Kaspersky Lab Int. Newsletter

23 Nov 2000
Virus News

WINDOWS VIRUSES

  • Win32.HIV
  • WinREG
  • Win95.ZHymn

LINUX VIRUSES

  • Linux.Winter

NETWORK WORMS

  • I-Worm.Energy
  • I-Worm.PIF.Fable
  • IRC-Worm.Godog
  • I-Worm.Req
  • JS.Trojan.Seeker
  • TestWorm
  • IRC-Worm.Tetris



    WINDOWS VIRUSES

    Win32.HIV

    This is a dangerous per-process memory-resident Win32 virus that infects PE EXE files (Windows applications) and MSI archives, "upgrades" itself from the Internet, and is able to spread by e-mail. The virus is encrypted and uses "Entry Point Obscuring" technology to hide itself in infected files. The virus is about 6K in length.

    The virus uses anti-debugging tricks and halts the machine if SoftICE or another debugger is detected in the system.

    The virus also tries to disable Windows file protection. To do that, it attacks the system files responsible for file protection: it overwrites the DEFAULT.SFC file (under Win98) or SFCFILES.DLL (under Win2000) with empty data. This trick should work under Win98, but should not work under Win2000, where the system either blocks access to SFCFILES.DLL or immediately restores it from backup.

    WinREG

    This is the first known virus infecting the Windows Registry database and Registry files (.REG files). Its spreading method relies on the fact that a DOS batch command can be executed from a Registry key, and that this batch command is itself a component of the same Registry key.

    The virus itself is a single instruction in the format of Windows REG files. When this instruction is processed by the Windows REGEDIT utility, it forces REGEDIT to import a new Registry key:

    Win95.ZHymn

    This is a dangerous memory-resident Win9x virus about 20K in length, written in Assembler. The virus infects PE EXE files, writing itself into the middle of the file.

    The virus has many routines that perform different actions: it infects .EXE and .SCR Windows applications; adds infected files to RAR and ZIP archives; patches anti-virus files and memory-resident monitors; performs anti-debugging tricks; etc. The virus code is also very complex.




    LINUX VIRUSES

    Linux.Winter

    This is a harmless, non-memory-resident, parasitic Linux virus. It is extremely small for a Linux virus: just 341 bytes (in the known version).

    When an infected file is run, the virus gains control, searches for ELF files (Linux executable files) in the current directory, and writes itself into the middle of each file, into the unused "Notes" section, if there is one and it is large enough. Infection overwrites the data in the Notes section, but the host program still runs properly afterwards.

    The virus contains the text string:

    LoTek by Wintermute

    The virus has a routine that sets a host name (computer name) to "Wintermute", but this routine never gains control.
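    Overwriting the Notes section, as described above, is something a defender can check for structurally. The following added example (written for this page, not Kaspersky's code) builds a minimal ELF64 image with a PT_NOTE segment and then validates that the segment still parses as a chain of well-formed notes; it assumes that data written over the notes will not form a valid note chain, and uses the text string reported above only as a secondary indicator. Both sample images are constructed.

```python
import struct

ELF_MAGIC, PT_NOTE = b"\x7fELF", 4
MARKER = b"LoTek by Wintermute"          # text string the newsletter reports inside the virus

def build_elf_with_note(note_blob: bytes) -> bytes:
    """Construct a minimal little-endian ELF64 image whose only segment is PT_NOTE (constructed sample)."""
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8        # ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    ehdr = e_ident + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0x400000,
                                 64, 0, 0, 64, 56, 1, 64, 0, 0)  # e_phoff=64, one 56-byte phdr
    phdr = struct.pack("<IIQQQQQQ", PT_NOTE, 4, 64 + 56, 0, 0,
                       len(note_blob), len(note_blob), 4)        # note data follows the phdr
    return ehdr + phdr + note_blob

def parse_notes(blob: bytes):
    """Walk Elf64_Nhdr records (namesz, descsz, type; name/desc padded to 4); None if malformed."""
    notes, off = [], 0
    while off < len(blob):
        if off + 12 > len(blob):
            return None
        namesz, descsz, ntype = struct.unpack_from("<III", blob, off)
        name = blob[off + 12:off + 12 + namesz].rstrip(b"\0")
        desc_end = ((off + 12 + namesz + 3) & ~3) + descsz
        if namesz > 64 or desc_end > len(blob) or any(c < 32 or c > 126 for c in name):
            return None                                  # note names are short printable strings
        notes.append((name.decode(), ntype))
        off = (desc_end + 3) & ~3
    return notes

def note_segment_findings(elf: bytes):
    """Report PT_NOTE segments that carry the marker or no longer parse as a note chain."""
    assert elf[:6] == ELF_MAGIC + b"\x02\x01", "expected a little-endian ELF64 image"
    phoff, _, _, _, phentsize, phnum = struct.unpack_from("<QQIHHH", elf, 32)
    findings = []
    for i in range(phnum):
        base = phoff + i * phentsize
        p_type = struct.unpack_from("<I", elf, base)[0]
        if p_type != PT_NOTE:
            continue
        p_offset, _, _, p_filesz = struct.unpack_from("<QQQQ", elf, base + 8)
        blob = elf[p_offset:p_offset + p_filesz]
        if MARKER in blob:
            findings.append(f"PT_NOTE at {p_offset:#x} contains the marker string")
        if parse_notes(blob) is None:
            findings.append(f"PT_NOTE at {p_offset:#x} is not a well-formed note chain")
    return findings

# Constructed samples: a genuine NT_GNU_ABI_TAG note, and a note area overwritten with foreign bytes.
CLEAN_NOTE = struct.pack("<III", 4, 16, 1) + b"GNU\0" + struct.pack("<IIII", 0, 2, 6, 32)
OVERWRITTEN_NOTE = b"\xaa" * 12 + MARKER + b"\0"
```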




    NETWORK WORMS

    I-Worm.Energy

    This is an Internet worm that spreads in attached RAR archives. The worm arrives at a computer as a SETUP.EXE file inside a RAR archive attached to a message.

    When the worm is started (executed from an infected RAR archive), it copies itself to the Windows system directory under the name ENERGY.EXE, registers itself as a system service and stays in system memory. In the background, the worm then looks for processes that use the MAPI library (the e-mail library), copies itself into these processes, and hooks the MAPISendMail function. When a message with a RAR file attached is sent, the worm opens the RAR archive and copies itself into it under the name SETUP.EXE. As a result, all RAR archives sent from an infected machine contain a SETUP.EXE file with the worm body in it.

    The worm contains the text:

    [I-Worm.Energy] by Benny/29A

    I-Worm.PIF.Fable

    This is the first known Internet worm executed as a PIF file (Windows Program Information File). The worm body is a standard Windows PIF file, but with a special routine inside.

    In infected systems, the worm can be found in three different forms:

    - as a PIF file itself
    - as a DOS BAT file spreading on a local computer
    - as an INI script to spread through IRC channels

    All three of these components are the same file, but with different names and extensions. The system handles them in different ways (as a PIF file, as a DOS batch program, as an mIRC script), and their functionality differs accordingly.

    The worm also drops a VBS-script file-helper to spread by e-mail.

    IRC-Worm.Godog

    This is a worm spreading through IRC channels; the worm itself is a DOS program. When run, it copies itself to the mIRC directory (if mIRC is installed) under the name "GhostDog.exe" and creates the SCRIPT.INI mIRC script file there. That script contains instructions that send a copy of the worm to users who enter an affected IRC channel. The script also hides messages that contain the words "virus" or "worm".

    The worm's main feature is that it generates polymorphic instructions in the SCRIPT.INI file: the instructions are shuffled in order, characters are randomly upper/lowercased, and a random number of random comment lines is inserted. For example:

    n0=$40Yw840RIGlx6Amlp7G0JaZ4QTs840N
    n1=On 1^tExt^*WoRm*^*^{ /Ignore $nick | /closeMsg $NiCk }
    n2=$HyX5NMq840KBAfrpTGfj7Z0DuT5J6m840GXWb1lQcbe7V0ZpT5F5j840CTRwihMYW

    Despite their strange appearance, the script commands keep their functionality.
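    A defender looking at such a SCRIPT.INI can undo the disguise by case-folding each line and keeping only the lines that parse as mIRC events, which is what this added example does (written for this page, not Kaspersky's code). It runs over the three lines quoted above plus one constructed benign event, and accepts both mIRC's normal ':' separator and the '^' shown in the quoted lines.

```python
import re

# Constructed SCRIPT.INI fragment: the three lines quoted in the newsletter plus one
# ordinary (benign) TEXT event, so the normaliser has something legitimate to keep.
SAMPLE_SCRIPT_INI = """[script]
n0=$40Yw840RIGlx6Amlp7G0JaZ4QTs840N
n1=On 1^tExt^*WoRm*^*^{ /Ignore $nick | /closeMsg $NiCk }
n2=$HyX5NMq840KBAfrpTGfj7Z0DuT5J6m840GXWb1lQcbe7V0ZpT5F5j840CTRwihMYW
n3=on 1:TEXT:hello:#:{ /msg $chan hi $nick }
"""

# on <level>:TEXT:<matchtext>:<target>:{ commands }; mIRC separates fields with ':',
# the newsletter's rendering shows '^', so both are accepted here.
EVENT_RE = re.compile(
    r"^n\d+=on\s+[^\s:^]+[:^]text[:^](?P<match>[^:^]*)[:^][^:^]*[:^]\{(?P<body>.*)\}\s*$"
)

def normalize(script: str):
    """Case-fold every line and keep only recognisable 'on TEXT' events;
    the random comment/junk lines and the random casing fall away here."""
    events = []
    for line in script.splitlines():
        m = EVENT_RE.match(line.strip().lower())
        if m:
            events.append((m.group("match"), m.group("body").strip()))
    return events

def suppression_findings(script: str):
    """Flag TEXT events that silence the sender when a message mentions 'virus' or
    'worm', i.e. the message-hiding behaviour the newsletter describes."""
    findings = []
    for match, body in normalize(script):
        if any(w in match for w in ("virus", "worm")) and re.search(r"/(ignore|closemsg)\b", body):
            findings.append(f"on TEXT {match!r} hides matching messages: {body}")
    return findings
```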

    I-Worm.Req

    This worm spreads via e-mail by sending infected messages from affected computers. While spreading, the worm uses MS Outlook and sends itself to all addresses stored in the MS Outlook Address Book. As a result, an infected computer sends as many messages as there are addresses in the MS Outlook contacts list.

    JS.Trojan.Seeker

    This script, written in JavaScript, quietly changes the browser's home page and search page without user confirmation.

    The script uses the MS Internet Explorer 5.0 Typelib security vulnerability to create an HTA file in the Windows startup directory. This file runs automatically on the next Windows startup, and the script in it gets control.

    The script in the HTA file modifies the system Registry keys where the home page and search page addresses are specified (before modifying the keys, the script stores their values in the BACKUP1.REG and BACKUP2.REG files in the Windows directory). After that, the script deletes the HTA file (and thus itself).

    TestWorm

    This is an encrypted worm affecting Tornado BBS (Bulletin Board System) software. When run on a machine that has Tornado BBS installed, the worm looks for the BBS system file and reads the Download directory and FileList file names from it. The worm then copies itself to the Download directory under the name TESTWORM.COM and creates a reference to that file in the FileList (usually the FILES.BBS file). The reference contains the fake text:

    Internet cracker (NEW)

    The worm also contains the text:

    Misdirected Youth

    IRC-Worm.Tetris

    This is an IRC worm spreading via IRC channels. The worm itself is a Win32 application about 70Kb in size. It has two main routines, infection and game, and both are activated when an infected program is run. The first infects the computer so that it will spread copies of the worm further to IRC chats; the second is a working "Tetris" game, implemented to disguise the worm's activity: this routine emulates a real and complete "Tetris"-like game.