
FUNLOVE VIRUS


Information about Funlove virus:

This virus infects 32-bit Windows executable (PE) files under Windows 95, Windows 98 and Windows NT. When an infected file is run, the virus stays resident in memory and creates a dropper file, FLCSS.EXE, in the Windows System directory.

The infection procedure searches all local drives for PE files and infects files of any extension that have the PE format. It also infects files on mapped network drives if the user has write permission. This virus inserts the following string in the infected file:

~Fun Loving Criminal~

Funlove will not infect files whose names start with the following four letters:

ALER, AMON, AVP3, AVPM, DDHE, DPLA, F-PR, MPLA, NAVW, SCAN, SMSS

Funlove virus first appeared in November 1999.


Other names of Funlove virus:
This worm is also known as Win32.FLC.

WIN32/DONUT.A


Information about the Win32/Donut.A :

Win32/Donut is the first virus to use Microsoft's .NET.

When an infected file is executed, it searches for .NET executable files. It infects a file by replacing the 5-byte stub at the file's entry point with a jump instruction. Before infecting, it checks the platform and infects only Windows 2000 or Windows XP. It tries to infect all .EXE files in the current directory. It may copy itself repeatedly by appending a space to the existing filename.

Sometimes it may display a message box with the following content:

This cell has been infected by dotNET virus!
NET.dotNET by Benny/29A

This worm first appeared on 9th January 2002.


Other names of Win32/Donut.A:
This worm is also known as Donut, W32.Donut.A.

KRIZ VIRUS


Information about Kriz virus :

This virus infects 32-bit Windows executable (PE EXE) files under Windows 95, Windows 98 and Windows NT. When an infected file is run, the virus stays resident in memory and infects other clean files.

The virus carries a payload that triggers on December 25th. After the payload is triggered, the computer will not boot. The Kriz virus can damage the contents of the BIOS flash memory chip, just like the Win32.CIH virus (most newer computers, those with 80486 and later CPUs, have their BIOS stored in flash memory chips). This virus may also attempt to directly erase the contents of disk sectors.

Kriz virus first appeared in August 1999.


Other names of Kriz virus:
This worm is also known as Win32/Kriz, Win32.Kriz.3862, Win32.Kriz.3740.

SHOEREC VIRUS


Information about the Shoerec virus:

This virus infects all 32-bit Windows executable (EXE) files under Windows 95, Windows 98 and Windows NT. It spreads rapidly through newsgroups under the names FUN.EXE, BOXING.EXE or NOSTRESS.EXE. The file appears to be a Shockwave file; on execution it displays a picture of a boxer, who can be hit using the toolbar options.

It chooses a random letter and searches the directory tree, then infects files whose names start with that letter. It carries a payload in which the virus changes the desktop icon settings so that icons appear to run away from the mouse pointer. It also deletes a number of files at random from the system.

Shoerec virus first appeared in March 2000.


Other names of Shoerec:
This virus is also known as Shoerec.A, Win32/Shoerec.

WIN32/FINALDO.B VIRUS


Information about the Win32/Finaldo.B Virus :

This virus runs in 32-bit environments (Windows 95, Windows 98 and Windows NT based systems). It also possesses worm characteristics and spreads through email or files.

The virus arrives in an email with a random subject line and an executable file attachment whose icon is the flag of China. The body of the mail is blank. When the infected mail is opened or previewed in Microsoft Outlook or Microsoft Outlook Express, the virus is activated. It drops Finaldoom.exe or Finaldoom.dll into the Windows\Temp folder. It infects .EXE, .OCX and .SCR files on local and network drives by appending itself to the original file.

After this, it drops a file FINALDOOM.EML into the Windows\Temp folder. The virus gains access to SMTP and sends mail to the recipients found in the mailbox. It modifies .HTM, .HTML and .ASP files on the local drives, adding JavaScript that causes FINALDOOM.EML to gain control.

This worm first appeared on 7th November 2001.


Other names of Win32/Finaldo.B Virus:
This worm is also known as W32.Finaldo.B, W32/Finaldo.

W32/PERRUN VIRUS


Information about the W32/Perrun virus:

W32/Perrun is a JPEG file infector. When a W32/Perrun-infected JPEG file is executed, it extracts a file called EXTRK.EXE. The virus appends its code to other .JPEG files when executed. It changes the registry at the following location so that the virus is executed whenever a JPEG file is opened:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\jpegfile\shell\open\command

This virus first appeared on 13th June 2002.

Other names of W32/Perrun virus:
This worm is also known as Perrun, W32.Perrun.dr, PE_PERRUN.A.

W32/DETNAT VIRUS


Information about the W32/Detnat Virus:

W32/Detnat is a virus that infects Windows systems and spreads through network shares.
Once activated, the virus searches the shared folders on the infected computer and infects all .exe files found there.
When an infected .exe file is executed, the virus copies the infected file to the Windows Temp folder as cooler[random number].exe, disinfects the file, and then copies itself under the original file name into the folder from which it was executed.

It tries to connect to the following websites and downloads and executes a file:

[blocked].com/bbs/img/bbs.wos
[blocked].com/images/1.wos

This worm first appeared on May 03, 2006.

Other names of W32/Detnat Virus:
This worm is also known as PE_DETNAT.A, Win32/Detnat.A.

W32/KITTYKAT VIRUS


Information about the W32/Kittykat Virus:

W32/Kittykat is a virus that infects Windows systems and spreads by infecting files with the .rar extension.

The virus arrives as a .rar file containing a start.bat file and many other randomly named files.

