WINDOWS VIRUSES
Win32.Halen
Win32.Resur
Resur.a,c
Resur.b
Resur.d
Win32.Idele
INTERNET WORMS
I-Worm.Unis
Worm.Shorm
Worm.Linux.Ramen
I-Worm.Trood
I-Worm.Hermes
I-Worm.Sint
LINUX VIRUSES
Linux.Zipworm
MULTIPARTITE VIRUSES
Demig
WINDOWS VIRUSES
Win32.Halen
This is a benign, non-memory-resident, parasitic, polymorphic Win32 virus. It searches for PE EXE and SCR files in the Windows directory, the Windows system directory and the current directory, and writes itself to the end of each file it infects.
On Saturdays at 19:00 (GMT, not local time) the virus displays a message box and then slowly shifts the screen image to the right.
Win32.Resur
This is a benign, per-process memory-resident parasitic virus. When an infected file is executed, the virus takes control, starts its infection thread and returns control to the host program. The thread then runs in the background of the host process, scans the directory trees of all available drives and infects the PE EXE files it finds there.
The virus uses a fairly involved infection method: it parses the victim's PE structure and merges its own code into the file. The virus body is itself a standard PE EXE image with four sections: code, data, resources and a fix-up (relocation) table. Depending on the victim's layout, the virus either adds all of its sections to the victim as separate sections or appends some of them to existing sections. It then updates the victim's headers accordingly, modifying the entry point address, the section count, and the section addresses and sizes.
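Both infectors above change the victim's section table and entry point, so the first thing a practitioner wants is a check that parses those headers and says where the entry point actually lands. The following is an added example, not code from the original description: a minimal PE32 header walker plus an entry-point sanity check, exercised on three constructed header-only images (a clean file, a Halen-style appended section, and a Resur-style grown section). The section names, RVAs and the 0x400000 image base are assumptions chosen for the fixture.

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(pe):
    """Walk MZ -> e_lfanew -> PE\\0\\0 -> COFF header -> optional header -> section table.
    Returns (AddressOfEntryPoint, [section dicts]); only the fields the check needs are decoded."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    nsect = struct.unpack_from("<H", pe, coff + 2)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]    # SizeOfOptionalHeader
    opt = coff + 20
    entry = struct.unpack_from("<I", pe, opt + 16)[0]        # AddressOfEntryPoint (RVA)
    sections, off = [], opt + opt_size
    for _ in range(nsect):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", pe, off)
        chars = struct.unpack_from("<I", pe, off + 36)[0]    # Characteristics
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va,
                         "vsize": vsize, "rptr": rptr, "rsize": rsize, "chars": chars})
        off += 40
    return entry, sections


def entry_point_findings(pe):
    """Return human-readable reasons the entry point looks tampered with (empty list = nothing odd)."""
    entry, sections = parse_pe(pe)
    home = next((i for i, s in enumerate(sections)
                 if s["va"] <= entry < s["va"] + max(s["vsize"], s["rsize"])), None)
    if home is None:
        return ["entry point 0x%x lies outside every section" % entry]
    sec, findings = sections[home], []
    if not sec["chars"] & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):
        findings.append("entry point in non-code section %r" % sec["name"])
    if sec["chars"] & IMAGE_SCN_MEM_WRITE:
        findings.append("entry section %r is writable" % sec["name"])
    if len(sections) > 1 and home == len(sections) - 1:
        findings.append("entry point in last section %r" % sec["name"])
    first_code = next((i for i, s in enumerate(sections) if s["chars"] & IMAGE_SCN_CNT_CODE), None)
    if first_code is not None and home != first_code:
        findings.append("entry point not in first code section %r" % sections[first_code]["name"])
    return findings


def build_pe(sections, entry_rva, image_base=0x00400000):
    """Constructed test fixture: a headers-only PE32 image (no real code).
    `sections` is a list of (name, rva, size, characteristics)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))                        # e_lfanew
    opt_size = 224                                                     # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                              # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                         # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)                        # ImageBase
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.ljust(8, b"\0"), sz, rva, sz, rva, 0, 0, 0, 0, ch)
                     for n, rva, sz, ch in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


TEXT = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = 0x00000040 | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

CLEAN = build_pe([(b".text", 0x1000, 0x1000, TEXT), (b".data", 0x2000, 0x1000, DATA)], 0x1100)
# Appender: a new writable code section at the end, entry point redirected into it.
APPENDED = build_pe([(b".text", 0x1000, 0x1000, TEXT), (b".data", 0x2000, 0x1000, DATA),
                     (b".virus", 0x3000, 0x2000, TEXT | IMAGE_SCN_MEM_WRITE)], 0x3000)
# Section-merging variant: .data grown to hold the virus, entry point moved into it.
MERGED = build_pe([(b".text", 0x1000, 0x1000, TEXT), (b".data", 0x2000, 0x3000, DATA)], 0x2800)

if __name__ == "__main__":
    for label, img in (("clean", CLEAN), ("appended", APPENDED), ("merged", MERGED)):
        print(label, entry_point_findings(img) or ["nothing suspicious"])
```

The check is a heuristic, not a detection: a legitimate packer trips it too, and an entry-point-obscuring infector such as Win32.Idele described below, which leaves AddressOfEntryPoint alone and patches a JMP inside the original code, passes it cleanly.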
Resur.a,c
These variants contain text strings that the virus displays in some cases:
I already told you this but...
Warning! Don't close this window
Win32/Resurrection by Tcp/29A
Hey you, stupid
29A
Resur.b
This is a remake of the original virus. Instead of displaying the messages above, it forces the installed Web browser to open the site "http://sennaspy.tsx.org". The virus also contains the text string:
Senna Spy Fenasoft 2000 Virus
Resur.d
This variant is encrypted, and it decrypts itself at run time by a very unusual method. While infecting a file, the virus changes the program's Image Base and writes specially crafted entries into the relocation (fix-up) section. As a result, when the Windows loader relocates the program to its actual load address, the fix-up pass itself decrypts the virus code.
This virus contains the text:
Win95/SVK by Tcp/29A
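The trick above works because a HIGHLOW fix-up is nothing more than "add (actual base minus preferred base) to this DWORD", so an infector that knows the loader will rebase the image can store its code minus that delta and let the loader do the addition. The following is an added example, not the virus's or Kaspersky's code: a small emulation of the loader's relocation pass, an infector-side routine that prepares the encrypted DWORDs and matching fix-up entries, and a round trip showing the code is readable only when the image is actually rebased. The stub bytes, the RVA 0x3000, the preferred base 0x300000 and the real base 0x400000 are all assumptions for the demo; the description only says the Image Base is modified.

```python
import struct

IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, skipped by the loader
IMAGE_REL_BASED_HIGHLOW = 3    # add the 32-bit base delta to the target DWORD


def build_reloc_block(page_rva, offsets):
    """Encode one IMAGE_BASE_RELOCATION block: VirtualAddress, SizeOfBlock, then
    16-bit entries with the type in the top 4 bits and the page offset in the low 12."""
    entries = b"".join(struct.pack("<H", (IMAGE_REL_BASED_HIGHLOW << 12) | off) for off in offsets)
    if len(entries) % 4:                                   # blocks are DWORD-aligned
        entries += struct.pack("<H", IMAGE_REL_BASED_ABSOLUTE << 12)
    return struct.pack("<II", page_rva, 8 + len(entries)) + entries


def apply_relocations(image, reloc_table, preferred_base, actual_base):
    """Emulate the loader's fix-up pass over an image indexed by RVA:
    every HIGHLOW target gets (actual_base - preferred_base) added to it."""
    delta = (actual_base - preferred_base) & 0xFFFFFFFF
    img, pos = bytearray(image), 0
    while pos + 8 <= len(reloc_table):
        page_rva, size = struct.unpack_from("<II", reloc_table, pos)
        if size < 8:
            break
        for ent in range(pos + 8, pos + size, 2):
            entry = struct.unpack_from("<H", reloc_table, ent)[0]
            typ, offset = entry >> 12, entry & 0xFFF
            if typ == IMAGE_REL_BASED_HIGHLOW:
                tgt = page_rva + offset
                val = struct.unpack_from("<I", img, tgt)[0]
                struct.pack_into("<I", img, tgt, (val + delta) & 0xFFFFFFFF)
        pos += size
    return bytes(img)


def encrypt_for_reloc(code, delta):
    """Infector side: store each DWORD minus delta and record its offset so the
    loader's addition restores the plaintext. Returns (encrypted, offsets)."""
    code = code + b"\0" * (-len(code) % 4)                 # pad to whole DWORDs
    out, offsets = bytearray(), []
    for off in range(0, len(code), 4):
        (val,) = struct.unpack_from("<I", code, off)
        out += struct.pack("<I", (val - delta) & 0xFFFFFFFF)
        offsets.append(off)
    return bytes(out), offsets


# Constructed demo values: a stand-in "virus stub" (pushad / call / pop ebp / sub ebp / popad / ret),
# and an ImageBase set deliberately low so the loader is assumed to rebase the EXE to 0x400000.
STUB = b"\x60\xe8\x00\x00\x00\x00\x5d\x81\xed\x06\x10\x40\x00\x61\xc3"
VIRUS_RVA = 0x3000               # page-aligned, so reloc offsets equal offsets into the stub
PREFERRED_BASE = 0x00300000      # written into the header by the infector (assumed)
REAL_BASE = 0x00400000           # where the loader actually maps the program (assumed)
DELTA = REAL_BASE - PREFERRED_BASE


def infected_image():
    """Infector side: encrypted stub at VIRUS_RVA plus a relocation block covering every DWORD of it."""
    enc, offs = encrypt_for_reloc(STUB, DELTA)
    image = bytearray(VIRUS_RVA + len(enc))                 # rest of the image is zero in this demo
    image[VIRUS_RVA:] = enc
    return bytes(image), build_reloc_block(VIRUS_RVA, offs), len(enc)


def load_virus_region(actual_base):
    """Loader side: rebase the image to actual_base and return the bytes the CPU would execute."""
    image, relocs, n = infected_image()
    loaded = apply_relocations(image, relocs, PREFERRED_BASE, actual_base)
    return loaded[VIRUS_RVA:VIRUS_RVA + n]


if __name__ == "__main__":
    print("rebased to 0x%x:" % REAL_BASE, load_virus_region(REAL_BASE).hex())
    print("loaded at preferred base:", load_virus_region(PREFERRED_BASE).hex())
```

Two consequences worth noting for analysis: the "key" is the base delta, so no key bytes appear anywhere in the file, and a static unpacker that maps the image at its preferred base (or a loader that honours it) sees only the encrypted form, which is what the second print line shows.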
Win32.Idele
This is a memory-resident, encrypted, parasitic Win32 virus. When infecting, it uses entry-point-obscuring (EPO) technology: it does not change the file's entry point address, but instead patches the program's code with a JMP to the virus body. The virus is activated only when the program runs and the patched code branch receives control.
The virus then starts a background thread and lives inside the infected application's process. It is therefore per-process memory resident, active until the infected application terminates.
Working in the background, the virus scans all disk drives for PE EXE files and infects them. The infection routine has a bug, and in some cases infected files are corrupted.
The virus does not manifest itself in any way. It contains the text string:
Idele virus version 1.9DoxtorL./[T.I]/Dec.Y2K'
INTERNET WORMS
I-Worm.Unis
This is an Internet worm that spreads as an e-mail attachment and through IRC channels. The worm can also infect RAR archives by appending its code to the archive contents.
The worm's functionality is built on so-called "plugins". The main component (a Win32 EXE file about 12K in length), which is the part sent by e-mail and to IRC channels, is only a "loader": it connects to a Web page, downloads further worm components (plugins) from there and executes them. The worm's behaviour is therefore entirely determined by its plugins. Five plugins are known at the moment.
The Web page address depends on the worm version. The following addresses are known at the moment:
http://hyperlink.cz/benny/viruses/
http://shadowvx.com/benny/viruses/
All known worm components (the main EXE file and the plugins) are compressed with the TeLoc Win32 PE EXE compressor.
The worm's code has many bugs: in most cases an infected machine hangs and the worm fails to send out its copies. The worm therefore has very little chance of spreading in the wild.
Worm.Shorm
This is a network worm that spreads over local networks and the Internet. To spread, the worm connects to remote computers and, if a disk is shared with full access, copies itself into the Windows start-up directory there (if it exists).
The worm also steals passwords. It collects RAS information (user names, phone numbers, passwords) as well as cached passwords and sends them to two e-mail addresses: krenx@mail.ru and winam@mail.ru.
The worm itself is a Win32 application (PE EXE file) written in Delphi and compressed with the ASpach PE EXE compression utility. The worm body contains the text:
SharedWorm v1.2
Worm.Linux.Ramen
This is the first known worm infecting RedHat Linux systems. It was discovered in the middle of January 2001. The worm spreads from system to system by exploiting a RedHat buffer-overrun vulnerability that lets it upload and run a short piece of code on the remote system; that code then downloads and activates the main worm component.
The worm has not been tested at Kaspersky Lab, so all information below should be read as "what the worm would do if it really works." We also have no confirmed reports of infected servers from our customers.
The worm exploits three vulnerabilities in RedHat versions 6.2 and 7.0. These were disclosed in summer-autumn 2000, at least three months before the worm was discovered.
The worm also contains routines intended to attack FreeBSD and SuSE machines, but these routines are neither activated nor used by the worm's code.
I-Worm.Trood
This is an Internet worm that spreads as an e-mail attachment. The worm itself is a Windows application (EXE file) about 10K in length. It can infect Win9x/ME systems only.
When the worm is activated (run by a user from the attachment), it installs itself into the system and displays a fake message.
The worm code also contains the text strings:
I-Worm.Win9X.Troodon v1.0 Project
Developed by Clau.
I-Worm.Hermes
This is an e-mail worm that spreads via MS Outlook. The worm itself is a Win32 executable about 20K in length (the body is compressed; decompressed it occupies about 60K). The worm is written in Visual Basic.
The worm connects to MS Outlook through MAPI functions, collects all addresses from the Address Book and sends messages to them. The messages contain the following:
Subject: Re:
Text: [%SenderName%]
where the sender's name is the name of the current user's e-mail account.
The attachment name is randomly selected from the following variants:
Seti@home 3.x to 4.0 upd.exe
Seti@home_twk.exe
Seti_patch.exe
Lunetic!.exe
CIH.exe
Energy.exe
ftip.exe
Navidat.exe
Click_ME!.exe
Cenik.exe
Lunetic.scr
fucking.scr
micro$haft.scr
matrix.scr
reboot.scr
Pamela.scr
techno.scr
funny!.scr
Hermes.scr
School_in_da_flame.scr
I-Worm.Sint
This is an e-mail worm that spreads via MS Outlook. The worm itself is a Win32 executable about 30K in length. The worm is written in Visual Basic.
When the worm is run, it copies itself to the Windows directories with the names:
C:\Windows\Vicevi_teza_odvala.txt.exe
C:\windows\system\Vicevi_teza_odvala.txt.exe
The second file is then registered in the system registry auto-run key.
The worm also copies itself under the same name to the root directories of all available logical drives (local or remote).
The worm then connects to MS Outlook through MAPI functions, collects all addresses from the Address Book and sends messages to all of them. The messages contain:
Subject: Vicevi!
Attach: Vicevi_teza_odvala.txt.exe
The message body is written in Serbo-Croatian and is randomly selected from four variants (English translations in brackets):
1. Cao! Izvini sto te uznemiravam ovako, ali evo saljem ti neke viceve koji cete sigurno oraspoloziti! [Hi! Sorry to bother you like this, but here are some jokes that will surely cheer you up!]
2. Vozdra! Evo pogledaj ove viceve koje sam i ja dobio neki dan! Pravo su smijesni! [Hey! Take a look at these jokes that I got the other day too! They're really funny!]
3. Cao korisnice! Znam da sigurno nemas vremena da pogledas ove viceve koje ti saljem. Nadam se da ces imati vremena da ih pogledas! [Hi, user! I know you surely don't have time to look at these jokes I'm sending you. I hope you'll find the time to look at them!]
4. Zdravo! Nemoram ti nista pricati...samo pogledaj ovu veliku kolekciju viceva ;) [Hello! I don't need to tell you anything... just look at this big collection of jokes ;)]
LINUX VIRUSES
Linux.Zipworm
This is a harmless Linux virus that infects ZIP archives.
When the virus is run, it looks for ZIP archives in the current directory and adds copies of itself to them. It does not use any external ZIP tool for this but parses the ZIP format itself. Inside the archives the virus's files carry one of five possible names:
Ten motives why linux sux!
Why Windows is superior to Linux!
Is Linux for you? Never!
Is Linux immune to virus? NO!
zipworm!
The virus also contains the "copyright" text:
elf zip worm vecna
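Because the virus writes the ZIP structures itself rather than calling a ZIP tool, the natural counterpart is a reader that walks those same structures by hand and looks at what each member actually contains instead of trusting its name. The following is an added example, not the virus's or Kaspersky's code: a central-directory walker written with struct (no zipfile module on the reading side), a local-header reader that inflates each member and verifies its CRC, and a scan that reports members starting with the ELF magic. The sample archive is a constructed fixture built with the standard library; the member name is one of the five listed above, the fake ELF header inside it is made up for the demo.

```python
import io
import struct
import zipfile
import zlib

EOCD_SIG = b"PK\x05\x06"   # end of central directory record
CDIR_SIG = b"PK\x01\x02"   # central directory file header
LOCAL_SIG = b"PK\x03\x04"  # local file header
ELF_MAGIC = b"\x7fELF"


def central_directory(data):
    """Yield one dict per member by walking the central directory by hand,
    i.e. the same records an infector has to rewrite when it appends a member."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    # EOCD: this_disk, cd_disk, entries_this_disk, entries_total, cd_size, cd_offset, comment_len
    _, _, _, total, _cd_size, cd_off, _ = struct.unpack_from("<HHHHIIH", data, eocd + 4)
    pos = cd_off
    for _ in range(total):
        if data[pos:pos + 4] != CDIR_SIG:
            raise ValueError("central directory corrupt at offset 0x%x" % pos)
        (_ver_made, _ver_need, flags, method, _time, _date, crc, csize, usize,
         nlen, xlen, clen, _disk, _iattr, _eattr, loff) = struct.unpack_from("<HHHHHHIIIHHHHHII", data, pos + 4)
        raw_name = data[pos + 46:pos + 46 + nlen]
        name = raw_name.decode("utf-8" if flags & 0x800 else "cp437")   # bit 11 = UTF-8 names
        yield {"name": name, "method": method, "flags": flags, "crc": crc,
               "csize": csize, "usize": usize, "local_offset": loff}
        pos += 46 + nlen + xlen + clen


def entry_data(data, entry):
    """Find the member's local header, skip its own name/extra fields, and return
    the decompressed content (only 'stored' and 'deflate' are handled)."""
    loff = entry["local_offset"]
    if data[loff:loff + 4] != LOCAL_SIG:
        raise ValueError("local header missing for %r" % entry["name"])
    nlen, xlen = struct.unpack_from("<HH", data, loff + 26)   # local lengths may differ from central ones
    start = loff + 30 + nlen + xlen
    raw = data[start:start + entry["csize"]]
    if entry["method"] == 0:
        out = raw
    elif entry["method"] == 8:
        out = zlib.decompress(raw, -15)                        # raw deflate stream
    else:
        raise ValueError("unsupported compression method %d" % entry["method"])
    if zlib.crc32(out) & 0xFFFFFFFF != entry["crc"]:
        raise ValueError("CRC mismatch for %r" % entry["name"])
    return out


def elf_members(data):
    """Names of members whose content starts with the ELF magic, whatever the name says."""
    return [e["name"] for e in central_directory(data) if entry_data(data, e)[:4] == ELF_MAGIC]


def build_sample_archive():
    """Constructed fixture: an ordinary two-member archive, then one appended member that
    carries an ELF header under an extension-less, misleading name (as the virus does)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README", b"nothing to see here\n", compress_type=zipfile.ZIP_DEFLATED)
        zf.writestr("notes.txt", b"meeting at 10\n")
    with zipfile.ZipFile(buf, "a") as zf:                      # append, as an infector would
        fake_elf = ELF_MAGIC + b"\x01\x01\x01" + b"\0" * 9 + b"\x02\x00\x03\x00" + b"\0" * 44
        zf.writestr("Ten motives why linux sux!", fake_elf)
    return buf.getvalue()


if __name__ == "__main__":
    archive = build_sample_archive()
    for e in central_directory(archive):
        print("%-30s method=%d size=%d" % (e["name"], e["method"], e["usize"]))
    print("ELF payloads:", elf_members(archive))
```

Walking the central directory rather than scanning for local headers matters here: a member appended with a rewritten central directory is only visible through the records the infector updated, and a mismatch between the two views (or a CRC failure) is itself a sign that someone edited the archive by hand.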
MULTIPARTITE VIRUSES
Demig
This is a harmless multipartite virus. It infects DOS, MS Windows and MS Office (Excel) files:
DOS: the virus infects COM, EXE and BAT files
Win32: PE EXE files and KERNEL32.DLL library
MS Office: creates Excel "virus dropper" file
The virus itself is a Win32 PE EXE program and can perform all of its functions only when run under Win32. The other infected components are "virus droppers": the virus cannot spread directly from them, but uses a trick to drop its Win32 copy. When an infected DOS file is run, or an infected Excel sheet is opened, the attached virus routine creates the file C:\DEMIURG.EXE, extracts the Win32 virus code into it and spawns that file. The main virus routine then gets control.
Under Win32 the virus is memory resident. The infected KERNEL32.DLL hooks the file access functions (opening, copying, moving, reading file attributes) and infects the COM, EXE and PE EXE files that are accessed through them.