The Kaspersky Lab Electronic Newsletter #27

23 Jul 2002
Virus News

Network Worms

  • I-Worm.Calil
  • Worm.Win32.Datom
  • I-Worm.Kitro (Family)
  • I-Worm.Kitro.a
  • I-Worm.Kitro.b
  • I-Worm.Kitro.c
  • I-Worm.Kitro.d
  • Worm.Win32.Ladex
  • Worm.P2P.Surnova
  • I-Worm.Tettona
  • I-Worm.Scalper
  • Worm.Win32.Nople

    Windows Viruses

  • Win32.HLLW.Juegos
  • Win32.Perrun
  • Win2K.Team

    Macro Viruses

  • Macro.Word.Xenixos


    Network Worms

    I-Worm.Calil
    Calil is an Internet worm. It spreads via the Internet as an attachment to infected e-mail messages. The worm sends messages with the following properties:
      Subject: FW:FW: LILAC project video attach
      Attachment name: LILAC_WHAT_A_WONDERFULNAME.avi.exe
      Size of attachment: 12208 bytes
      Message body: Things that the govt. dont want you to know

    Worm.Win32.Datom
    Datom is a network worm. It replicates via shared network resources. The worm consists of three files:
      MSVXD.EXE
      MSVXD16.DLL
      MSVXD32.DLL
    The first component, MSVXD.EXE, activates the worm by loading the MSVXD16.DLL library. In turn, MSVXD16.DLL loads the MSVXD32.DLL component, which performs the worm's replication routines.

    I-Worm.Kitro (Family)
    Kitro is a family of Internet worms. They spread via infected e-mail messages and the Kazaa peer-to-peer network. All versions of the worm obtain e-mail addresses from the .NET Messenger contact list and send infected messages to those addresses. The messages may have different subjects, bodies, and attached files; they are sent by direct SMTP access to the "mail.hotmail.com" server.

    I-Worm.Kitro.a
    Kitro.a spreads only by sending itself as an e-mail attachment. The worm is an EXE file of 220160 bytes.

    I-Worm.Kitro.b
    Kitro.b is intended to spread both via e-mail messages and the Kazaa network. Due to errors in its code, the worm may fail to execute and replicate properly. It is a Control Panel applet (a file with the ".CPL" extension) of 236032 bytes.

    I-Worm.Kitro.c
    Kitro.c is similar to I-Worm.Kitro.b. It is a Control Panel applet of either 545792 bytes or 236032 bytes (packed variant). Its installation routine is identical to that of I-Worm.Kitro.b.

    I-Worm.Kitro.d
    Kitro.d is similar to I-Worm.Kitro.b. It is a Control Panel applet of 169984 bytes.

    Worm.Win32.Ladex
    Ladex is a network worm that works correctly only under Windows NT/2000/XP. It spreads over local networks. The worm is a Windows PE EXE file of about 275KB, written in Microsoft Visual C++.
    Payload: the worm starts the "joke" program LADY.EXE, which displays a set of crawling flies that can be "killed" with the mouse cursor.

    Worm.P2P.Surnova
    Surnova is a worm that replicates using Windows Messenger and the Kazaa network software: it copies itself to the Kazaa shared folder and sends copies of itself via Windows Messenger.

    I-Worm.Tettona
    Tettona is a worm that spreads via the Internet as an attachment to infected e-mail messages. The worm also has a backdoor routine. The worm itself is a Windows PE EXE file about 35KB in length (compressed with Petite; the decompressed size is about 75KB), written in Microsoft Visual C++. The texts and attachment names in infected messages vary; they depend on the current date and on whether Italian language support is present. Subjects include:
      Incredible..
      Incredibile..
      Urgente! (vedi allegato)
      Qualsiasi cosa fai,falla al meglio.

    I-Worm.Scalper (AKA "FreeBSD.Scalper.worm", "ELF/FreeApworm", "ELF_SCALPER.A")
    Scalper is an Internet worm that infects FreeBSD servers by exploiting a vulnerability in the popular Apache web server software. It also acts as a backdoor on infected systems, accepting a variety of "orders" to run commands on the local machine, flood a specified IP address, send mail, and so on.

    Worm.Win32.Nople
    Nople is a non-dangerous Win32 worm. The worm itself is a Windows PE EXE file about 51KB in length, written in Microsoft Visual C++. Nople copies itself to the C:\WinNT directory under the name "noplease_flash_movie.exe", then spreads under the same name over local networks by copying itself to shared network drives. The worm is able to spread to Windows NT machines only.

    Windows Viruses

    Win32.HLLW.Juegos
    Juegos is a very dangerous Win32 worm. The worm itself is a Windows PE EXE file about 14KB in length, written in Visual Basic. It copies itself to the system under the name "c:\windows\System\Shell.exe" and to the A: floppy disk under the name "a:\Juegos.exe". Thus the worm spreads from floppy disks to hard drives (only if a user runs the infected file on the floppy disk), and from hard drives to floppy disks.

    Win32.Perrun
    Perrun is a non-dangerous, non-memory-resident parasitic Win32 virus. The virus itself is a Windows PE EXE file about 12KB in length (compressed with UPX; the decompressed size is about 18KB), written in Visual Basic. The main feature of the virus is its ability to affect JPEG image files (compressed graphic images) and to spread via the affected JPEG files.

    Win2K.Team
    Win2K.Team is a Windows 2000/XP compatible companion virus that uses a "stream companion" infection method, based on the NTFS feature that allows multiple data streams to be associated with a single file. The virus itself is a Windows application (PE EXE file) about 4K in size. When run, it executes the host file and then tries to infect all EXE files in the current directory. If the host file is absent, the virus shows the following message before infecting files:
    While infecting a file, the virus creates a new stream associated with the victim file, named "ccc", so the complete stream name is "FileName:ccc". The virus copies the victim file's body (its default stream) into the "ccc" stream, and then overwrites the default stream with its own code. While infecting files, the virus makes a temporary copy of itself in a file named "2002", which it deletes after infection. This infection method should work on any NTFS system, but the virus checks the system version and runs only under Windows 2000/XP.
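One way a defender can hunt for files carrying the companion stream described above, as an added example that is not part of the original newsletter: a PowerShell function (assumed to run on a modern Windows host with NTFS volumes) that walks a directory tree and reports every EXE file that has an alternate data stream named "ccc". The function name, parameter names and the root path are assumptions.

```powershell
# Added example: report EXE files that carry an NTFS alternate data stream named "ccc",
# the stream name the newsletter attributes to Win2K.Team's stream companion infection.
# Function name and default root path are assumptions, not part of the original text.
function Find-CccStreamCompanion {
    param(
        [string]$Root = 'C:\',
        [string]$StreamName = 'ccc'
    )
    Get-ChildItem -LiteralPath $Root -Recurse -File -Filter '*.exe' -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Get-Item -Stream * enumerates every named stream on the file. The default data
            # stream is reported as ':$DATA'; Zone.Identifier is a common, benign named stream.
            $streams = Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
            $hit = $streams | Where-Object { $_.Stream -eq $StreamName }
            if ($hit) {
                [pscustomobject]@{
                    Path         = $_.FullName
                    StreamName   = $hit.Stream
                    StreamLength = $hit.Length   # original host body stashed in the "ccc" stream
                    HostLength   = $_.Length     # default stream, now holding the ~4K virus code
                }
            }
        }
}

# Example invocation; pipe to Export-Csv to keep a record for the incident file.
Find-CccStreamCompanion -Root 'C:\Users' | Format-Table -AutoSize
```

A hit whose default stream is only a few kilobytes while the "ccc" stream is much larger matches the infection layout described above, which is worth noting before restoring the host from its stream.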

    Macro Viruses

    Macro.Word.Xenixos (Nemesis)
    Xenixos is an encrypted macro virus. It contains the macros: Drop, Dummy, AutoExec, AutoOpen, DateiÖffnen, ExtrasMakro, DateiBeenden, DateiDrucken, DateiSpeichern, DateiSpeichernUnter, DateiDruckenStandard. In some cases it sets the password "xenixos" on infected documents and displays the message:
      Diese Option ist derzeit leider nicht verfügbar. Fehler

    Kaspersky Lab 10 Geroyev Panfilovtsev St., Moscow, Russia 125363
    Telephone/ Fax: +7 095 797 87 00
    E-mail: info@kaspersky.com
    WWW: http://www.kaspersky.com
    © 2002, Kaspersky Lab, Ltd. All rights reserved