_CURRENT_USER\Software\Microsoft\MessengerService\ListCache\.NET Messenger Service]
Value names: Allow0, Allow1, and so on.
It writes all the addresses gathered into a file named kiltro.dat in the current directory. Messages sent by the worm carry an attachment named Psycho.scr. If the worm finds a copy of itself already installed on the system, it hides the system-tray window and shows some messages.
Other
The worm creates the following text files:
c:\windat.vxd
c:\windat.dll
with the following contents:
Programado en Santiago de Chile por ErGrone
(Spanish: “Programmed in Santiago de Chile by ErGrone”)

I-Worm.Kiray

Thursday, November 27th, 2008

Details
I-Worm.Kiray

This is a worm that spreads via the Internet using Microsoft Outlook. It arrives as an e-mail message with the attached file Kiray.EXE.
When the EXE file is run, the worm modifies the following registry values:
[HKCR\exefile\shell\open\command]
(Default) = “c:\windows\temp\Kiray.exe”
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
“NoDesktop” = 1
“NoDrives” = 1
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Network]
“NoNetSetup” = 1
The first change makes the worm run whenever any EXE file is launched (the new command has no “%1” placeholder, so the program the user asked for is not started); after a restart, the policy values hide all icons on the “Desktop” and the disk icons in “My Computer”.
The worm then uses MAPI to spread by e-mail, creating messages to all recipients in the Outlook address book:
Subject: Please make peace not war
Body message: The Lamers and Idiots Game
Attach: Kiray.exe

The worm also checks for the Windows Address Book (WAB) registered in the system registry at:
HKEY_CURRENT_USER\Software\Microsoft\WAB\
Finally, the worm tries to delete all files in the following directories:
c:\windows\*.*
c:\windows\system\*.*
c:\Program Files\Microsoft Office\*.*
c:\Program Files\Internet Explorer\*.*
The worm is fully functional only if the user saves the attachment to the C:\WINDOWS\TEMP directory, the path at which the worm expects to find itself. Otherwise it cannot spread correctly from the infected machine, because its message is sent without the EXE attachment.

I-Worm.Kelino

Thursday, November 27th, 2008

Details
I-Worm.Kelino

This worm spreads via the Internet attached to infected e-mails. The worm itself is a Windows PE EXE file about 12 KB long, written in assembly language.
The infected messages differ depending on the worm version:
From (two variants):
“Microsoft Support”
“Microsoft HelpBoard”

Subject: Support Message
Body (first variant):
During the last time, many bugs were found in our software. Because
of our product philosophie, we want to give our custumers as much security
as possible. So we decided to send out to all known Microsoft custumers the
NetBios patch Version 1.0 . This patch will fix all the known and possibly unknown
bugs and securityholes on port 137 and 139 .
The patch is completly free and easy to install. Our patch will install
itself after starting and run as background process. After a successfull
installation you should get an OK message box.
Thanx for using Microsoft products.

Your Microsoft Support Team

Body (second variant):
During the last time, some bugs were found in our software. Because
of our product philosophy, we want to give our customers as much security
as possible. So, we decided to send out to all known Microsoft custumers the
Security patch Version 1.0 . This patch will fix all the
bugs and securityholes on port 137 and 139 .
The patch is completly free and easy to install. Our patch will install
itself after starting and run as background process. After a successfull
installation you should get a confirmation message box.
Thank you for using Microsoft products.

Your Microsoft Support Team

Attachment:
netbiospatch10.exe
secpatch10.exe

The worm activates only if the user opens the attached file. It then installs itself on the system and runs its spreading routine and payload.
Installing
When installing, the worm copies itself to the Windows directory under one of the following names (depending on the version):
netbiospatch10.exe
secpatch10.exe

and registers the copy in the system registry auto-run key (depending on the version):
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
netpatch = netbiospatch10.exe
secpatch = secpatch10.exe

The worm then displays a fake error message:
KERNEL32 ERROR
Couldn’t execute frame buffer!

Spreading
To send infected messages, the worm collects e-mail addresses from the WAB database and connects to the default SMTP server.
The worm also sends a notification message with an empty body to its author:
From: “Kelaino”
To: kelaino@freenet.de
Subject: Slave Message

I-Worm.Kadra

Wednesday, November 26th, 2008

Details
I-Worm.Kadra

This is a Win32 PE EXE worm that spreads in e-mail messages through the system’s default MAPI client. When started, it copies itself to %WINDOWS%\Win32Dlw.EXE and %SYSTEM%\Win32Exp.EXE, then writes the following registry value to start automatically with Windows:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
“RunExplorer” = “%SYSTEM%\Win32Exp.EXE”
If the current month is September, the worm draws the following message on the screen (Bosnian/Serbo-Croatian; roughly “When everything seems to be dying, it is in fact being born!”):
Kad sve izgleda da umire,allono se ustvari radja!
Then the worm shows a message box with a ‘…’ title and the following text:
Moja jutra su sve jasnija,
Moja snaga je prodornija,
Moje rijeci silno odjekuj
Moj mac je ostriji,
Moje noci su sve hladnije.
…ali dan je blizi kad ce
ljudi shvatiti da su samo,
i nista drugo nego ono sto
sam i JA!
In English: “My mornings are ever clearer, / My strength is more penetrating, / My words echo mightily, / My sword is sharper, / My nights are ever colder. / …but the day is nearer when / people will realise that they are only, / and nothing other than what / I myself am!”

After displaying the message, the worm does nothing for 2 minutes and then sends itself to every sender of the e-mail messages stored in the default MAPI client’s inbox.
All messages sent by the worm have the following properties:

Message subject: Bin Ladenov zivot. (“Bin Laden’s life.”)
File attached: Bin Ladenov Zivot.exe
Message body: Ako jos do sada niste znali ko je Bin Laden onda vjerovatno cete naci ovaj dokument interesantnim u kojem je prikazano nekoliko vaznih momenata u, u njegovom zivotu, cak dok je jos radio pri CIA!
(In English: “If you did not know until now who Bin Laden is, you will probably find this document interesting; it shows several important moments in his life, even from when he was still working for the CIA!”)

I-Worm.Jer

Wednesday, November 26th, 2008

Details
I-Worm.Jer

This is an Internet worm that spreads through IRC channels and is also meant to spread by e-mail, but fails to do so because of bugs in its code.
Installation
The author placed the worm on a page at www.geocities.com with the title:
“<< THE 40 WAYS WOMEN FAIL IN BED”.
On 2 July 2000 the page was announced on IRC channels and received more than 1000 hits on the first day. Fortunately, the worm had a bug in its e-mail infection routine and did not spread far.
The “Jer” worm uses a primitive but very effective way of getting onto computers. The Web page contains a script (the worm itself) that is executed when a user opens the infected HTML page; the browser first warns the user and asks whether to accept the unknown script. The method exploits the user rather than the software: to get rid of the annoying prompt, the user answers “yes”, and at that moment the worm is passed to the computer.

The infected HTML page contains the VBS script in its body. When the page is opened, the script executes and the worm gains control. It creates a copy of the infected HTML page in the Windows system directory under the name JER.HTM and registers it in the autostart section of the registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\GinSenG = “JER.HTM”
As a result, the worm will be automatically executed on each Windows startup.
Spreading
The worm then looks for the C:\MIRC directory and, if it exists, creates a “SCRIPT.INI” file containing commands for the mIRC client. These commands send the infected JER.HTM file to every user who joins a channel the infected computer is on. The script also gives any IRC user who types a specific keyword access to the local disk of the infected computer, which amounts to a backdoor.
Payload
The worm also makes the following changes in the system registry:
Disables the desktop
Disables the “Find” dialog box
Disables the network properties dialog box
Removes “Shut Down” from the “Start” menu
The worm also changes the Windows registration information:
Owner: I Love You, Min
Organization: GinsengBoy- 2000
Removal
To restore the system settings, the original registry values have to be restored.
NOTE: Only experienced users should edit registry keys with the Registry Editor. Incorrect changes can cause serious problems that may require reinstalling Windows. For information about editing the registry, see the “Changing Keys And Values” online Help topic in the Registry Editor (REGEDIT.EXE).
The following values have to be removed from the registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\GinSenG
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Network\NoNetSetup
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose
The following values have to be set back to their proper contents:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Version – Windows version (for example “Windows 98″).
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner – User name (Windows registered to)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RegisteredOrganization – Organization name (Windows registered to)
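The registry changes listed in the Kiray, Jer, Kitro.b and Klez.a entries above all show up in a plain registry export. The following script is added here as an example; it is not code from the original page or from the vendor that wrote these descriptions. It parses .reg-format text and flags those patterns: an autorun value that is a bare file name (Jer’s JER.HTM) or that loads a CPL through rundll32 (Kitro.b), an exefile open command other than the stock "%1" %* (Kiray), and Explorer/Network policy values that lock the user out (Kiray, Jer). The sample export, the policy-name list and the heuristics are assumptions.

```python
"""Triage a Windows registry export (the text produced by "reg export" or
Regedit) for the persistence and lock-out settings described in the Klez.a,
Kitro.b, Kiray and Jer entries above: Run/RunOnce values that launch a Control
Panel applet through rundll32 or that are bare file names, a hijacked
exefile\\shell\\open\\command, and Explorer/Network policy values that hide the
desktop, the drives or the Find and Shut Down commands. Added example, not the
page's own code; the sample export below is constructed."""

import re
from typing import Dict, List, Union

RegValue = Union[str, int]

# Constructed .reg text: one Jer-style bare autorun, one Kitro.b-style CPL
# autorun, a Kiray-style exefile hijack, two lock-out policies and one benign entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"GinSenG"="JER.HTM"
"SoundMan"="C:\\WINDOWS\\SOUNDMAN.EXE"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"832.cpl"="rundll32.exe shell32.dll,Control_RunDLL 832.cpl"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="c:\\windows\\temp\\Kiray.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDesktop"=dword:00000001
"NoDrives"=dword:00000001
'''

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_RE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")=(?P<data>.+)$')
_RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?$")
EXEFILE_DEFAULT = '"%1" %*'          # the stock open command for .exe files
LOCKOUT_POLICIES = ("nodesktop", "nodrives", "nofind", "noclose", "nonetsetup")


def _unescape(s: str) -> str:
    # .reg strings escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def _decode(data: str) -> RegValue:
    if data.startswith('"') and data.endswith('"'):
        return _unescape(data[1:-1])
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    return data                      # hex:, expand strings etc. are left raw


def parse_reg(text: str) -> Dict[str, Dict[str, RegValue]]:
    """Map lower-cased key path -> {value name -> data}; "" is the default value."""
    keys: Dict[str, Dict[str, RegValue]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group("key").lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = m.group("name")
            name = "" if name == "@" else _unescape(name[1:-1])
            keys[current][name] = _decode(m.group("data"))
    return keys


def triage(keys: Dict[str, Dict[str, RegValue]]) -> List[str]:
    """Return one human-readable finding per suspicious value."""
    findings = []
    for key, values in keys.items():
        if _RUN_KEY_RE.search(key):
            for name, data in values.items():
                if not isinstance(data, str):
                    continue
                label = name or "(Default)"
                if "control_rundll" in data.lower():
                    findings.append(f"{key}\\{label}: autorun loads a CPL via rundll32: {data}")
                elif "\\" not in data:
                    findings.append(f"{key}\\{label}: autorun is a bare file name: {data}")
        elif key.endswith("\\exefile\\shell\\open\\command"):
            cmd = values.get("", "")
            if str(cmd).strip() != EXEFILE_DEFAULT:
                findings.append(f"{key}: .exe open command hijacked: {cmd}")
        elif key.endswith(("\\policies\\explorer", "\\policies\\network")):
            for name, data in values.items():
                if name.lower() in LOCKOUT_POLICIES and data:
                    findings.append(f"{key}\\{name}={data}: lock-out policy set")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_reg(SAMPLE_REG)):
        print(finding)
```

reg export writes UTF-16 text, so read a real export with open(path, encoding="utf-16") before passing it to parse_reg. The bare-file-name check is a heuristic: a legitimate entry can omit its path, so treat that finding as something to look at rather than as proof of infection; the exefile hijack and the policy values are much stronger signals.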

I-Worm.Ivalid

Wednesday, November 26th, 2008

Details
I-Worm.Ivalid

This is a dangerous worm that spreads via the Internet attached to e-mail messages. The worm itself is a Windows application about 12 KB in size. To spread, it uses SMTP and connects to the “mail.bezeqint.net” mail server to send infected messages.
The worm harvests victim e-mail addresses from HTML files: it searches the hard drive for *.HT* files and extracts e-mail addresses from them.
The infected messages have the following data:
From: “Microsoft Support” [support@microsoft.com]
Subject: Invalid SSL Certificate
Attach: SSLPATCH.EXE
Message text:
Hello,
Microsoft Corporation announced that an invalid SSL certificate that web sites use is required to be installed on the user computer to use the https protocol. During the installation, the certificate causes a buffer overrun in Microsoft Internet Explorer and by that allows attackers to get access to your computer. The SSL protocol is used by many companies that require credit card or personal information so, there is a high possibility that you have this certificate installed.
To avoid of being attacked by hackers, please download and install the attached patch. It is strongly recommended to install it because almost all users have this certificate installed without their knowledge.
Have a nice day,
Microsoft Corporation
On error, or once the infected messages have been sent, the worm encrypts all EXE files in the current directory and in all of its parent directories, using the standard Windows Crypto API.
The worm also contains the following text strings in its body:
I-Worm.Invalid, Written By Dr.T/BCVG Network, 2001
The Black Cat Virii Group, 2001

I-Worm.Icecubes

Wednesday, November 26th, 2008

Details
I-Worm.Icecubes.a

This is an Internet worm that spreads as an e-mail attachment. The worm itself is a Windows executable about 18 KB in length. When run from an e-mail attachment, it installs itself on the system and masks its activity with a humorous dialogue box that “configures” Windows icecubes.

When installing, the worm copies itself to the Windows system directory under the name WSOCK2.DLL (note: not WSOCK32.DLL and not WSOCK2.VXD) and infects the original WSOCK32.DLL library by appending its code to the end of the file. Windows normally keeps this library locked against writing, so the worm uses a standard trick: it copies the file as WSOCK32.INF, infects the copy, and writes a “rename” command to WININIT.INI, which replaces the original WSOCK32.DLL with the infected copy at the next Windows restart.
The worm code in the infected WSOCK32.DLL hooks the “send” function and monitors all outgoing data. When an e-mail message goes out, the worm follows it with a second message carrying an attached ICECUBES.EXE file and:
Subject: Windows Icecubes !
Text:
I almost forgot. Look at what I found on the web. This tool scans your system for hidden Windows settings, better known as -Windows Icecubes-. These secret settings were built in by the Windows programmers. I think you might want to change them a little, just take a look ! :)
The worm also logs Internet login names and passwords to the file ICECUBE.TXT in the Windows directory.
On July 1st, the worm displays the following message:
W9x.Icecubes / f0re [lz0]

Windows detected icecubes on your harddrive.
This may cause the system to stop responding.
Do you want Windows to remove all icecubes ?

I-Worm.Hybris

Wednesday, November 26th, 2008

Details
I-Worm.Hybris.a

This is an Internet worm that spreads attached to e-mail messages and runs only on Win32 systems. The worm carries components (plugins) in its code that are executed as the worm needs them, and these components can be upgraded from a Web site.
The main worm versions are encrypted with a semi-polymorphic encryption loop.
The worm contains the text strings:
HYBRIS
(c) Vecna
The Worm Runs
The worm’s main target on a computer is the WSOCK32.DLL library. When infecting this file, the worm:
writes itself to the end of the last file section
hooks the “connect”, “recv” and “send” functions
modifies the DLL entry-point address (the routine that runs when the DLL is loaded) and encrypts the original entry routine
If the worm cannot infect WSOCK32.DLL (because it is in use and locked for writing), it makes a copy of the library under a random name, infects the copy, and writes a “rename” instruction to the WININIT.INI file. As a result, WSOCK32.DLL is replaced with the infected image at the next Windows start-up.
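Both Hybris and Icecubes (above) get their infected WSOCK32.DLL into place by queuing a rename in WININIT.INI, which WININIT.EXE processes at the next Windows 9x boot, before the library is loaded and locked. A queued replacement of a networking library is therefore a useful thing to look for on a suspect Windows 9x machine. The following Python is added as an example and is not code from the page or from either worm; it parses the [rename] section and flags such entries. The sample file and the list of watched libraries are assumptions.

```python
"""Check a WININIT.INI file for the delayed-replacement trick that Icecubes and
Hybris use to get an infected WSOCK32.DLL past the file lock: on Windows 9x,
WININIT.EXE processes the [rename] section at the next boot, before the system
DLLs are loaded, moving each "destination=source" pair and deleting "NUL=path"
entries. Added example, not code from the original page; the sample INI text
is constructed and the watched-library list is an assumption."""

import ntpath
from typing import List, Tuple

# Libraries a worm would want to swap in before the network stack is up (assumed).
WATCHED_LIBRARIES = {"wsock32.dll", "wininet.dll", "winsock.dll"}

# Constructed sample: a temp-file delete, an Icecubes-style WSOCK32.DLL
# replacement, and a legitimate-looking application update.
SAMPLE_WININIT = """; constructed sample
[rename]
NUL=C:\\WINDOWS\\TEMP\\~DF2B1C.TMP
C:\\WINDOWS\\SYSTEM\\WSOCK32.DLL=C:\\WINDOWS\\SYSTEM\\WSOCK32.INF
C:\\PROGRA~1\\MYAPP\\MYAPP.EXE=C:\\PROGRA~1\\MYAPP\\MYAPP.NEW
"""


def parse_rename_section(text: str) -> List[Tuple[str, str]]:
    """Return (destination, source) pairs from [rename], in file order.
    A stock INI parser is not enough: the section may repeat the NUL key.
    The paths themselves contain no '=', so one split is safe."""
    pairs = []
    in_rename = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if in_rename and "=" in line:
            dest, src = (part.strip() for part in line.split("=", 1))
            pairs.append((dest, src))
    return pairs


def suspicious_renames(pairs: List[Tuple[str, str]]) -> List[str]:
    """Flag pending renames whose destination is a watched system library."""
    findings = []
    for dest, src in pairs:
        if dest.upper() == "NUL":
            continue                       # a delete, not a replacement
        if ntpath.basename(dest).lower() in WATCHED_LIBRARIES:
            findings.append(f"{dest} will be replaced by {src} at next boot")
    return findings


if __name__ == "__main__":
    for finding in suspicious_renames(parse_rename_section(SAMPLE_WININIT)):
        print(finding)
```

Windows NT-family systems do the same job through the PendingFileRenameOperations value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager rather than through WININIT.INI, so the same check needs a different data source there.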
The worm also creates its copy with a random name in the Windows system directory and registers it in the RunOnce registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce {Default} = %WinSystem%\WormName
or
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce {Default} = %WinSystem%\WormName
where %WinSystem% is the Windows system directory, and “WormName” is a random eight-character name, for example:
CCMBOIFM.EXE
LPHBNGAE.EXE
LFPCMOIF.EXE
There is only one possible reason for registering an additional worm copy in the “RunOnce” registry key: if WSOCK32.DLL was not infected during the first worm run and, for some reason, its infected copy was not created either, the “RunOnce” worm copy completes the task upon the next Windows restart.
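The two autostart locations named above (a RunOnce default value pointing at a random eight-letter .EXE in the system directory, and a WININIT.INI rename that would swap WSOCK32.DLL at the next boot) are easy to audit from an exported registry key and the INI file. The following is an added example, not code from the page or from the worm; the registry listing is assumed to be in `.reg` export syntax, `C:\WINDOWS\SYSTEM` is assumed as %WinSystem%, and the file names in the sample data (CCMBOIFM.EXE from the page, KMQXAPDE.DLL constructed) are sample values.

```python
"""Audit the Hybris autostart locations: RunOnce and WININIT.INI [rename].

Added example, not the page's code. The registry text follows the .reg
export syntax (assumed); the system directory is assumed for the example.
"""
import re

SYSTEM_DIR = r"C:\WINDOWS\SYSTEM"                 # assumed %WinSystem%
RANDOM_EXE = re.compile(r"^[A-Z]{8}\.EXE$", re.IGNORECASE)
REG_KEY = re.compile(r"^\[(.+)\]$")
# @="..." (default value) or "name"="..." with .reg escaping (\\ and \")
REG_VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')


def parse_reg_export(text):
    """Return {key: [(value_name, data), ...]} for string values in a .reg listing."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = REG_KEY.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, [])
            continue
        m = REG_VALUE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            data = re.sub(r"\\(.)", r"\1", m.group(2))   # undo \\ and \" escapes
            keys[current].append((name, data))
    return keys


def wininit_renames(text):
    """Return (target, source) pairs from [rename] whose target is WSOCK32.DLL."""
    renames, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "rename" and "=" in line:
            target, source = (s.strip() for s in line.split("=", 1))
            if target.lower().endswith("wsock32.dll"):
                renames.append((target, source))
    return renames


def audit(reg_text, wininit_text):
    """Return findings as (kind, detail, detail) tuples; empty list means clean."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        lowered = key.lower()
        if lowered.endswith("\\runonce") or lowered.endswith("\\run"):
            for name, data in values:
                folder, _, filename = data.strip('"').rpartition("\\")
                if folder.lower() == SYSTEM_DIR.lower() and RANDOM_EXE.match(filename):
                    findings.append(("runonce", name, filename))
    for target, source in wininit_renames(wininit_text):
        findings.append(("wininit-rename", target, source))
    return findings


# Constructed sample input for the example (not captured from a real machine).
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
@="C:\\WINDOWS\\SYSTEM\\CCMBOIFM.EXE"
"VendorSetup"="C:\\Program Files\\Vendor\\finish.exe"
'''
SAMPLE_WININIT = """[rename]
NUL=C:\\WINDOWS\\TEMP\\old.tmp
C:\\WINDOWS\\SYSTEM\\WSOCK32.DLL=C:\\WINDOWS\\SYSTEM\\KMQXAPDE.DLL
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_REG, SAMPLE_WININIT):
        print(finding)
```

The eight-uppercase-letter filename rule is a heuristic keyed to this description and will need allow-listing on real systems; the WININIT.INI rename check, by contrast, is a strong signal because nothing legitimate should replace WSOCK32.DLL that way outside of a Windows update.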
Infected WSOCK32.DLL
The worm intercepts the Windows functions that establish a network connection, including Internet connections. It intercepts the data that is sent and received and scans it for e-mail addresses. When one or more addresses are detected, the worm waits for some time and then sends an infected message to each of them.
Plugins
The worm’s functionality depends on the plugins that are stored in the worm body, encrypted with an RSA-like strong crypto algorithm with a 128-bit key. Up to 32 plugins can be found in different worm versions. These plugins perform different actions and can be updated from a Web page:

http://pleiku.vietmedia.com/bye/

so the worm’s complete functionality depends only on whoever is able to replace the plugins on that Web page. The plugins on the page are encrypted with the RSA-like crypto too.
The worm also updates its plugins by using the alt.comp.virus newsgroup. The worm, being active on a machine, connects to a news server (one of more than 70 servers in its list, selected at random), converts its plugins to newsgroup messages and posts them there. The worm’s messages have a random-looking Subject, for example:
encr HVGT GTeLKzurGbGvqnuDqbivKfCHWbizyXiPOvKD
encr CMBK bKfOjafCjyfWnqLqzSTWTuDmfefyvurSLeXGHqR
text LNLM LmnajmnKDyfebuLuPaPmzaLyXGXKPSLSXWjKvWnyDWbGH
text RFRE rebibmTCDOzGbCjSZ
where the first four characters are the plugin “name” and the following four characters are an encoded plugin “version”. As well as posting, the worm reads such messages from alt.comp.virus, obtains the plugin “name” and “version” and compares them with the plugins it currently uses. If the newsgroup has a message with a higher plugin version, the worm extracts it and replaces the existing one. So the worm uses alt.comp.virus to upgrade its plugins.
The worm also creates these plugins as disk files in the Windows system directory. They also have random names, but the worm retains the ability to locate them. The names may look as follows:
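The subject format described above (a kind tag, a four-character plugin name, then a payload whose leading four characters the description calls the encoded version) can be matched from a newsgroup header dump to spot this plugin-exchange traffic. The following is an added example, not code from the page or the worm; the version encoding is not described, so the version is kept as an opaque token, and the split of the payload into version and remainder is this example's reading of the text. The subjects are the four from the description plus constructed decoys.

```python
"""Pick out Hybris-style plugin posts from a list of newsgroup subjects.

Added example, not the page's code. The version token is opaque here; the
description does not give its encoding, so no ordering is attempted.
"""
import re
from collections import defaultdict

# kind, 4 uppercase letters (plugin name), 4 letters (encoded version), rest
SUBJECT = re.compile(r"^(encr|text) ([A-Z]{4}) ([A-Za-z]{4})([A-Za-z]*)$")


def parse_subject(subject):
    """Return the parsed fields, or None if the subject is not of this shape."""
    m = SUBJECT.match(subject.strip())
    if not m:
        return None
    kind, name, version, rest = m.groups()
    return {"kind": kind, "name": name, "version": version,
            "payload": version + rest}


def group_plugins(subjects):
    """Map plugin name -> sorted list of version tokens seen; non-matches dropped."""
    seen = defaultdict(set)
    for subject in subjects:
        parsed = parse_subject(subject)
        if parsed:
            seen[parsed["name"]].add(parsed["version"])
    return {name: sorted(versions) for name, versions in seen.items()}


SAMPLE_SUBJECTS = [
    # the four subjects quoted in the description
    "encr HVGT GTeLKzurGbGvqnuDqbivKfCHWbizyXiPOvKD",
    "encr CMBK bKfOjafCjyfWnqLqzSTWTuDmfefyvurSLeXGHqR",
    "text LNLM LmnajmnKDyfebuLuPaPmzaLyXGXKPSLSXWjKvWnyDWbGH",
    "text RFRE rebibmTCDOzGbCjSZ",
    # constructed decoys: a human reply and a wrongly shaped name
    "Re: encr HVGT what is this?",
    "text abcd notuppercase",
    # constructed: a second version token for plugin RFRE
    "text RFRE qwxzTCDOzGbCjSZ",
]

if __name__ == "__main__":
    for name, versions in sorted(group_plugins(SAMPLE_SUBJECTS).items()):
        print(name, versions)
```

Seeing more than one version token per plugin name in a short window is the update behaviour the description talks about, and a cheap thing to alert on at a news gateway.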
BIBGAHNH.IBG
DACMAPKO.ACM
GAFIBPFM.AFI
IMALADOL.MAL
MALADOLI.ALA
There are several different known plugins that:
1. Infect all ZIP and RAR archives on all available drives from C: to Z:. While infecting, the worm renames EXE files in the archive to a .EX$ extension and adds its own copy with a .EXE extension to the archive (companion method of infection).
2. Send messages with encoded plugins to the “alt.comp.virus” newsgroup, and obtain new plugins from there.
3. Spread the worm to remote machines that have the SubSeven backdoor Trojan installed. The plugin detects such machines on the Net and, using SubSeven commands, uploads a worm copy to the machine and runs it there.
4. Encrypt worm copies with a polymorphic encryption loop before sending the copy attached to an e-mail.
5. Depending on the system date and time (in known plugins: on September 16 and 24, and at minute 59 of each hour from the year 2001 on), run the “spirale” effect.
The plugin creates a random eight-character .EXE name in the Windows system directory, unpacks the “spirale effect” EXE code into it, and registers that file in the system:
under Win9x: in the WIN.INI file, on the “run=” line of the [windows] section
under WinNT: in the system registry, in the “Run=” key
6. Modify DOS EXE and Windows PE EXE files so that they become worm droppers. When run, they drop the worm EXE file to the TEMP directory and execute it.
When modifying a DOS EXE file, the plugin adds dropper code and the worm body to the end of the file. These files are disinfectable.
When modifying a Windows PE EXE file, the plugin overwrites part of the file’s code section to make room for the worm code and writes the worm dropper code into that gap (if the gap is large enough). The plugin does not touch the file header (including the entry point address) and does not increase the file size. Moreover, it has an anti-CRC (checksum) routine that fills special data into the plugin code so that the file CRC remains the same under several commonly used CRC algorithms. As a result, some integrity checkers will not detect changes in affected files: the file length and the CRC of the file body stay the same as for the clean file.
When such a PE EXE file is run, the dropper code drops and activates the worm, then restores (unpacks) the code section and returns control to the host file.
7. Randomly select a Subject, message text and attachment name when sending worm copies by e-mail:
From:
Hahaha [hahaha@sexyfun.net]
Subjects:
Snowhite and the Seven Dwarfs – The REAL story!

Branca de Neve porn?!
Enanito si, pero con que pedazo!
Les 7 coquir nains
Message texts:
C’etait un jour avant son dix huitieme anniversaire. Les 7 nains, qui avaient aidé ‘blanche neige’ toutes ces années après qu’elle se soit enfuit de chez sa belle mère, lui avaient promis une *grosse* surprise. A 5 heures comme toujours, ils sont rentrés du travail. Mais cette fois ils avaient un air coquinall
Today, Snowhite was turning 18. The 7 Dwarfs always where very educated and polite with Snowhite. When they go out work at mornign, they promissed a *huge* surprise. Snowhite was anxious. Suddlently, the door open, and the Seven Dwarfs enter…
Faltaba apenas un dia para su aniversario de de 18 años. Blanca de Nieve fuera siempre muy bien cuidada por los enanitos. Ellos le prometieron una *grande* sorpresa para su fiesta de compleaños. Al entardecer, llegaron. Tenian un brillo incomun en los ojos…
Faltava apenas um dia para o seu aniversario de 18 anos. Branca de Neve estava muito feliz e ansiosa, porque os 7 anões prometeram uma *grande* surpresa. As cinco horas, os anõezinhos voltaram do trabalho. Mas algo nao estava bem… Os sete anõezinhos tinham um estranho brilho no olhar…
Attach names:
enano.exe
enano porno.exe
blanca de nieve.scr
enanito fisgon.exe
sexy virgin.scr
joke.exe
midgets.scr
dwarf4you.exe
blancheneige.exe
sexynain.scr
blanche.scr
nains.exe
branca de neve.scr
atchim.exe
dunga.scr
anão porn?.scr
As well as (depending on the plugin version):
The message Subject is a random combination of:
Anna + sex
Raquel Darian sexy
Xena hot
Xuxa hottest
Suzete cum
famous cumshot
celebrity rape horny
leather … e.t.c.

Attach name:
Anna.exe
Raquel Darian.exe
Xena.exe
Xuxa.exe
Suzete.exe
famous.exe
celebrity rape.exe
leather.exe
sex.exe
sexy.exe
hot.exe
hottest.exe
cum.exe
cumshot.exe
horny.exe
anal.exe
gay.exe
oral.exe
pleasure.exe
asian.exe
lesbians.exe
teens.exe
virgins.exe
boys.exe
girls.exe
SM.exe
sado.exe
cheerleader.exe
orgy.exe
black.exe
blonde.exe
sodomized.exe
hardcore.exe
slut.exe
doggy.exe
suck.exe
messy.exe
kinky.exe
fist-fucking.exe
amateurs.exe
The attached file name may also be a random eight-character .EXE name, for example:
ADELHHAD.EXE
CFIMMHAG.EXE
DIEOPIDI.EXE
EABLLNEA.EXE
FKPODKFK.EXE
HJEOINHJ.EXE
OGNNFEOG.EXE
PFFCKEPF.EXE
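Plugin 1 in the list above leaves a recognisable trace in an infected archive: the original program survives as NAME.EX$ next to the added NAME.EXE. The following is an added example, not code from the page or from the worm, that flags such pairs in a ZIP; the archive is constructed in memory for the example (RAR would need a third-party reader, so only ZIP is shown).

```python
"""Flag companion-style pairs (NAME.EX$ beside NAME.EXE) in a ZIP archive.

Added example, not the page's code. The archive below is constructed in
memory so the check runs offline.
"""
import io
import zipfile


def companion_pairs(names):
    """Return stems that appear both as .EX$ and as .EXE (case-insensitive)."""
    by_stem = {}
    for name in names:
        lower = name.lower()
        for ext in (".ex$", ".exe"):
            if lower.endswith(ext):
                by_stem.setdefault(lower[:-len(ext)], set()).add(ext)
    return sorted(stem for stem, exts in by_stem.items()
                  if exts == {".ex$", ".exe"})


def scan_zip(data):
    """Scan a ZIP held in memory; return the suspicious member stems."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return companion_pairs(zf.namelist())


def build_sample():
    """Constructed sample: one member renamed to .EX$ beside a same-named .EXE."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "docs")
        zf.writestr("setup.ex$", b"MZ original program")     # renamed original
        zf.writestr("setup.exe", b"MZ added companion")      # added copy
        zf.writestr("tools/helper.exe", b"MZ untouched")     # no .EX$ twin
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_zip(build_sample()))   # ['setup']
```

A mail or file-server gateway can run `scan_zip` over attachments and block or quarantine archives where it returns anything; the pairing rule is specific enough that legitimate archives rarely trip it.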

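Plugin 6 in the list above keeps both the length and the CRC of a modified PE file unchanged, which is why CRC-based integrity checkers miss it. The following added example (not code from the page or from the worm) shows the property that makes this possible, that CRC32 is linear over GF(2) so four controlled bytes can steer a modified buffer back to any chosen CRC32, and the defensive consequence: an integrity baseline must carry a cryptographic hash, which the same change still trips. The buffer, the implanted bytes and the position of the four free bytes are all constructed for the example; nothing here is a file format or a real binary.

```python
"""Why CRC32 integrity checks miss a length-preserving patch.

Added example, not the page's code. Records a baseline of size, CRC32 and
SHA-256, then shows that a 4-byte adjustment restores CRC32 on a modified
buffer while SHA-256 still reports the change. All data is constructed.
"""
import hashlib
import zlib

POLY = 0xEDB88320  # reflected CRC-32 polynomial used by zlib / PKZIP

# Standard byte-at-a-time CRC-32 table.
TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ (POLY if c & 1 else 0)
    TABLE.append(c)

# Each table entry has a distinct top byte, so a register's top byte reveals
# which table index produced it. That is what lets the CRC be run backwards.
INV_TOP = {entry >> 24: i for i, entry in enumerate(TABLE)}
assert len(INV_TOP) == 256


def crc_forward(state, data):
    """Advance the CRC register over data (register form, no final XOR)."""
    for byte in data:
        state = TABLE[(state ^ byte) & 0xFF] ^ (state >> 8)
    return state


def crc_backward(state, data):
    """Undo crc_forward over known data: the register before those bytes."""
    for byte in reversed(data):
        i = INV_TOP[state >> 24]
        state = (((state ^ TABLE[i]) << 8) & 0xFFFFFF00) | ((i ^ byte) & 0xFF)
    return state


def solve_slot(state_before, state_after):
    """The 4 bytes that move the register from state_before to state_after."""
    idx, cur = [], state_after
    for _ in range(4):                       # walk back through 4 table steps
        i = INV_TOP[cur >> 24]
        idx.append(i)
        cur = ((cur ^ TABLE[i]) << 8) & 0xFFFFFFFF
    idx.reverse()
    out, st = bytearray(), state_before
    for i in idx:                            # replay forward to read the bytes
        out.append((st ^ i) & 0xFF)
        st = TABLE[i] ^ (st >> 8)
    assert st == state_after
    return bytes(out)


def restore_crc32(data, slot, target_crc):
    """Rewrite data[slot:slot+4] so that zlib.crc32(data) == target_crc."""
    before = crc_forward(0xFFFFFFFF, data[:slot])
    after = crc_backward(target_crc ^ 0xFFFFFFFF, data[slot + 4:])
    return data[:slot] + solve_slot(before, after) + data[slot + 4:]


def baseline(data):
    return {"size": len(data),
            "crc32": zlib.crc32(data) & 0xFFFFFFFF,
            "sha256": hashlib.sha256(data).hexdigest()}


def check_integrity(base, data):
    """Names of the baseline fields that no longer match data."""
    now = baseline(data)
    return sorted(k for k in base if base[k] != now[k])


# Constructed stand-in for a code section with some padding at the end.
ORIGINAL = bytes(range(256)) * 4 + b"\x00" * 64
_mod = bytearray(ORIGINAL)
_mod[1024:1040] = b"IMPLANTED-BYTES!"      # same-length change, constructed
MODIFIED = bytes(_mod)
SLOT = 1040                                # 4 bytes reserved to fix the CRC


def demo():
    base = baseline(ORIGINAL)
    fixed = restore_crc32(MODIFIED, SLOT, base["crc32"])
    return {"naive": check_integrity(base, MODIFIED),
            "fixed": check_integrity(base, fixed),
            "len_same": len(fixed) == len(ORIGINAL),
            "crc_same": zlib.crc32(fixed) == zlib.crc32(ORIGINAL)}


if __name__ == "__main__":
    print(demo())
```

The lesson for an integrity checker is in `check_integrity`: with only `size` and `crc32` in the baseline the patched buffer reports clean, while `sha256` still flags it. Any checker that stores a CRC (or a non-cryptographic checksum) as its only fingerprint gives no protection against a deliberate modification, exactly the gap the plugin exploits.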