Once start.bat is executed, it creates an executable file named nrk.exe, which infects all files with the .rar extension found on the infected computer.

This virus displays the following message once it completes infection:

Eppur si muove! - Defend your opinion!

This worm first appeared on May 09, 2006.

Other names of W32/Kittykat Virus:
This worm is also known as PE_KITTYKAT.A, KittyKat.A.

W32/ASPLUX.A VIRUS


Information about the W32/Asplux.A Virus:

W32/Asplux.A is a virus that infects Windows systems.

The malicious Visual Basic Script (VBScript) arrives as a file dropped by other malware.

Upon execution, it attempts to infect all .ASPX files found in the C:\Inetpub\wwwroot folder by appending its code to the host file.

It performs the infection by searching for the string in the .ASPX files.

The same string also serves as an infection marker. However, the infection routine of the virus may not execute properly, due to an error in its code.

This virus first appeared on July 22, 2006.


Other names of W32/Asplux.A Virus:
This virus is also known as VBS_ASPLUX.A, VBS.Asplux.

KENSTON VIRUS


Information about the Kenston virus:

This virus infects all 32-bit Windows executable (EXE) files under Windows 95, Windows 98 and Windows NT. The virus does not stay resident in memory; when an infected file is run, it infects other clean files in the directory. Most infected files will not run under Windows NT.

Kenston virus first appeared in February 1999 and is not in the wild.


Other names of Kenston:
This worm is also known as Win32/Kenston.

WIN32.MTX


Information about the Win32.MTX:

This virus runs in 32-bit environments (Windows 95, Windows 98 and Windows NT based systems). It has trojan and worm characteristics and spreads through email.

The following infected files are received as attachments:

ALANIS_Screen_Saver.SCR
ANTI_CIH.EXE
AVP_Updates.EXE
BILL_GATES_PIECE.JPG.pif
BLINK_182.MP3.pif
FEITICEIRA_NUA.JPG.pif
FREE_xxx_sites.TXT.pif
FUCKING_WITH_DOGS.SCR
Geocities_Free_sites.TXT.pif
HANSON.SCR
I_am_sorry.DOC.pif
I_wanna_see_YOU.TXT.pif
INTERNET_SECURITY_FORUM.DOC.pif
IS_LINUX_GOOD_ENOUGH!.TXT.pif
JIMI_HMNDRIX.MP3.pif
LOVE_LETTER_FOR_YOU.TXT.pif
MATRiX_2_is_OUT.SCR
MATRiX_Screen_Saver.SCR
Me_nude.AVI.pif
METALLICA_SONG.MP3.pif
NEW_NAPSTER_site.TXT.pif
NEW_playboy_Screen_saver.SCR
Protect_your_credit.HTML.pif
QI_TEST.EXE
READER_DIGEST_LETTER.TXT.pif
SEICHO-NO-IE.EXE
Sorry_about_yesterday.DOC.pif
TIAZINHA.JPG.pif
WIN_$100_NOW.DOC.pif
YOU_are_FAT!.TXT.pif
zipped_files.EXE


Opening the infected attachment launches the worm, which drops its files. Restarting a computer infected with the MTX virus renames the dropped WSOCK32.MTX to the original WSOCK32.DLL at startup. The virus gains access to SMTP and spreads through shared network folders. Apart from that, the following files are also dropped:

IE_PACK.EXE
MTX_.EXE
WIN32.DLL

It modifies the registry at the following location:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

This worm then infects Windows files with the extensions EXE, SCR and DLL.

Win32.MTX virus first appeared in September 2000.


Other names of Win32.Mtx:
This virus is also known as Win32.MTX, I-Worm.MTX.

W32/Compor.A Virus


Information about the W32/Compor.A Virus:

Win32/Compor.A is activated when an infected file is executed. Once activated, the virus infects files with the .EXE extension that are executed on the infected system.

This virus requires the .NET Framework to be installed on the computer in order to infect it.

It copies itself as WebCompressor.EXE in the Windows System folder.

The virus modifies the registry at the following location so that it is loaded whenever a .EXE file is executed:

HKEY_CLASSES_ROOT\ExeFile\Shell\Open\Command

This virus first appeared on March 15, 2006.

W32/Virut.A Virus


Information about the W32/Virut.A Virus:

W32/Virut.A is a virus that infects Windows systems.

Once activated, the virus creates an event named VT_3 to ensure that only one instance of the virus runs on the computer.

It attempts to infect files with the .exe and .scr extensions that are accessed on the infected computer.

The worm also has backdoor capabilities: it connects to an Internet Relay Chat (IRC) server using TCP port 65520, which allows a remote attacker to download files to the infected computer.

This worm first appeared on May 14, 2006.


Other names of W32/Virut.A Virus:
This worm is also known as W32.Virut.A, PE_VIRUT.A.

W32/Renadoc.A Virus


Information about the W32/Renadoc.A Virus:

W32/Renadoc.A is a virus that infects Windows systems and spreads through network or mapped drives.

The virus may arrive as a file dropped from a network or mapped drive.

Upon execution, the virus copies itself as Direct.com in the Windows System folder.

The virus modifies the registry at the following locations so that it is loaded at each startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

It also modifies the following registry keys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

The virus checks for .doc files and overwrites them with a copy of itself. It may spread by overwriting document files located on mapped drives.

The virus also disables the following programs:

regedit.exe
taskmgr.exe
msconfig.exe

This virus first appeared on October 23, 2006.


Other names of W32/Renadoc.A Virus:
This virus is also known as W32.Renadoc.A.