Kaspersky Reports: The Other Ones

29 Nov 2001
Virus News

Another issue of Kaspersky Reports is here just in time for the holiday season. In this issue, we present the latest lesser known viruses.

By now, most users are familiar with Aliz and BadtransII because of their high infection level; but did you know about...?

Windows Viruses

Win32.Yerg

Macro-Viruses

Macro.Word97.Blaster

Network Worms

Worm.Bumerang
I-Worm.Kadra
IRC-Worm.Radex
I-Worm.Toil
I-Worm.Fintas
I-Worm.Paukor
I-Worm.Quamo

Security Breaches

JS.ActiveXComponent
Exploit.IFrame.FileDownload

Win32.Yerg

This is a relatively harmless, non-memory-resident, parasitic, encrypted Win32 virus. It searches for Win32 EXE applications (PE EXE files) with .EXE and .SCR file name extensions, then infects them.

Upon being run from the A: drive (floppy disk), the virus looks for victim files in the Windows system directory and in all parent directories.

For more details, see here.

Macro.Word97.Blaster

This is a dangerous macro-virus. It infects the global macro area when an infected document is opened. Other documents are infected when they are closed. The infecting routine locates the virus' procedures "Document_Close" and "Document_Open" separately, and stores them in the disk file C:\CONT.DBL. When a victim document is being infected, the infection routine adds the virus code from this file (C:\CONT.DBL) to the document without destroying the document's own macros. The only exception is macros that have the same names as the virus procedures, which makes the virus even stealthier.

For more details, see here.

Worm.Bumerang

This is a very dangerous Win32 virus-worm. The virus itself is a Windows PE EXE file about 23Kb in length (compressed by UPX, with a decompressed size of about 52K), written in Microsoft Visual C++. It spreads via the local network and infects Win32 EXE applications (PE EXE files) there. While infecting, the virus moves the beginning of the file to the file's end, then writes itself to the beginning of the file. As a result, when an infected file is started, the virus code takes control.

For more details, see here.

I-Worm.Kadra

This is a Win32 PE EXE worm that spreads in e-mail messages using the system's default MAPI client. When started, it copies itself to %WINDOWS%\Win32Dlw.EXE and %SYSTEM%\Win32Exp.EXE, then writes the following key to the registry to start automatically with Windows:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run RunExplorer=%SYSTEM%\Win32Exp.EXE

For more details, see here.

IRC-Worm.Radex

This is a virus-worm that spreads via IRC channels. The worm itself is a batch-script file about 3 Kb in length.

The worm copies itself to the following batch files:

C:\Windows\winstart.bat
C:\Windows\LINUX_SH_DOS_BAT_WIN_JS.bat
C:\Win95\LINUX_SH_DOS_BAT_WIN_JS.bat
C:\Win98\LINUX_SH_DOS_BAT_WIN_JS.bat
C:\WinME\LINUX_SH_DOS_BAT_WIN_JS.bat

The batch file drops and executes the JS file LINUX_SH_DOS_BAT_WIN_JS.JS. This JS file displays a dialogue window with the following Title/Subject:

Radix16/SMF
SH-BAT-JS

For more details, see here.
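The Kadra and Radex descriptions above each name concrete host artifacts (an autostart Run value, dropped batch and JS files). The following Python script, added here as an example and not part of Kaspersky's report or tooling, shows how a defender would check an exported snapshot (Run key entries and a file listing) for those indicators. The sample snapshot at the bottom is constructed; the heuristic that winstart.bat references the dropper's file name is an assumption, not something the report states.

```python
"""Offline indicator check for the I-Worm.Kadra and IRC-Worm.Radex
artifacts described above (example code added here, not Kaspersky's).

Inputs are passed explicitly so the check runs against a snapshot
(exported Run key entries, a file listing) rather than the live machine.
The sample data at the bottom is constructed for demonstration."""
import ntpath
import re

# Autostart value and file names written by I-Worm.Kadra (from the report).
KADRA_RUN_VALUE = "RunExplorer"
KADRA_FILES = {"win32dlw.exe", "win32exp.exe"}

# Batch/JS file names dropped by IRC-Worm.Radex (from the report).
RADEX_NAMES = {"linux_sh_dos_bat_win_js.bat", "linux_sh_dos_bat_win_js.js"}
RADEX_WINSTART = "winstart.bat"

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"


def _norm_key(key):
    # Compare registry paths ignoring case and stray whitespace.
    return re.sub(r"\s+", "", key).lower()


def check_run_entries(entries):
    """entries: iterable of (key_path, value_name, data). Returns a list of
    (family, detail) findings for Kadra-style autostart values."""
    findings = []
    for key, name, data in entries:
        if _norm_key(key) != _norm_key(RUN_KEY):
            continue
        base = ntpath.basename(data.strip('"')).lower()
        if name.lower() == KADRA_RUN_VALUE.lower() or base in KADRA_FILES:
            findings.append(("I-Worm.Kadra", f"{key}\\{name} = {data}"))
    return findings


def check_files(paths, read_text=None):
    """paths: iterable of file paths; read_text(path) returns the file's text
    or None. Flags dropped Radex/Kadra files and a winstart.bat that names
    the Radex dropper (heuristic assumption, see lead-in)."""
    findings = []
    for p in paths:
        base = ntpath.basename(p).lower()
        if base in RADEX_NAMES:
            findings.append(("IRC-Worm.Radex", p))
        elif base == RADEX_WINSTART and read_text is not None:
            text = read_text(p) or ""
            if "linux_sh_dos_bat_win_js" in text.lower():
                findings.append(("IRC-Worm.Radex", f"{p} (references dropper)"))
        elif base in KADRA_FILES:
            findings.append(("I-Worm.Kadra", p))
    return findings


# Constructed sample snapshot: one clean entry plus the indicators above.
SAMPLE_RUN = [
    (RUN_KEY, "SystemTray", "SysTray.Exe"),
    (RUN_KEY, "RunExplorer", r"C:\WINDOWS\SYSTEM\Win32Exp.EXE"),
]
SAMPLE_FILES = [
    r"C:\Windows\winstart.bat",
    r"C:\Windows\LINUX_SH_DOS_BAT_WIN_JS.bat",
    r"C:\Windows\notepad.exe",
]
# Constructed stand-in content for winstart.bat (not the worm's real script).
SAMPLE_CONTENT = {
    r"C:\Windows\winstart.bat": "@echo off\r\ncall LINUX_SH_DOS_BAT_WIN_JS.bat\r\n",
}


def scan(run_entries=SAMPLE_RUN, files=SAMPLE_FILES, content=SAMPLE_CONTENT):
    """Run both checks over a snapshot and return all findings."""
    return check_run_entries(run_entries) + check_files(files, content.get)


if __name__ == "__main__":
    for family, detail in scan():
        print(f"{family}: {detail}")
```

Registry paths are compared with whitespace and case removed, so an export that writes "Current Version" still matches; file names are matched case-insensitively because FAT volumes of that era did not preserve case reliably.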

I-Worm.Toil

This is a virus-worm that spreads via the Internet attached to infected e-mail, and infects Win32 applications on local computers and network resources. It uses the Win32.InvictusDLL library to infect files.

The structure of infected files appears as follows:

 +=====================+
 | infected            |
 | file host           |
 |                     |
 |---------------------|
 ||polymorphic code   ||
 || INVICTUS          ||
 ||                   ||
 |+-------------------+|
 ||body INVICTUS.DLL  ||
 |+-------------------+|
 ||worm body          ||
 |+-------------------+|
 +=====================+

For more details, see here.

I-Worm.Fintas (Fintas.a)

This is a virus-worm that spreads via the Internet attached to infected files. The worm itself is a Windows PE EXE file about 36Kb in length, and is written in Visual Basic Script.

The worm activates from an infected e-mail only when a user clicks on the attached file. The worm then installs itself to the system, and runs a spreading routine and payload.

Installing

While installing, the worm copies itself:

to the Windows directory, Windows system directory and C: drive root - with the `.EXE name;

to the Windows TEMP directory - with a name that depends on the worm version:

FF8.EXE
FunnyFlash.EXE

For more details, see here.

I-Worm.Paukor

This is a virus-worm that spreads via the Internet attached to infected e-mails. The worm itself is a Windows PE EXE file about 450Kb in length, and is written in Delphi. The worm has several components (main and additional) described below.

The infected messages have an attached FILES.EXE file (the worm itself), and have different text fields that are randomly selected by the worm from several variants (see below).

For more details, see here.

I-Worm.Quamo

This is a virus-worm that spreads via the Internet attached to infected e-mails. The worm itself is a Windows PE EXE file about 57Kb in length, and it is written in Visual Basic Script.

The infected messages contain differing subjects, bodies and attached-file names that are randomly selected from the following variants:

Subjects:
Something very special
I know you will like this
Yes, something I can share with you
Wait till you see this!
A brand new game! I hope you enjoy it

For more details, see here.

JS.ActiveXComponent

This is an MS Internet Explorer and Outlook security breach (com.ms.activeX.ActiveXComponent security vulnerability).

The security flaw allows remote scripts and HTML pages to access any ActiveX control installed on a victim's computer. The remote script can gain full control over the victim's computer, including the ability to read and write files on hard disks.

For more details, see here.

Exploit.IFrame.FileDownload

This exploit takes advantage of a security breach in MS Internet Explorer 5.01, 5.5 and Outlook.

Some Internet worms use this breach to activate themselves from HTML e-mail messages. Examples of such worms are: Aliz, BadtransII, Nimda, and Toil.

For more details, see here.