The Kaspersky Lab Electronic Newsletter #28

17 Oct 2002
Virus News

Network Worms

  • I-Worm.Chet
  • I-Worm.Gismor
  • I-Worm.Pepex
  • Worm.P2P.Relmony

    Windows Viruses

  • Win32.Ramlide
  • Win32.Porex

    Linux Viruses

  • Linux.Gildo

    Trojan Programs

  • Backdoor.Cabrotor
  • Trojan.Spy.GreenScreen

    Macro Viruses

  • Macro.Word97.Nori

    Virus Constructors

  • Constructor.VBS.SSIWG

    Network Worms

    I-Worm.Chet "Chet" is a worm that spreads via the Internet as an attachment to infected emails. The worm itself is a Windows PE EXE file about 27KB in length, written in Microsoft Visual C++. It activates from an infected message only when the user opens the attached file; it then installs itself on the system and runs its spreading routine.

    I-Worm.Gismor "Gismor" is a worm that spreads via the Internet as an attachment to infected emails. The worm itself is a Windows PE EXE file about 8KB in length, written in Assembler. Infected messages have the following attributes (message fields):
    Mail From:
    From: MP3 Deluxe
    To: My best friends
    Subject: Phenomenal
    Body: body is empty
    Attach: MP3Player.exe
    To run from infected messages without the user opening the attachment, the worm uses the Internet Explorer IFrame vulnerability, so the attachment is launched when the message is displayed. "Gismor" then installs itself on the system and runs its spreading routine.

    I-Worm.Pepex "Pepex" is a worm that spreads via the Internet as an attachment to infected emails, and also through the Kazaa file-sharing network and IRC channels. The worm itself is a Windows PE EXE file about 32KB in length (compressed with UPX; the decompressed size is about 80KB), written in Microsoft Visual C++. Infected messages have the following message field attributes:
    From: "Microsoft"
    Reply-To: "Microsoft"
    Subject: Internet Explorer vulnerability patch
    Body: You will find all you need in the attachment.
    Attach: setup.exe
    The worm activates from infected emails only when the user opens the attached file. "Pepex" then installs itself on the system and runs its spreading routines.

    Worm.P2P.Relmony "Relmony" is an Internet worm that spreads through the Kazaa and Morpheus peer-to-peer file exchange networks. The worm replicates by placing copies of itself in these networks' shared folders. The worm is a Windows application (PE EXE file) about 29KB in size, written in Visual Basic.

    Installation
    The worm copies itself to the Windows auto-startup directories with the following names:
    C:\WINNT\system32\config\systemprofile\Start Menu\Programs\Startup\system.exe

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\system.exe

    C:\WINDOWS\Start Menu\Programs\Startup\system.exe

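    The message fields listed above for Gismor and Pepex are exactly the indicators a mail gateway of the period would have matched on. The Python script below is an added example, not Kaspersky's detection code: it parses a raw RFC 822 message, matches the From/Subject/attachment triplet for each family, and also reports two generic signals, executable attachments and an HTML part whose <iframe> src is a cid: reference to the attachment (the assumed shape of the IFrame auto-run trick; the newsletter itself does not describe the message layout). The three sample messages are constructed for the example; the sender addresses, MIME boundaries and attachment bytes are invented.

```python
import email
import re

# Indicators transcribed from the Gismor and Pepex entries above.
INDICATORS = {
    "I-Worm.Gismor": {"from": "MP3 Deluxe", "subject": "Phenomenal",
                      "attachment": "MP3Player.exe"},
    "I-Worm.Pepex": {"from": "Microsoft",
                     "subject": "Internet Explorer vulnerability patch",
                     "attachment": "setup.exe"},
}
# Attachment types a gateway should quarantine regardless of any named family.
EXEC_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat")
# Assumed shape of the IFrame auto-run trick: an HTML part whose <iframe>
# src points at the attachment through a cid: reference.
IFRAME_CID = re.compile(rb"<iframe[^>]+src\s*=\s*[\"']?cid:", re.I)


def scan_message(raw):
    """Return the listed families a raw RFC 822 message matches, plus the
    generic signals (executable attachments, cid: iframe auto-run)."""
    msg = email.message_from_bytes(raw)
    sender = msg.get("From", "")
    subject = msg.get("Subject", "").strip()
    attachments = []
    html = b""
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            attachments.append(name)
        if part.get_content_type() == "text/html":
            html += part.get_payload(decode=True) or b""
    lowered = [a.lower() for a in attachments]
    families = [
        family for family, ioc in INDICATORS.items()
        if ioc["from"] in sender
        and subject == ioc["subject"]
        and ioc["attachment"].lower() in lowered
    ]
    return {
        "families": families,
        "executable_attachments": [a for a in attachments
                                   if a.lower().endswith(EXEC_SUFFIXES)],
        "iframe_autorun": IFRAME_CID.search(html) is not None,
    }


# Constructed sample messages following the field lists above; addresses,
# boundaries and the 4-byte "attachment" (TVqQAA== is MZ 90 00) are invented.
GISMOR_SAMPLE = b"""From: MP3 Deluxe <mp3@example.test>
To: My best friends <victims@example.test>
Subject: Phenomenal
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body><iframe src="cid:mp3player" width=0 height=0></iframe></body></html>
--b1
Content-Type: application/octet-stream; name="MP3Player.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="MP3Player.exe"
Content-ID: <mp3player>

TVqQAA==
--b1--
"""

PEPEX_SAMPLE = b"""From: "Microsoft" <support@example.test>
Reply-To: "Microsoft" <support@example.test>
Subject: Internet Explorer vulnerability patch
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="us-ascii"

You will find all you need in the attachment.
--b2
Content-Type: application/octet-stream; name="setup.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="setup.exe"

TVqQAA==
--b2--
"""

# Same subject as Gismor but no matching sender or attachment: must not match.
BENIGN_SAMPLE = b"""From: Alice <alice@example.test>
To: Bob <bob@example.test>
Subject: Phenomenal
Content-Type: text/plain; charset="us-ascii"

Great show last night!
"""

if __name__ == "__main__":
    for label, raw in (("gismor", GISMOR_SAMPLE), ("pepex", PEPEX_SAMPLE),
                       ("benign", BENIGN_SAMPLE)):
        print(label, scan_message(raw))
```

    The benign sample reuses the "Phenomenal" subject on purpose: a single field is a weak indicator, so the rule requires all three to agree, while the executable-attachment and iframe signals fire independently of any named family.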

    Windows Viruses

    Win32.Ramlide "Ramlide" is a non-dangerous, non-memory-resident, parasitic, encrypted Win32 virus. It infects Win32 applications only. When infecting a file the virus encrypts its body and writes it to the end of the file. When an infected file starts, the virus infects the *.EXE, *.SCR and *.CPL files in the current directory, and then infects the following files in the Windows directory: CALC.EXE, NOTEPAD.EXE, CDPLAYER.EXE, WRITE.EXE, PBRUSH.EXE. On the 7th, 12th, 17th and 22nd of any month the virus drops the image file "ramlide.bmp" and registers it as the desktop wallpaper.

    Win32.Porex "Porex" is a memory-resident parasitic and companion Win32 virus. The virus itself is a Windows PE EXE file about 37KB in length, written in Microsoft Visual C++. The virus affects files of two types: Win32 PE executable files and files with the .DOC extension. It only affects files larger than 10KB and smaller than 21MB. The virus searches for victim files on all available drives and in all directories. When infecting EXE files the virus writes itself to the beginning of the file.
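    A quick triage check for infectors that append their body (Ramlide) or otherwise move the entry point: parse the PE section table and see which section AddressOfEntryPoint lands in. The Python below is an added example, not Kaspersky's analysis tooling. The two-section PE32 that build_sample_pe produces is a constructed test image, not loadable by Windows, and the heuristic is a triage signal only: packers legitimately put the entry point in a writable last section, and a prepending infector such as Porex rewrites the headers wholesale, so it is better caught by comparing size and hash against a known-good baseline.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe(data):
    """Return (AddressOfEntryPoint, [section headers]) from an on-disk PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (_machine, nsections, _stamp, _symptr, _nsyms,
     opt_size, _flags) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):            # PE32 / PE32+
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)   # same offset in both
    sections = []
    for i in range(nsections):
        fields = struct.unpack_from(SECTION_FMT, data, opt + opt_size + i * 40)
        name, vsize, va, rawsize, rawptr = fields[:5]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "rawsize": rawsize,
                         "rawptr": rawptr, "chars": fields[9]})
    return entry_rva, sections


def check_pe_entry(data):
    """Flag entry points that look like the work of an appending infector."""
    entry, sections = parse_pe(data)
    result = {"entry_rva": entry, "section": None, "suspicious": False,
              "reason": "entry point in a normal code section"}
    home = None
    for idx, sec in enumerate(sections):
        if sec["va"] <= entry < sec["va"] + max(sec["vsize"], sec["rawsize"]):
            home = idx
            break
    if home is None:
        result.update(suspicious=True, reason="entry point is not inside any section")
        return result
    sec = sections[home]
    result["section"] = sec["name"]
    is_last = home == len(sections) - 1
    if not (sec["chars"] & IMAGE_SCN_MEM_EXECUTE):
        result.update(suspicious=True, reason="entry point in a non-executable section")
    elif is_last and (sec["chars"] & IMAGE_SCN_MEM_WRITE):
        result.update(suspicious=True,
                      reason="entry point in the last section, which is writable (appended code?)")
    return result


def build_sample_pe(entry_rva, last_chars=0xC0000040):
    """Constructed two-section PE32 (.text at RVA 0x1000, .data at 0x2000).
    Headers are padded to 0x400; this is a parser fixture, not a runnable binary."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)      # i386, 2 sections
    opt = (struct.pack("<H", 0x10B) + bytes(14)                        # Magic, padding to +16
           + struct.pack("<I", entry_rva) + bytes(224 - 20))            # AddressOfEntryPoint
    text_hdr = struct.pack(SECTION_FMT, b".text", 0x200, 0x1000, 0x200, 0x400,
                           0, 0, 0, 0, 0x60000020)                     # CODE|EXECUTE|READ
    data_hdr = struct.pack(SECTION_FMT, b".data", 0x200, 0x2000, 0x200, 0x600,
                           0, 0, 0, 0, last_chars)
    headers = dos + b"PE\0\0" + coff + opt + text_hdr + data_hdr
    headers += bytes(0x400 - len(headers))
    return headers + b"\xC3" * 0x200 + bytes(0x200)   # RET-filled .text, zeroed .data


if __name__ == "__main__":
    print("clean   :", check_pe_entry(build_sample_pe(0x1000)))
    print("appended:", check_pe_entry(build_sample_pe(0x2010, 0xE0000040)))
    print("no home :", check_pe_entry(build_sample_pe(0x9000)))
```

    The sample with the entry point redirected into a writable, executable last section is the shape an appending infector leaves behind; the same check run over a directory of binaries makes a useful first pass before anything is sent for full analysis.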

    Linux Viruses

    Linux.Gildo "Gildo" is a non-dangerous, memory-resident parasitic virus. It is written in Assembler and uses direct system calls (syscall) to work with files. The virus infects ELF files and writes itself into the middle of them. Once run, the virus divides its work into two tasks. The resident part scans the directory tree starting from the root and checks the access rights of each file it finds; if the file is writable, the virus infects it. When infecting a file the virus enlarges the code section by 4096 bytes, writes its code into the freed space, adjusts the parameters of the ELF sections that follow, and sets a new entry point for the file. The virus displays this message on each start:
    Gildo virus
    email Gildo@jazz.hm (for comments)
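    Gildo's method (enlarge the code section by 4096 bytes, write the body there, redirect the entry point) leaves something a scanner can look for: the entry point sits in the final page of an oversized .text rather than near its start. The Python below is an added example rather than Kaspersky's code. parse_elf reads the section headers of a 32- or 64-bit ELF, check_elf_entry applies the heuristic, and build_sample_elf64 produces constructed, non-executable test images (a NOP-filled .text, no program headers). The 4096-byte page and the "last page of .text" rule are assumptions derived from the description above; a stripped or unusually linked binary can trip them, so a hit is a reason to look closer, not a verdict.

```python
import struct

PAGE = 4096            # enlargement step given in the Gildo description above
SHF_EXECINSTR = 0x4


def parse_elf(data):
    """Return (e_entry, [section dicts with resolved names]) for a 32- or 64-bit ELF."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    end = "<" if data[5] == 1 else ">"                 # EI_DATA: 1 = little-endian
    if data[4] == 2:                                    # ELFCLASS64
        hdr_fmt, sh_fmt = end + "HHIQQQIHHHHHH", end + "IIQQQQIIQQ"
    elif data[4] == 1:                                  # ELFCLASS32
        hdr_fmt, sh_fmt = end + "HHIIIIIHHHHHH", end + "IIIIIIIIII"
    else:
        raise ValueError("bad EI_CLASS")
    (_type, _machine, _ver, e_entry, _phoff, e_shoff, _flags, _ehsize,
     _phentsize, _phnum, e_shentsize, e_shnum,
     e_shstrndx) = struct.unpack_from(hdr_fmt, data, 16)
    sections = []
    for i in range(e_shnum):
        (sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size,
         _link, _info, _align, _entsize) = struct.unpack_from(
            sh_fmt, data, e_shoff + i * e_shentsize)
        sections.append({"name_idx": sh_name, "type": sh_type, "flags": sh_flags,
                         "addr": sh_addr, "offset": sh_offset, "size": sh_size,
                         "name": ""})
    if e_shstrndx < len(sections):                      # resolve names via .shstrtab
        st = sections[e_shstrndx]
        names = data[st["offset"]:st["offset"] + st["size"]]
        for sec in sections:
            stop = names.find(b"\0", sec["name_idx"])
            sec["name"] = names[sec["name_idx"]:stop if stop >= 0 else None].decode(
                "ascii", "replace")
    return e_entry, sections


def check_elf_entry(data):
    """Heuristic: where does the entry point sit relative to .text?"""
    entry, sections = parse_elf(data)
    result = {"entry": entry, "section": None, "suspicious": False,
              "reason": "entry point near the start of .text"}
    home = next((s for s in sections
                 if s["size"] and s["addr"] <= entry < s["addr"] + s["size"]), None)
    if home is None:
        result.update(suspicious=True, reason="entry point outside every section")
        return result
    result["section"] = home["name"]
    if home["name"] != ".text":
        result.update(suspicious=True,
                      reason="entry point in %s rather than .text" % (home["name"] or "<unnamed>"))
    elif not (home["flags"] & SHF_EXECINSTR):
        result.update(suspicious=True, reason=".text is not marked executable")
    elif home["size"] > PAGE and entry - home["addr"] >= home["size"] - PAGE:
        result.update(suspicious=True,
                      reason="entry point in the final page of an enlarged .text (appended code?)")
    return result


def build_sample_elf64(text_size, entry_offset):
    """Constructed little-endian ELF64: header, NOP-filled .text, .shstrtab and three
    section headers. No program headers, so it is a parser fixture, not a runnable file."""
    text_off, base = 64, 0x400000
    text_addr = base + text_off
    shstrtab = b"\0.text\0.shstrtab\0"                  # ".text" at 1, ".shstrtab" at 7
    shstrtab_off = text_off + text_size
    shoff = shstrtab_off + len(shstrtab)
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = e_ident + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, text_addr + entry_offset,
                                 0, shoff, 0, 64, 56, 0, 64, 3, 2)
    sh = "<IIQQQQIIQQ"
    shdrs = bytes(64)                                                   # SHN_UNDEF
    shdrs += struct.pack(sh, 1, 1, 0x6, text_addr, text_off, text_size, 0, 0, 16, 0)
    shdrs += struct.pack(sh, 7, 3, 0, 0, shstrtab_off, len(shstrtab), 0, 0, 1, 0)
    return ehdr + b"\x90" * text_size + shstrtab + shdrs


if __name__ == "__main__":
    print("clean   :", check_elf_entry(build_sample_elf64(512, 0)))
    print("enlarged:", check_elf_entry(build_sample_elf64(512 + PAGE, 512 + 16)))
    print("no home :", check_elf_entry(build_sample_elf64(512, 10000)))
```

    The "enlarged" sample mimics the infection shape described above: .text grew by one page and the entry point now points into that added page. The check only reads section headers, so a sample with its section table stripped should be treated as its own warning sign rather than as clean.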

    Trojan Programs

    Backdoor.Cabrotor "Cabrotor" is a backdoor Trojan program (a hidden remote control Trojan). The Trojan itself is a Windows PE EXE file written in Delphi. The original Trojan package contains three main executable files:
    CaBrONaToR.exe - client to send commands to remote server
    CaBrONeDiT.exe - server editor to modify default server settings
    8======D.exe - server (trojan itself)
    Trojan.Spy.GreenScreen "GreenScreen" is a "spy" Trojan that installs itself on the system, hides itself, and then captures screen images and saves them to disk files in encrypted form, allowing the attacker to view the victim's screen later. The Trojan itself is a Windows PE EXE file compressed with ASPack and written in Delphi. The Trojan's size varies with the specific version.

    Macro Viruses

    Macro.Word97.Nori "Nori" is a dangerous macro virus that infects Microsoft Word documents when they are opened or created. As a result of virus activity the file "Iron.tmp" may appear in the root directory of drive C:. On April 1st the virus reads the "RegisteredOrganization" value from the system registry, and if it equals
    "IRON"
    the virus destroys all the files on drive C:. If the "RegisteredOrganization" value contains anything else, the virus deletes the content of any document opened on April 1st.

    Virus Constructors

    Constructor.VBS.SSIWG "VBS.SSIWG" is a script-worm construction tool. It was used to create the "SSIWG" virus families. The constructor can create worms that replicate via e-mail and IRC channels (using the mIRC or pIRCh programs). The worms created with this constructor can also:
    • start automatically in Windows
    • encrypt their code