
V.I.R.U.S.

(Vital Information Resource Under Siege)

AND
WORMS

"Keep in mind that NOT everything that goes wrong with a computer is caused by a virus or worm."
Introduction
A VIRUS is a small, executable program with the ability to replicate itself, usually
without the permission or knowledge of the user.
The word "virus" is often used loosely as a generic term covering worms, viruses and
Trojans; strictly, only self-replicating code that needs a host program is a virus.
Computer viruses are called 'viruses' because they share some common characteristics with
biological viruses. Like biological viruses, computer viruses are task specific: they are
designed to infect a designated target, which can be a specific type of file or computer
subsystem. A virus must piggyback on top of some other program to get executed, and it
passes from computer to computer the way biological viruses pass from person to person.
Fighting computer viruses is like human intelligence fighting against itself. Virus writers
continuously upgrade their techniques to ensure their survival in the computing
environment, and computer virologists face the task of combating new viruses developed
by members of their own programming fraternity. Once anti-virus software can handle an
existing virus, virus writers invent a new strain that is even harder to decipher or crack.

The appearance of computer viruses is one of the most interesting developments in
technology in the twentieth century. Computer viruses are mysterious but fascinating at
the same time. Every time a new virus hits, it makes the news. On the one hand they show
how sophisticated the technology has become; on the other, it is precisely our
dependence on technology that makes us so vulnerable.
Coming back to viruses: a virus can add its code anywhere in the host program and/or in the
system area of a hard disk or floppy disk. The host program is simply an executable
file such as an .EXE or .COM. "Anywhere in the file" means that the virus code can be
prepended at the beginning, appended at the end, inserted in the middle, or kept at a
different location on disk with only a pointer to it placed in the file. The host is patched
so that the virus code gets executed first. Also, what is added to a file is normally not
the complete source code of the virus: it is just the self-replicating part, so that it can
infect more programs.

Difference between a computer virus and other programs
Viruses are designed to self-replicate, usually without the knowledge of the user.
They often contain "payloads", actions that the virus carries out separately from
replication.
Viruses can be hidden in:
⇒ Programs available on floppy disks or CDs
⇒ E-mail attachments
⇒ Material downloaded from the web
Payload of computer viruses
The payload is the malicious activity that the virus carrying it performs. In short, the
payload defines the damage a virus is designed to cause. A payload can be triggered by a
number of conditions, such as:
⇒ A certain date (day of the month or of the year)
⇒ Execution of certain programs
⇒ A built-in counter (for example, the n-th run of an infected program)

Examples of what a payload can do
⇒ Delete files
⇒ Access and release confidential information
⇒ Unauthorized mass e-mailing
⇒ File modification
⇒ Overwriting security settings
⇒ System instability
⇒ Degrading system performance by stealing CPU cycles

Virus Behavior
In general, a virus has two phases, the "infection phase" and the "attack phase". In the
infection phase the virus reproduces as widely as it can; in the attack phase it does
whatever damage it is programmed to do. Its presence is usually felt only once the attack
phase activates.

Infection phase
Virus writers have to balance how and when their virus should infect against the
possibility of being detected. Therefore the spread of infection may not be immediate.
This is the phase where the virus takes over the system: first by infecting the identified
target, then by taking control when the target runs, and lastly by installing its own code.
These steps are spelled out in the instructions given to it by the author.
There is no general rule for when a virus infects other programs. Some viruses infect
every time the host program is executed, others only when a trigger condition is met. So
you can never be sure that your system is clean just because an AV program has run a few
times; the virus may simply not have started its infection phase yet. The virus writer
wants the program to spread as far as possible so that in the second phase, the attack
phase, the damage is as wide as possible. Many viruses go resident in memory. This gives
the virus the upper hand: it can wait for an external event before it starts infecting, and
the trigger it uses becomes harder to guess.

A resident virus frequently takes over portions of the system software to hide its
presence. This technique is called stealth.

Attack phase
Not all viruses attack, but all use system resources and often have bugs. Most viruses do
unpleasant things like deleting files or changing random data on your disk, slowing down
your PC, or stealing passwords from the system and mailing them to a remote address.
Viruses often delay revealing their presence by launching their attack only after they
have had ample opportunity to spread. This means that the attack phase can start months
after infection. The attack phase is optional: many viruses simply reproduce themselves
and have no trigger for an attack phase.

Classification of Computer viruses
Viruses can be classified in a number of ways. One way of classifying them is as follows:
Environment
File Viruses
♦ Overwriting virus
♦ Parasitic virus or Cavity (space-filler) virus
♦ Companion virus
♦ File worms
♦ Link viruses or cluster viruses
♦ Source code viruses (OBJ, LIB viruses)
♦ Tunneling viruses
♦ Camouflage virus
Boot viruses
♦ Parity boot
♦ Boot-and-file virus
♦ System sector virus
Macro Viruses
Network Viruses
VB worms
Operating system (OS)
Algorithm of operation
Terminate and stay resident (TSR) virus
Stealth Algorithm
Armored virus
Polymorphic or self-encrypting capabilities
Logic bombs
FILE VIRUSES
These viruses used to be the most numerous, but since the introduction of macro viruses,
macros have taken over. A file virus either infects executables, creates file doubles
(companion virus), or uses a file-system-specific feature (link virus). Just as system sector
viruses can remain in memory and use stealth techniques to hide their presence, file
viruses can do the same: when you do a directory listing or read an infected file, the
resident virus returns the original size or contents that it saved at infection time, so
you see what the file looked like before infection. Some file viruses (such as 4096) also
infect overlay files as well as the more usual *.COM and *.EXE files. Overlay files have
various extensions, but .OVR and .OVL are common. Files with the extension .DLL are
also capable of being infected.

Overwriting virus
The simplest viruses work by locating a type of file they know how to infect (usually
.EXE or .COM) and overwriting part of the program. When the program is executed, the
virus code runs and infects more files. Overwriting viruses do not tend to be very
successful, since the overwritten program rarely continues to function correctly and the
virus is discovered almost immediately. More sophisticated file viruses save the original
instructions when they insert their code into the program; after the virus finishes it
restores and runs the original program, so everything appears normal.

Parasitic virus or
Cavity (space filler) virus
A parasitic virus changes the contents of the file it infects while keeping the file
functional. These viruses are classified according to where they put their code: at the
beginning of the file, at the end, or in the middle, i.e. in parts of the file that are unused,
also known as cavities. Inserting in the middle is the most difficult, though there are a
number of techniques for doing so. Some viruses compress the code they displace so that
the size of the file is not altered; that removes the need for a stealth routine to hide the
size change. The Lehigh virus was an early example of a cavity virus.
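The jump-to-the-tail layout described for appending infectors (in the introduction and in the overwriting and parasitic sections above) can be checked mechanically. The following Python is an added example, not code from these notes: it decodes the 8086 near or short JMP at the entry point of a .COM image and flags an image whose first instruction jumps into the last quarter of the file. The 25% tail threshold and the sample images are my own choices; the placeholder body is NOP padding, not virus code.

```python
# Added example (not from the original notes): a heuristic scanner for the
# "virus code runs first" layout of an appending .COM infector.  A DOS .COM
# image is raw 8086 code loaded at offset 0x100 with execution starting at
# its first byte.  An appender typically overwrites the first three bytes
# with a near JMP (opcode E9, 16-bit relative displacement) to the code it
# placed at the end of the file, and saves the original three bytes inside
# that tail so it can restore them and run the host afterwards.
# The images below are constructed test data, not real viruses.

JMP_NEAR = 0xE9            # 8086 near JMP with rel16 displacement
JMP_SHORT = 0xEB           # 8086 short JMP with rel8 displacement


def entry_jump_target(image: bytes):
    """Return the file offset the first instruction jumps to, or None
    if the image does not start with a JMP."""
    if len(image) >= 3 and image[0] == JMP_NEAR:
        rel = int.from_bytes(image[1:3], "little", signed=True)
        return 3 + rel           # displacement is relative to the next instruction
    if len(image) >= 2 and image[0] == JMP_SHORT:
        rel = int.from_bytes(image[1:2], "little", signed=True)
        return 2 + rel
    return None


def looks_like_appender(image: bytes, tail_fraction: float = 0.25) -> bool:
    """Flag an image whose entry JMP lands in the last `tail_fraction` of
    the file (heuristic threshold, my choice): legitimate programs rarely
    begin by jumping to their own tail, appending infectors almost always do."""
    target = entry_jump_target(image)
    if target is None:
        return False
    if not (0 <= target < len(image)):
        return False             # jump outside the file: corrupt, not this pattern
    return target >= len(image) * (1 - tail_fraction)


def build_clean_com() -> bytes:
    """Constructed 'clean' program: MOV AH,09h / MOV DX,010Ah / INT 21h / RET,
    a "Hi$" string and some padding.  Only the first bytes matter here."""
    return bytes([0xB4, 0x09, 0xBA, 0x0A, 0x01, 0xCD, 0x21, 0xC3]) + b"Hi$" + b"\x00" * 200


def constructed_appender_layout(host: bytes, body_len: int = 64) -> bytes:
    """Constructed layout an appender would leave behind: a JMP at the entry
    point to a tail holding the saved original three bytes plus a body.
    The body is NOP padding (0x90), not executable virus code."""
    saved_entry = host[:3]
    placeholder_body = saved_entry + b"\x90" * body_len
    rel = len(host) - 3           # from offset 3 (end of the JMP) to the end of host
    jmp = bytes([JMP_NEAR]) + rel.to_bytes(2, "little", signed=True)
    return jmp + host[3:] + placeholder_body


if __name__ == "__main__":
    clean = build_clean_com()
    suspect = constructed_appender_layout(clean)
    print("clean   :", looks_like_appender(clean))     # False
    print("suspect :", looks_like_appender(suspect))   # True
```

A legitimate .COM program that begins with a JMP over a small data area near its start is not flagged, because the target is near the beginning rather than the tail. A cavity infector that hides inside the body of the file, as described in the parasitic section, would not be caught by this check at all, which is exactly why cavity infection was attractive.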

Companion virus
A companion virus does not modify the designated file at all. Instead it creates a second
file with the same base name, so that when the user tries to run the designated file, the
companion (the virus) gets executed first; it then typically launches the real program so
nothing looks wrong. This makes use of a DOS rule: when a command is typed without an
extension, COMMAND.COM looks for a .COM file before an .EXE, and for an .EXE before a
.BAT. So if abc.COM and abc.EXE are both present in the same directory, typing "abc" at
the prompt runs the COM file and not the intended EXE. The virus therefore locates files
whose names end in .EXE and creates a matching file ending in .COM that contains the
viral code. The original .EXE is left untouched, which is why an integrity checker that only
watches the files it already knows about can miss this kind of infection.
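As an added illustration (not from the original notes) of the precedence rule above, the Python below models how COMMAND.COM resolves a bare command name and lists the .COM/.EXE pairs a companion infector leaves behind. The directory listing and PATH are constructed sample data; the precedence order .COM, .EXE, .BAT is the real DOS rule.

```python
# Added example (not part of the original notes): simulates how COMMAND.COM
# resolves a bare command name and flags the companion-virus tell-tale.
# DOS precedence for a name typed without an extension is .COM, then .EXE,
# then .BAT, searched in the current directory first and then each PATH
# entry in order.  The directory contents below are constructed test data.

from typing import Dict, List, Optional, Tuple

DOS_PRECEDENCE = (".COM", ".EXE", ".BAT")


def resolve_command(name: str, search_dirs: List[str],
                    listing: Dict[str, List[str]]) -> Optional[Tuple[str, str]]:
    """Return (directory, filename) that DOS would execute for `name`.
    `listing` maps a directory to the filenames it contains.  Matching is
    case-insensitive as on FAT; .COM wins over .EXE in the same directory,
    and an earlier directory wins over a later one."""
    name = name.upper()
    for d in search_dirs:
        files = {f.upper(): f for f in listing.get(d, [])}
        for ext in DOS_PRECEDENCE:
            if name + ext in files:
                return d, files[name + ext]
    return None


def companion_candidates(listing: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """List (directory, com_file, exe_file) pairs where the same base name
    exists as both .COM and .EXE.  A few legitimate DOS packages ship such
    pairs, but this is exactly what a companion infector leaves behind, so
    each pair deserves a look (e.g. a tiny or hidden .COM next to a big .EXE)."""
    found = []
    for d, files in listing.items():
        by_name: Dict[str, Dict[str, str]] = {}
        for f in files:
            base, dot, ext = f.upper().rpartition(".")
            if dot:
                by_name.setdefault(base, {})["." + ext] = f
        for base, exts in sorted(by_name.items()):
            if ".COM" in exts and ".EXE" in exts:
                found.append((d, exts[".COM"], exts[".EXE"]))
    return found


# Constructed example: C:\APPS holds the real WP.EXE; after a companion
# infection a WP.COM appears beside it.
SAMPLE_LISTING = {
    r"C:\WORK": ["REPORT.TXT", "BUILD.BAT"],
    r"C:\APPS": ["WP.EXE", "WP.COM", "EDIT.EXE"],
    r"C:\DOS":  ["COMMAND.COM", "FORMAT.COM", "XCOPY.EXE"],
}
SAMPLE_PATH = [r"C:\WORK", r"C:\APPS", r"C:\DOS"]   # current dir first, then PATH

if __name__ == "__main__":
    print(resolve_command("wp", SAMPLE_PATH, SAMPLE_LISTING))     # ('C:\\APPS', 'WP.COM')
    print(resolve_command("build", SAMPLE_PATH, SAMPLE_LISTING))  # ('C:\\WORK', 'BUILD.BAT')
    print(companion_candidates(SAMPLE_LISTING))                   # [('C:\\APPS', 'WP.COM', 'WP.EXE')]
```

Typing the full name with its extension ("wp.exe") sidesteps the precedence rule, which is why the companion trick relies on users typing bare command names.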

File Worms
This is a modification of the companion virus. When they multiply they copy their code
to some other disk or directory and sometimes give their copies special names in order to
make the user run them first.

Link Virus or Cluster viruses
Cluster viruses change the directory information so that when you try to run a program
you first run the virus. They infect your files not by changing the physical contents of the
file or by planting extra files, but by changing the DOS directory entries so that they point
to the cluster holding the virus code instead of the actual program. When an infected file
is started, the OS therefore executes the virus code first, and the virus then transfers
control to the real program. Only one family of link virus is known, the "DIR-II" family.
There is only one copy of the virus code on the disk, however many programs appear
infected. This type of virus is usually also a fast infector: on any file access, the entire
current directory is infected and, if the DOS path must be searched, all directories on the
path are typically infected too. It can cause serious problems if you don't know it is there:
a disk-repair utility such as CHKDSK sees all the redirected entries as cross-linked files
and can destroy them while "fixing" the disk. These viruses often use stealth techniques to
hide their presence.

Source code viruses
Source code found on your system can be infected, usually by adding Trojan code to it.
Source code comes in many forms because of the many different compilers and
languages available, which is one reason why source code viruses are not particularly
common. A source code virus does not spread via the source itself; it simply adds Trojan
material to existing source code so that, when it is compiled and run, the program does
something different than expected. Die Hard is one example of a source code virus.

Tunneling Viruses
Some viruses attempt to "tunnel" under anti-virus monitoring programs in order to bypass
them. The virus finds the original interrupt handlers in DOS and the BIOS and calls them
directly, bypassing any activity monitor that has hooked the interrupt vectors in order to
watch for viral activity. Some anti-virus programs try to detect this and reinstall
themselves under the virus. This can cause an "interrupt war" between the anti-virus
program and the virus and result in problems on your system. Some anti-virus programs
also use tunneling techniques themselves, to bypass any virus that might be active in
memory when they load.

Camouflage Viruses
When scanners were less sophisticated it was possible for a virus to sneak by, because
scanners sometimes suppressed alarms they "knew" to be false. This type of virus would
be extremely hard to write today. When anti-virus scanners were based completely on
signatures there was always the possibility of a false alarm when a signature was found in
an uninfected file (a statistical possibility). So anti-virus programmers added logic that,
under the right circumstances, would ignore a matching signature and not raise an alarm.
While this "skip it" logic stopped the false alarms, it opened a door for virus writers to
camouflage their viruses so that they included the specific characteristics the anti-virus
program checked for, and thus have it ignore that particular virus. This type of virus is
difficult to code and not very common. Recent scanners not only check for virus
signatures but also verify checksums and file integrity.

Batch File Virus
Batch files can be used to carry binary executable code and either be or drop viruses.
This virus type is not often found, but it is possible to write a batch file that contains a
virus. In most cases the batch file is used to drop a memory-resident or boot virus which
then takes over when the computer is next started. These don't always work. Normally
they rely on a label line, which is what makes the whole thing work. The batch file
containing the virus dropper copies itself to the root directory under a .COM name, with
the output redirected to the NUL device so that nothing on the screen indicates that a
copy has taken place.

e.g.: COPY %0.BAT C:\Q.COM>NUL

We all know very well that simply renaming a .BAT file to .COM will result in nothing but
errors, because a .COM file is loaded as raw machine code. The label is what makes it
work: the text before the label decodes to CPU instructions that do nothing, and the label
line itself decodes to instructions that make the CPU jump ahead to the binary part of the
file, while COMMAND.COM, running the same file as a batch file, treats that line as a
label and ignores it. The binary instructions further down are the real virus (or virus
dropper). The easiest way to spot a batch file virus is to look for files that are several
thousand bytes long yet show only a few lines when displayed with the DOS command
TYPE: that is a tip-off. Most batch file viruses insert an end-of-file mark (Control-Z)
between the batch file portion and the binary portion, and TYPE stops there.
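The TYPE tip-off above can be turned into a check. The following is an added example, not part of these notes: it splits a .BAT image at the first Ctrl-Z, counts the lines TYPE would show, and reports the size of the hidden tail and whether it is plain text. Both sample files are constructed; the "binary" tail is filler bytes, not a real dropper, and the 256-byte threshold is an arbitrary choice.

```python
# Added example (not from the original notes): the "TYPE shows a few lines
# but the file is thousands of bytes" tip-off, made mechanical.  DOS text
# tools stop at the first Ctrl-Z (0x1A), so a batch file that hides a
# binary dropper after a Ctrl-Z shows only its text part.  The samples
# below are constructed; the "binary tail" is just placeholder bytes.

CTRL_Z = b"\x1a"


def visible_text(data: bytes) -> bytes:
    """What TYPE would display: everything before the first Ctrl-Z."""
    end = data.find(CTRL_Z)
    return data if end < 0 else data[:end]


def hidden_tail(data: bytes) -> bytes:
    """Everything after the first Ctrl-Z, which TYPE never shows."""
    end = data.find(CTRL_Z)
    return b"" if end < 0 else data[end + 1:]


def is_printable_ascii(chunk: bytes) -> bool:
    # CR, LF, TAB and 0x20-0x7E are what a text batch file should contain
    return all(b in (9, 10, 13) or 32 <= b <= 126 for b in chunk)


def suspicious_batch(data: bytes, min_tail: int = 256) -> dict:
    """Report a .BAT image whose hidden tail is sizeable and not plain text.
    Returns the figures so the caller can show them to the user."""
    text = visible_text(data)
    tail = hidden_tail(data)
    lines = text.count(b"\n") + (1 if text and not text.endswith(b"\n") else 0)
    return {
        "size": len(data),
        "visible_lines": lines,
        "hidden_bytes": len(tail),
        "suspicious": len(tail) >= min_tail and not is_printable_ascii(tail),
    }


# Constructed samples.  The first is an ordinary batch file.  The second has
# the structure the notes describe: a short text part, a Ctrl-Z, then
# non-text bytes standing in for the dropped binary.
CLEAN_BAT = b"@ECHO OFF\r\nCOPY %0.BAT C:\\BACKUP >NUL\r\nECHO done\r\n"
DROPPER_BAT = (b"@ECHO OFF\r\nCOPY %0.BAT C:\\Q.COM>NUL\r\nC:\\Q.COM\r\n"
               + CTRL_Z
               + bytes((i * 7) % 256 for i in range(2048)))

if __name__ == "__main__":
    print(suspicious_batch(CLEAN_BAT))
    print(suspicious_batch(DROPPER_BAT))
```

Run it over every *.BAT on a suspect disk and look at the ones reported as suspicious; a large, non-text tail behind a Ctrl-Z has no legitimate reason to be in a batch file.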

Sparse Infectors
This type of virus uses any one of a variety of techniques to minimize detection of its
activity. For example, this virus may only infect every 20th time a file is executed or it
might only infect files whose lengths are within narrowly defined ranges or whose names
begin with letters in a certain range of the alphabet, etc.

BOOT VIRUSES
Boot viruses either save themselves in the disk boot sector, or in the master boot record
(MBR), or change the pointer to the active boot sector. They infect the boot sector of a
floppy disk and the boot sector or MBR of a hard disk. They are mostly written in
assembly language. Brain (1986) was the first DOS virus; it was a boot virus and also has
the distinction of being the first stealth virus.

Parity boot
Its payload displays the message "Parity Check" and freezes the OS, rendering the system
inoperable. The message is copied from the real error message displayed when a memory
parity error occurs. Consequently, the user is led to believe that the memory is faulty
rather than that a virus infection is at work.

Boot-and-file virus or
Multipartite viruses
These viruses have a dual nature: they infect both files and boot sectors, which is why they
are also called multipartite viruses. Tequila is the classic example. (Stoned, Michelangelo
and Empire, often listed alongside it, are pure boot-sector viruses, and 4096 is a file
infector.)

System Sector Viruses
System sectors (the Master Boot Record and the DOS boot record) are frequent targets for
viruses. These viruses use all the common boot techniques to infect and hide themselves.
System sectors are invisible to normal programs but are vital for the correct operation of
your PC. Sectors are simply small areas on your disk that the hardware reads in single
chunks. System sector viruses modify the program in either the DOS boot sector or the
MBR. Since there isn't much space in a system sector (only 512 bytes), these viruses place
the rest of their code, and usually a copy of the original sector, somewhere else on the
disk. This sometimes causes problems when that spot already contains data, which is then
overwritten; to keep the spot from being reused they often mark those sectors as bad.
Because the virus is active in memory, it can hide its presence. Assume a system sector
virus is present on your system (say "Brain", the first known PC virus): when you use a
sector editor to look at the boot sector of an infected disk, the virus intercepts the
attempt to read the infected boot sector and instead returns its saved image of the
original boot sector. You see the normal boot sector instead of the infected version. This
is an example of the stealth property.

Macro Viruses
Pure data files cannot propagate viruses, since they are never executed. But with the
extensive macro languages built into office applications, the line between a data file and
an executable file easily becomes blurred to the average user. These viruses normally
spread through the internet: you receive a document as an attachment which, when
opened, is programmed to run its macro automatically and infect the computer. Macro
viruses infect document files, electronic spreadsheets and databases of a number of
commonly used software packages.

Network Viruses
Network viruses make extensive use of networking protocols and the capabilities of local
and wide area networks to multiply. The defining property of a network virus is its ability
to transfer its code to a remote server or workstation on its own. Full-scale network
viruses (i.e. worms) are capable of running their code on remote computers and/or
pushing the user into running the infected file.
The best examples of this type are the Morris worm, the Christmas Tree worm and the
WANK worm. Their characteristics were:
⇒ Obtained the addresses of other computers and sent copies of themselves to those
addresses
⇒ Created temporary files on system disks
⇒ Infiltrated computer memory from the network
⇒ Spread across a computer network

The errors in networking software that they exploited were fixed only after a few
epidemics had broken out.
OPERATING SYSTEM VIRUSES
Each file or network virus infects files of one particular OS, or of several:
⇒ DOS
⇒ Windows 3.xx
⇒ Windows 95/NT/2000
⇒ OS/2, etc.

The (Terminate and Stay Resident) TSR Capability Viruses
These viruses use a method by which they are put into memory when an infected program
runs (or the computer is booted) and then stay there until the computer is shut down.
While infecting a computer the virus leaves behind its resident part in RAM, which then
intercepts system calls directed at target objects and incorporates the virus into them.
Non-resident viruses do not infect computer memory and are active only for a limited
time. They can leave small resident parts in RAM, but those do not spread the virus.
Macro viruses are resident in the sense that they stay in memory for the entire running
time of the infected editor program.

Stealth Viruses
A virus must change things in order to infect a system, and in order to avoid detection it
will often take over the system functions most likely to spot those changes and use them
to hide itself. A virus may or may not save the original of the things it changes, so using
anti-virus software to handle viruses is always the safest option. Unless the virus takes
over the portions of the system that manage access to the changes it made, those changes
become visible and the virus is exposed. A stealth virus hides its modifications by taking
over the system functions that read files or system sectors; when some other program
requests information from a portion of the disk the virus has changed, the virus reports
back the original (unchanged) information instead of what is really there (the virus). Of
course, the virus must be resident in memory and active to do this.
Stealth is the major reason why most anti-virus programs work best when the system is
started (booted) from a known-clean floppy disk. The virus then never gains control of the
system, and the changes, and the virus itself, are immediately visible and can be dealt
with. Monkey is an example of a stealth virus.
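To make the stealth mechanism and the clean-boot advice concrete, here is an added simulation (not code from these notes, and touching no real disk) of the system-sector scenario described in the two sections above: a tiny disk model, a "resident" hook that answers reads of sector 0 with the saved original, and a cross-view check that compares what the hooked read path returns against the raw sector. The sector contents and the hideout sector number are constructed.

```python
# Added example (not from the original notes): a simulation of the stealth
# trick and of why scanning after a clean boot defeats it.  The "disk" is a
# Python list of 512-byte sectors; the "resident virus" is an object that
# hooks the read routine exactly as the notes describe, returning the saved
# image of the original boot sector whenever sector 0 is read.  Nothing here
# touches a real disk; the sector contents are constructed.

import hashlib
from typing import Callable, List

SECTOR = 512


def sector_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()[:16]


class Disk:
    """A flat array of sectors plus the raw read/write primitives (what the
    BIOS INT 13h handler does before anything hooks it)."""
    def __init__(self, sectors: List[bytes]):
        assert all(len(s) == SECTOR for s in sectors)
        self.sectors = sectors

    def raw_read(self, n: int) -> bytes:
        return self.sectors[n]

    def raw_write(self, n: int, data: bytes) -> None:
        assert len(data) == SECTOR
        self.sectors[n] = data


class ResidentStealthHook:
    """Models the memory-resident part of a system-sector stealth virus.
    install() saves the original boot sector elsewhere on the disk and
    replaces sector 0 (with placeholder bytes, not real code); read() is
    the hooked service: a request for sector 0 gets the saved original."""
    def __init__(self, disk: Disk, hideout: int):
        self.disk = disk
        self.hideout = hideout      # sector the virus would later mark "bad"

    def install(self) -> None:
        original = self.disk.raw_read(0)
        self.disk.raw_write(self.hideout, original)
        self.disk.raw_write(0, b"\xcc" * SECTOR)   # placeholder "infected" sector

    def read(self, n: int) -> bytes:
        if n == 0:
            return self.disk.raw_read(self.hideout)  # the lie: return the saved original
        return self.disk.raw_read(n)


def cross_view_check(os_read: Callable[[int], bytes],
                     raw_read: Callable[[int], bytes], n: int = 0) -> bool:
    """True if the sector looks different through the running OS than it
    does through the raw primitive: the signature of an active stealth hook.
    After a clean boot both paths are the same and the infection is visible."""
    return sector_hash(os_read(n)) != sector_hash(raw_read(n))


def build_disk() -> Disk:
    # Constructed boot sector: JMP, OEM name, zero padding, 55AA signature
    boot = b"\xeb\x3c\x90" + b"MSDOS5.0" + b"\x00" * (SECTOR - 13) + b"\x55\xaa"
    return Disk([boot] + [b"\x00" * SECTOR for _ in range(63)])


if __name__ == "__main__":
    disk = build_disk()
    clean_hash = sector_hash(disk.raw_read(0))
    virus = ResidentStealthHook(disk, hideout=40)
    virus.install()
    # Scanner running on the infected system: its reads go through the hook.
    print("looks clean through OS :", sector_hash(virus.read(0)) == clean_hash)    # True
    # Same sector read after booting from clean media (no hook in memory).
    print("raw read unchanged     :", sector_hash(disk.raw_read(0)) == clean_hash) # False
    print("stealth detected       :", cross_view_check(virus.read, disk.raw_read))  # True
```

The cross-view comparison is only possible when you have a read path the virus does not control, which on a DOS machine means booting from clean media; the same idea (compare the view through the running system with an independent view) is how later rootkit detectors work.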
Armored virus
Armored is a class that overlaps other classes of viruses, maybe multiple times. Basically,
an armored virus uses special "tricks" designed to foil anti-virus researchers. Any
antivirus researcher who wants to find out how a virus works must follow the instruction
codes in the virus. By using a variety of methods, virus writers can make this disassembly
task quite a bit more difficult. This usually makes the virus larger as well. An early virus,
Whale, made extensive use of these techniques.

Polymorphic Viruses
Polymorphic viruses produce varied but fully functional copies of themselves by encrypting
their body with a key that changes from copy to copy, and by varying the small decryption
routine that precedes it, so that no fixed byte sequence is shared between copies. They
were created precisely to confound scanning programs, and there are even virus-writing
toolkits available to help make them. They are harder to detect by signature scanning
because each copy of the virus looks different from every other copy.
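An added toy model (not from the original notes) of why signature scanning fails on polymorphic code and what a scanner does about it: each "copy" is a constructed byte string XOR-encrypted under a different single-byte key behind a fixed stub that carries the key. Nothing here is executable; the stub marker "DEC", the body and the 16-byte signature are my own constructed values.

```python
# Added example (not from the original notes): why a fixed byte signature
# fails against a self-encrypting body, and how a scanner gets around it.
# The "body" is an arbitrary constructed byte string; encryption is a
# single-byte XOR whose key changes with every copy, and the small
# "decryptor stub" that precedes each copy carries the key, as real
# polymorphic decryptors carry theirs.  Nothing here is executable code.

from typing import List

STUB_MAGIC = b"DEC"            # stand-in for the decryptor's fixed opcodes
BODY = b"SAMPLE-PAYLOAD-BODY-" + bytes(range(64))   # constructed, not real code
SIGNATURE = BODY[8:24]         # what a signature scanner would key on


def make_variant(body: bytes, key: int) -> bytes:
    """One 'generation' of the body: stub (magic + key) followed by the
    XOR-encrypted body.  Different keys give byte-for-byte different files."""
    assert 0 < key < 256
    return STUB_MAGIC + bytes([key]) + bytes(b ^ key for b in body)


def signature_scan(sample: bytes, signature: bytes = SIGNATURE) -> bool:
    """Plain signature match on the raw file bytes."""
    return signature in sample


def generic_decrypt_scan(sample: bytes, signature: bytes = SIGNATURE) -> bool:
    """Locate the stub, recover the key from it, decrypt, then match the
    signature on the plaintext.  This is what an AV 'decryption loop' or
    emulator does: run or model the stub before looking for the body."""
    idx = sample.find(STUB_MAGIC)
    if idx < 0 or idx + len(STUB_MAGIC) >= len(sample):
        return False
    key = sample[idx + len(STUB_MAGIC)]
    plaintext = bytes(b ^ key for b in sample[idx + len(STUB_MAGIC) + 1:])
    return signature in plaintext


def brute_force_scan(sample: bytes, signature: bytes = SIGNATURE) -> bool:
    """Fallback when the stub itself is mutated and cannot be parsed: try
    every single-byte key.  Cheap here; real polymorphic engines use far
    larger key spaces and variable instruction sequences to make this
    impractical, which is why emulation is used instead."""
    return any(signature in bytes(b ^ k for b in sample) for k in range(1, 256))


def generations(n: int) -> List[bytes]:
    return [make_variant(BODY, key) for key in range(1, n + 1)]


if __name__ == "__main__":
    copies = generations(10)
    print("distinct files      :", len(set(copies)))                             # 10
    print("signature hits      :", sum(signature_scan(c) for c in copies))       # 0
    print("decrypt-then-scan   :", sum(generic_decrypt_scan(c) for c in copies)) # 10
    print("brute-force         :", sum(brute_force_scan(c) for c in copies))     # 10
```

A real decryptor is a short instruction sequence that the mutation engine also rewrites (different registers, junk instructions, reordered operations), so a scanner cannot simply pattern-match the stub as this toy does; it has to emulate the code until the body has been decrypted in memory and then scan that.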

Virus Droppers
A dropper is a program designed to run and install (or "drop") a virus onto your system.
The program itself is not infected, nor is it a virus, because it does not replicate. So,
technically, a dropper should be considered a Trojan.
Often, because the virus is hidden inside the program code, a scanner will not detect the
danger until after the virus has been dropped onto your system. It is technically possible
to write a virus that also drops other viruses.

Logic Bombs
Just like a real bomb, a logic bomb lies dormant until triggered by some event. The trigger
can be a specific date, the number of times a particular file is executed, or even a specific
event such as the hours, minutes and seconds in the system clock coinciding. Once the
bomb is triggered, it can do anything from changing a random block of data on your disk
to making the entire disk unreadable.

Virus Hoax
We have gone into great detail, explaining some of the terrible things to watch out for
with regards to viruses. We’ve also told you what some of the effects of a virus can be,
from being an annoyance on your computer, to wiping out your hard drive, destroying
your data. While viruses can be nasty things that do untold damage to your personal or
work computers, there are a few things you should be aware of.
First, not all viruses are viruses. In fact, sometimes the things that can cause the most
problems for you are the hoaxes.
You get an email from someone you know saying something like “there’s a virus on your
computer that your virus scanning software can’t remove!” Within the email are very
detailed instructions on what to look for and what to do with the virus when you find it –
and believe me you will find it.
Sounds scary, doesn't it? I mean, someone you know telling you that you ARE in fact
infected with a virus so sneaky that your brand new and up to date virus scanning
software with web trap, real time scanning and a 1 billion virus signature dictionary can't
find it. And when you check, you will indeed find the "infected" file.
So, the first question is, how did the virus scanner miss it? After all, you have been
religiously updating your scanning software whenever a patch comes out right? And
you’ve scheduled weekly scans of all your drives right? So how did it miss it?
Simple; it’s not a virus, it’s a hoax.

The Worms
Worms are one type of particularly malicious code that can cause major damage to the
files, software, and data on your computer. They are sneaky and prolific, sometimes
copying themselves until they clog your system. While these tricky intruders can be
particularly difficult to detect, here is some information that may help you get the hook
into that worm.

Worms vs. Viruses
A worm's most insidious characteristic is its ability to distribute functional copies of itself
to other computer systems. While viruses rely on attaching to another program to be
executed, worms are free agents that roam independently through networks, propagating
and wreaking havoc. Mass-mailing worms still depend on the recipient opening the
attachment, but worms that exploit a flaw in a network service (the Morris worm
mentioned earlier is the classic case) need no user action at all.

The Danger of Worms:

• They spread easily. Worms' ability to spread themselves without attaching to
other programs makes their reproduction swift and their path of destruction wide.

• They are deceiving. Worms are often sent via email, disguised as a benign
attachment or game. For example, Melissa used the victim's email address book to
send itself as an email from a friend. Recipients recognized and trusted the sender
and therefore opened the attachment.

• They can cause serious damage. In recent cases, worms have carried a malicious
payload that was capable of doing serious damage to computer data. Some worms
rename and hide your files so they are inaccessible, others keep the file name and
path but overwrite the data. Files can even be replaced with versions of the worm.
Deleted files can often be retrieved later -but not so if a worm overwrites them.

• They are easy to create. The code for creating worms can be found on Web
pages and Usenet groups dedicated to the topic. For anyone who knows basic
programming and where to look for information, creating a worm is not that
difficult.

Some popular Viruses

W32.CIH.Spacefiller (a.k.a. Chernobyl)

The CIH virus, also known as Chernobyl, was first discovered in June 1998 in Taiwan.
CIH is a destructive virus with a payload that destroys data.
Virus also known as: Chernobyl, PE_CIH, Win95.CIH, Win32.CIH, W95/CIH.1003, CIH.Spacefiller
Systems affected: Windows 95, Windows 98, Windows Me
Systems not affected: DOS, Linux, Macintosh, OS/2, UNIX, Windows 2000, Windows NT, Windows XP
Payload: Destroys data and may corrupt the flash BIOS

Details

CIH is a virus that infects 32-bit Windows 95/98/NT executable (PE) files, but can
function only under Windows 95/98 and Me. It does not function under Windows NT or
Windows 2000. When an infected program is run under Windows 95/98/Me, the virus
becomes resident in memory.
Although Windows NT executables use the same PE format and can be infected, the virus
cannot become resident or infect files on a computer running Windows NT or Windows
2000. It does not function under DOS, Windows 3.1, or on Macintosh computers. Once
resident, CIH infects other PE files as they are accessed.
Files infected by CIH may keep the same size as the originals, because of CIH's unusual
infection mode: the virus searches for empty, unused spaces (cavities) in the file, breaks
itself into smaller pieces and inserts its code into those spaces, hence the name
Spacefiller. When NAV repairs a file infected by CIH, it looks for these small pieces and
removes them from the file.
The payload, which in the best-known variant triggers on April 26 (the anniversary of the
Chernobyl accident, hence the nickname), has two parts. The first overwrites the hard
disk with random data, starting at the beginning of the disk (sector 0), in an endless loop
that stops only when the system crashes. As a result the computer will no longer boot
from the hard disk, and the data that has been overwritten will be very difficult or
impossible to recover; you must restore it from backups. The second part tries to cause
permanent damage to the computer by attacking the flash BIOS (the firmware that
initializes the system and manages the data flow between devices such as the hard drive,
serial and parallel ports and the keyboard) and corrupting the data stored there. If that
succeeds, nothing is displayed when you start the computer, and a technician has to
reprogram or replace the BIOS chip.

Recommended removal procedure

The easiest way to remove this virus is to run the CIH removal tool and then scan with
NAV. The CIH removal tool detects and removes all known strains of the W95.CIH
(Chernobyl) virus from memory in Windows 95 and Windows 98. If you run the tool before
the virus infects your system, it inoculates the computer's memory to prevent W95.CIH
from infecting the system until the next restart.

Download:
ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions/norton_antivirus/kill_cih.exe

Win32/Explore.Zip Virus
ExploreZip is a Trojan horse, since it initially requires a victim to open or run an email
attachment in order for the program to install a copy of itself and enable further
propagation.

Systems affected: Machines running Windows 95, Windows 98, or Windows NT. Machines with
filesystems and/or shares that are writable by a user of an infected system.

Payload: The program searches local and networked drives (drive letters C through Z) for
specific file types and attempts to erase the contents of the files, leaving a zero-byte file.

Details

Once installed, the program may also behave as a worm: it may be able to propagate
itself, without any human interaction, to other networked machines that have certain
writable shares. ExploreZip has been propagated between users in the form of email
messages containing an attached file named zipped_files.exe. Some email programs
display this attachment with a "WinZip" icon. The body of the email message usually
appears to come from a known correspondent and typically contains the following text:

I received your email and I shall send you a reply ASAP.
Till then, take a look at the attached zipped docs.

The subject line of the message may not be predictable and may appear to be a reply to
previous email. Opening zipped_files.exe causes the program to execute. Under some
mailer configurations a user might even open a malicious attachment automatically. When
the program is run, an error message is displayed:
Cannot open file: it does not appear to be a valid archive. If this file is part of a
ZIP format backup set, insert the last disk of the backup set and try again. Please
press F1 for help.
Payload
⇒ The program searches local and networked drives (drive letters C through Z) for
specific file types and attempts to erase the contents of the files, leaving a zero
byte file. The targets may include Microsoft Office files, such as .doc, .xls, and
.ppt, and various source code files, such as .c, .cpp, .h, and .asm.
⇒ The program may also be able to delete files that are writable to it via SMB/CIFS
file sharing. The program appears to look through the network neighborhood and
delete any files that are shared and writable, even if those shares are not mapped
to networked drives on the infected computer.
⇒ The program appears to continually delete the contents of targeted files on any
mapped networked drives.

Note: the program does not appear to delete files with the "hidden" or "system"
attribute, regardless of their extension.
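As an added triage aid (not part of the advisory text above), the following Python lists the zero-byte files with the extensions ExploreZip targets and counts them per top-level directory, which on a file server maps onto the shares the worm reached. The extension list is the one given above; the directory tree it scans is constructed in a temporary directory for the demo, and find_truncated can be pointed at a real share root.

```python
# Added example (not part of the original advisory text): an incident
# triage script for the ExploreZip payload described above.  The worm
# truncates targeted files to zero bytes rather than deleting them, so the
# fastest way to scope the damage on a suspect system is to list zero-byte
# files with the targeted extensions and note which shares they sit on.
# The extension list is the one given in the notes; the sample tree is
# constructed in a temporary directory and removed afterwards.

import os
import shutil
import stat
import tempfile
from typing import Dict, List

TARGET_EXTS = {".doc", ".xls", ".ppt", ".c", ".cpp", ".h", ".asm"}


def find_truncated(root: str, exts=TARGET_EXTS) -> List[str]:
    """Paths (relative to root, '/'-separated) of zero-byte regular files
    with a targeted extension.  Symlinks are not followed, so a share
    mounted inside the tree is only inspected if the caller points at it."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in exts:
                continue
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_size == 0:
                hits.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(hits)


def summarize_by_directory(hits: List[str]) -> Dict[str, int]:
    """Count hits per top-level directory: on a file server this maps
    straight onto which shares the worm reached."""
    counts: Dict[str, int] = {}
    for h in hits:
        top = h.split("/", 1)[0]
        counts[top] = counts.get(top, 0) + 1
    return counts


def build_sample_tree(root: str) -> None:
    """Constructed sample: two 'shares', some intact files, some emptied."""
    files = {
        "finance/q2.xls": b"",            # emptied by the worm
        "finance/notes.txt": b"",         # zero bytes but not a targeted type
        "finance/budget.doc": b"intact document",
        "src/main.c": b"",                # emptied
        "src/util.h": b"",                # emptied
        "src/README": b"intact",
        "src/build.asm": b"mov ax, 4c00h",
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)


def demo() -> Dict[str, object]:
    """Build the sample tree in a temp dir, scan it, clean up, return results."""
    root = tempfile.mkdtemp(prefix="explorezip-triage-")
    try:
        build_sample_tree(root)
        hits = find_truncated(root)
        return {"hits": hits, "by_dir": summarize_by_directory(hits)}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
    # {'hits': ['finance/q2.xls', 'src/main.c', 'src/util.h'], 'by_dir': {'finance': 1, 'src': 2}}
```

The list of truncated files is also the restore list for the off-line backups the precautions below recommend; since the worm keeps rewriting files on mapped drives, disconnect the infected machines from the network before restoring.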
Precautions
⇒ Blocking NetBIOS traffic (TCP/UDP ports 137-139) at your network border may help
prevent propagation via shares from outside your network perimeter.
⇒ Disable file serving on workstations. You will not be able to share your files with
other computers, but you will still be able to browse and get files from servers. This
prevents your workstation from being infected via file-sharing propagation.
⇒ Maintain a regular, off-line backup cycle.

I Love You Virus

There ain't no love
in this little bug!

If you receive email with a subject line containing the phrase ILOVEYOU (all one word, no
spaces), DON'T OPEN the attachment named Love-Letter-For-You.txt.vbs.

Discovered in May 2000, this virus spread across Asia, Europe and the United States
via e-mail messages titled "ILOVEYOU." The menace clogged Web servers, overwrote
personal files and caused corporate IT managers to shut down e-mail systems.

Virus also known as I-Worm.Loveletter, IRC/Loveletter, Love Bug, LOVE-LET.VBS,
LOVE-LETTER-FOR-YOU.TXT.vbs, Loveletter, Troj/LoveLet-A, VBS.Loveletter.a,
VBS/LoveLet-A, VBS/LoveLet-B, VBS/LoveLet-C, VBS/LoveLet-E, VBS/Loveletter.a,
VBS/Loveletter.worm, VBS_LoveLetter, veryfunny.vbs, WIN-BUGSFIX.EXE

How to keep yourself uninfected by this bug

Of course, first and foremost, never open any email attachment that you are uncertain of.
That said, I strongly recommend that if you do not use Visual Basic scripting (most
don't), you should turn this option off. To do so:
⇒ Click your start button
⇒ Click on Settings
⇒ Click on Control Panel
⇒ Double-Click on the Add/Remove Programs icon
⇒ Click on the Windows Setup tab
⇒ Click on Accessories to obtain the details
⇒ Uncheck Windows Scripting Host if it is checked
⇒ Click "ok" to save any changes
Remember, the above will only protect you from the ILOVEYOU virus and its variants. Other
viruses can still get to your computer.

If you think you are infected


By now all the anti-virus companies have updates for the ILOVEYOU bug and can detect
whether your computer is infected.

If your computer is infected you can delete the following files from your infected system:

⇒ MSKernel32.vbs in the Windows System directory
⇒ Win32DLL.vbs in the Windows directory
⇒ LOVE-LETTER-FOR-YOU.TXT.vbs in the Windows System directory
⇒ WinFAT32.EXE in the Internet download directory
⇒ script.ini in the mIRC directory
MELISSA
Virus also known as W97M.Melissa.A, W97M.Melissa.Variant
Type Macro, worm
Payload Trigger Opening or closing infected documents

Payload

o Large scale e-mailing: Attempts to mail itself to up to 40 entries in the
Outlook address book
o Modifies files: Deletes files from the root directory of drives F, H, I, L, M,
N, O, P, Q, S, X, and Z

Distribution

• Subject of email: My pictures USERNAME
• Target of infection: Word documents and the normal template

Details
As its primary payload, the virus attempts to use Microsoft Outlook to email a copy of
the infected document to up to 40 other people. When a user opens or closes an infected
document, the virus first checks to see if it has done this mass emailing once before by
checking the following registry key:

HKEY_CURRENT_USER\Software\Microsoft\Office\ with an "MP?" value.

If this key has a value "MP" set to the value "...by 22" then the mass emailing has been
done previously from the current machine. The virus will not attempt to do the mass
mailing a second time if it has already been done from this machine.

If it does not find the registry entry, it will do the email payload just like
W97M.Melissa.A. The difference is that it only sends to up to 40 addresses, the subject
line is "My Pictures USERNAME" where USERNAME is taken from a Microsoft Word
setting, and the email message is now blank.

The second payload now replaces the currently selected text of the document with:
Opening Microsoft Outlook...
Hint: Get Norton 2000 not McAfee 4.02

It also displays a message box with the following message:

Please Check Your OutLook Inbox E-Mail!

This variant also has a malicious payload that attempts to delete files from the root
directory of drives F, H, I, L, M, N, O, P, Q, S, X, and Z.

Removal
The additional Windows Registry value presents no harm. In fact, if it is already set to "by
22", it will prevent the mass emailing. If you'd like, you can easily remove this registry
value using the Windows REGEDIT utility.

Pretty Park
This worm program behaves similarly to Happy99 Worm. It was originally spread by
email. When the attached program file, PrettyPark.exe, is executed, it may display the 3D
pipe screen saver.

Virus also known as Trojan Horse, W32.PrettyPark, Trojan.PSW.CHV, CHV,
W32/Pretty.worm.unp, I-Worm.PrettyPark [Kaspersky],
W32/Pretty.gen@MM [McAfee], W32/Pretty [Sophos],
WORM_PRETTYPARK [Trend]

Type Worm

Systems affected Windows 95, Windows 98,Windows Me

Systems not affected DOS, Linux, Macintosh, OS/2, UNIX, Windows 2000,
Windows NT, Windows XP

Payload Dial-up Passwords, System Information, ICQ Information,
Allows remote receipt, creation, deletion, and execution of
files

Distribution

• Subject of email: C:\CoolProgs\Pretty Park.exe
• Name of attachment: PrettyPark.EXE
• Size of attachment: 37,376 bytes
• Target of infection: Windows Registry

Details
PrettyPark.Worm is a worm that performs similarly to Happy99.Worm. This worm was
originally spread through a mass emailing. The program file attached to these emails is
named PrettyPark.exe. When PrettyPark.exe is executed, it may display the Windows 3D
Pipes screen saver. It also does the following:

• It creates a file named Files32.vxd in the \Windows\System folder.
• It modifies the (Default) value from "%1" %* to FILES32.VXD "%1" %* in the
following registry key:

HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command
• It tries to email itself, every 30 minutes, to addresses in your Internet address
book.
• It tries to connect to an IRC server and join a specific IRC channel. If it is
successful, the worm sends information to this IRC channel every 30 seconds to
keep itself connected and to retrieve any commands. By using IRC, the author or
distributor of the worm can access information on your system including:
• Computer name
• Product name
• Product identifier
• Product key
• Registered owner
• Registered organization
• System root path
• Version number
• ICQ identification numbers
• ICQ nicknames
• Your email address
• Dial-Up networking user name and passwords

In addition, being connected to IRC opens a security hole in which your computer
can potentially be used to receive and execute files.
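The registry change described above is what makes Pretty Park run ahead of every program launch, so checking that value is a quick integrity test. The script below is an added example (not Symantec's tool or code from this document): it classifies the (Default) value of the exefile open command, with the live winreg read only usable on Windows.

```python
"""Check whether the exefile open command has been hijacked in the way Pretty
Park does, by prepending FILES32.VXD to the (Default) value."""
import re
import sys

# Registry path from the description above (under HKEY_LOCAL_MACHINE).
EXEFILE_KEY = r"Software\Classes\exefile\shell\open\command"
# A clean Windows system launches an .exe with exactly this command.
CLEAN_COMMAND = '"%1" %*'


def classify_exefile_command(value: str) -> str:
    """Return 'clean', 'prettypark' or 'unknown' for an exefile open command.

    'unknown' means some other program has wrapped .exe launches; that is not
    necessarily malicious, but it deserves a look.
    """
    normalized = " ".join(value.split())  # collapse whitespace only
    if normalized == CLEAN_COMMAND:
        return "clean"
    # The worm writes FILES32.VXD "%1" %*; also accept a full path or other
    # letter case, since the file system and registry are case-insensitive.
    if re.match(r'^(?:.*\\)?files32\.vxd\s+"%1"\s+%\*$', normalized, re.I):
        return "prettypark"
    return "unknown"


def read_exefile_command() -> str:
    """Read the live (Default) value on Windows (ImportError elsewhere)."""
    import winreg  # standard library, Windows only
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, EXEFILE_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "")  # "" names the (Default) value
        return value


if __name__ == "__main__":
    try:
        print(classify_exefile_command(read_exefile_command()))
    except ImportError:
        print("winreg not available: run this on Windows", file=sys.stderr)
```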

Removal Tool

The easiest way to remove this worm is to use the Fix PrettyPark.Worm tool.
Download:
http://service1.symantec.com/sarc/sarc.nsf/info/html/fix.prettypark.html

Code Red Worm


The CodeRed Worm affects Microsoft Index Server 2.0 and the Windows 2000 Indexing
service on computers running Microsoft Windows NT 4.0 and Windows 2000, which run
IIS 4.0 and 5.0 Web servers. The worm uses a known buffer overflow vulnerability
contained in the Idq.dll file. Information about this vulnerability and a Microsoft patch are
located at: http://www.microsoft.com/technet/security/bulletin/MS01-033.asp.
Virus also known as W32/Bady, I-Worm.Bady, Code Red, CodeRed,
W32/Bady.worm

Type Worm

Systems affected Microsoft IIS

Payload Degrades performance, spawns multiple threads and
uses bandwidth, Causes system instability

Distribution

Target of infection: Unpatched systems running Microsoft Index 2.0 or Windows 2000
Indexing Service.

Details
The worm sends its code as an HTTP request. The HTTP request exploits a known
buffer-overflow vulnerability, which allows the worm to run on your computer. The
malicious code is not saved as a file, but is inserted into and then run directly from
memory.
Once run, the worm checks for the file, C:\Notworm. If this file exists, the worm does not
run and the thread goes into an infinite sleep state.
If the C:\Notworm file does not exist, then new threads are created. If the date is before
the 20th of the month, the next 99 threads attempt to exploit more computers by targeting
random IP addresses. To avoid looping back to infect the source computer, the worm will
not make HTTP requests to the IP addresses 127.*.*.*.
If the default language of the computer is American English, further threads cause Web
pages to appear defaced. First, the thread sleeps for two hours, and then hooks a function,
which responds to the HTTP requests. Instead of returning the correct Web page, the
worm returns its own HTML code.
The HTML displays:
Welcome to http:// www.worm.com !
Hacked By Chinese!
This hook lasts for 10 hours and is then removed. However, re-infection or other threads
can rehook the function.
Two versions of this worm have been in the wild. The second version does not cause the
Web pages to be defaced.

Also, if the date is between the 20th and 28th of the month, the active threads then
attempt a Denial of Service (DoS) attack on a particular IP address, by sending large
amounts of junk data to port 80 (Web service) of 198.137.240.91, which was
www.whitehouse.gov. This IP address has been changed and is no longer active.
Finally, if the date is later than the 28th of the month, the worm's threads are not run, but
are directed into an infinite sleep state. This multiple-thread creation can cause computer
instability.
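Because the worm's code is never written to disk, the IIS Web log is the most practical place to see an infection attempt: a request to the Idq.dll ISAPI extension (which serves .ida and .idq resources) with a query far longer than any real Index Server query. The detector below is an added example, not part of this document or of Symantec's tool; the log lines are constructed in IIS W3C format and the 200-character threshold is an assumption.

```python
"""Flag HTTP requests shaped like the Code Red overflow request in IIS W3C
log lines: a .ida/.idq URI with an overlong or %u-encoded query string."""
import re

# Constructed sample log lines (W3C extended format, fields:
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status).
# The long query is a run of filler characters plus %u-encoded NOPs, not real shellcode.
SAMPLE_LOG = """\
2001-07-19 10:15:22 10.0.0.5 GET /default.ida {n} 80 - 10.0.0.9 200
2001-07-19 10:15:23 10.0.0.5 GET /index.htm - 80 - 10.0.0.7 200
2001-07-19 10:15:24 10.0.0.5 GET /search.idq CiRestriction=report 80 - 10.0.0.7 200
2001-07-19 10:15:25 10.0.0.5 GET /x.idq {n} 80 - 10.0.0.9 500
""".format(n="N" * 224 + "%u9090%u9090")

IDQ_EXT = re.compile(r"\.id[aq]$", re.IGNORECASE)  # resources handled by Idq.dll
MAX_SANE_QUERY = 200  # assumed threshold; legitimate index queries are short


def parse_w3c_line(line):
    """Split one W3C log line into the fields the detector needs (or None)."""
    fields = line.split()
    if len(fields) != 10:
        return None
    return {"time": fields[1], "method": fields[3], "stem": fields[4],
            "query": "" if fields[5] == "-" else fields[5],
            "client": fields[8], "status": fields[9]}


def is_codered_like(rec):
    """True when the request hits the Idq.dll handler with an overlong or
    %u-encoded query, the shape of the buffer-overflow request."""
    if not IDQ_EXT.search(rec["stem"]):
        return False
    query = rec["query"]
    return len(query) > MAX_SANE_QUERY or "%u" in query.lower()


def find_codered_requests(log_text):
    """Return (client IP, URI stem) for every suspicious request in the log.

    A 200 status on such a request is the worrying case: an unpatched server
    accepted the request, and the worm then runs from memory only.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_w3c_line(line)
        if rec and is_codered_like(rec):
            hits.append((rec["client"], rec["stem"]))
    return hits


if __name__ == "__main__":
    for client, stem in find_codered_requests(SAMPLE_LOG):
        print(f"suspicious Idq.dll request from {client} to {stem}")
```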
Removal Instructions
Symantec Security Response has created a tool to perform a vulnerability assessment of
your computer and to remove the CodeRed Worm and CodeRed II.
http://www.symantec.com/avcenter/venc/data/codered.removal.tool.html

W32/Klez
Virus also known as W32/Klez.e@MM, W32/Klez.h@MM,
W32/Klez.gen@MM, WORM_KLEZ.E, WORM_KLEZ.G,
I-Worm.Klez.e, I-Worm.Klez.h, W32/Klez-E, W32/Klez-G, W32/Klez-H

Type Virus, Worm

Systems affected Windows 95, Windows 98, Windows NT, Windows 2000,
Windows XP, Windows Me

Systems not affected DOS, Linux, Macintosh, Novell Netware, OS/2, UNIX

Payload Infects the system with the W32.ElKern.3326 virus
Large scale e-mailing: Emails to addresses found in the
address book

Distribution

• Subject of email: Random subject
• Name of attachment: Random attachment with the .BAT, .EXE, .PIF, or .SCR
extension
• Size of attachment: Approximately 60KB
• Shared drives: Infects the shared and mapped drives

Details
W32.Klez.gen@mm is a mass-mailing worm that searches the Windows address book for
email addresses and sends messages to all the recipients that it finds. The worm uses its
own SMTP engine to send the messages.
The subject and attachment name of the incoming emails are randomly chosen. The
attachment will have one of the extensions: .bat, .exe, .pif, or .scr.
The worm exploits a vulnerability in Microsoft Outlook and Outlook Express to try to
execute itself when you open or preview the message. W32.Klez.gen@mm attempts to
copy itself to all the network-shared drives that it finds.
Depending on the variant of the worm, it will drop one of the following viruses:

• W32.Elkern.3326
• W32.Elkern.3587
• W32.Elkern.4926

which then infects the system.

Email spoofing
Some variants of this worm use a technique known as "spoofing" by which the worm
randomly selects an address it finds on an infected computer. The worm uses this address
as the "From" address when it performs its mass-mailing routine. Numerous cases have
been reported in which users of uninfected computers received complaints that they sent
an infected message to another individual.
If you are using a current version of Norton AntiVirus and you have the most recent virus
definitions, and a full system scan with Norton AntiVirus, which is set to scan all the
files, does not find anything, your computer is not infected with this worm.

Removal
Symantec Security Response has developed a tool to remove all the known infections of
W32.Klez and W32.ElKern. Try this tool first, as it is the easiest way to remove the
threats.
Download tool:
http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.removal.tool.html

BugBear
• A variant of W32.Bugbear@mm.
• A mass-mailing worm that also spreads through network shares.
• Polymorphic and also infects a select list of executable files.
• Possesses keystroke-logging and Backdoor capabilities.
• Attempts to terminate the processes of various antivirus and firewall programs.

Virus also known as Win32.Bugbear.B [Computer Associates],
W32/Bugbear.b@MM [McAfee], PE_BUGBEAR.B [Trend],
W32/Bugbear-B [Sophos], I-Worm.Tanatos.b [Kaspersky],
W32/Bugbear.B [Panda], Win32/Bugbear.B@mm [RAV]

Type Virus, Worm

Systems affected Windows 95, Windows 98, Windows NT, Windows 2000,
Windows XP, Windows Me
Systems not affected DOS, Linux, Macintosh, Novell Netware, OS/2, UNIX

Payload Large scale e-mailing: Sends itself to the email addresses
harvested from the current Inbox, as well as in the files
with the following extensions: .mmf, .nch, .mbx, .eml,
.tbb, .dbx, .ocs.
Releases confidential info: Logs keystrokes.
Compromises security settings: May allow unauthorized
access to compromised machines.
Attempts to terminate the processes of various antivirus
and firewall programs.

Distribution

• Subject of email: Varies
• Name of attachment: Varies, with double extension ending in .exe, .scr, or .pif.
• Size of attachment: 72,192 bytes
• Ports: 1080
• Shared drives: Copies itself to accessible shares.
• Target of infection: Infects a specific list of PE files.

Details
When W32.Bugbear.B@mm runs, it copies itself to the \Startup folder as a filename,
which is composed of a few characters, such as ????.exe, where the question mark
symbol (?) represents the letters that the worm chooses.
For example, the worm may copy itself as:

• C:\Windows\Start Menu\Programs\Startup\Cyye.exe when it runs on a Windows
95/98/Me-based system.
• C:\Documents and Settings\<current user name>\Start
Menu\Programs\Startup\Cti.exe when it runs on a Windows NT/2000/XP-based
system.

Mass-mailing routine
When the mass-mailing routine runs, it does the following:

1. Searches for the email addresses in the current Inbox, as well as in the files with
the following extensions:
• .mmf, .nch, .mbx, .eml, .tbb, .dbx, .ocs

2. Retrieves the current user's email address and SMTP server from the registry key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Account
Manager\Accounts

3. Uses its own SMTP engine to send itself to all the email addresses it finds. As
part of the routine, the worm spoofs the From: address.

The worm can reply or forward an existing message, or create a new message with one of
the following subject lines:

• Hello!
• update
• hmm..
• Payment notices
• Just a reminder
• Correction of errors
• history screen
• Announcement
• various
• Introduction
• Interesting...
• I need help about script!!!
• Stats
• Please Help...
• Report
• Membership Confirmation
• Get a FREE gift!
• Today Only
• New Contests
• Lost & Found
• bad news
• wow!
• fantastic
• click on this!
• Market Update Report
• empty account
• My eBay ads
• Cows
• 25 merchants and rising
• CALL FOR INFORMATION!
• new reading
• Sponsors needed
• SCAM alert!!!
• Warning!
• its easy
• free shipping!
• News
• Daily Email Reminder
• Tools For Your Online Business
• New bonus in your cash account
• Your Gift
• Re:
• $150 FREE Bonus!
• Your News Alert
• Hi!
• Get 8 FREE issues - no risk!
• Greets!

For the attachment filename, the worm uses filenames in the My Documents folder
location, which have one of the following extensions:

• .reg
• .ini
• .bat
• .diz
• .txt
• .cpp
• .html
• .htm
• .jpeg
• .jpg
• .gif
• .cpl
• .dll
• .vxd
• .sys
• .com
• .exe
• .bmp

Then, the filename is concatenated with one of the following extensions:

• .scr
• .pif
• .exe

In addition, the filename can consist of one of the following words:

• readme
• Setup
• Card
• Docs
• news
• image
• images
• pics
• resume
• photo
• video
• music
• song
• data

The content type of the message is matched to the file type, and can be one of the
following:

• text/html
• text/plain
• application/octet-stream
• image/jpeg
• image/gif

Finally, the email message may be composed with or without using the Incorrect MIME
Header Can Cause IE to Execute E-mail Attachment vulnerability to automatically
execute on a vulnerable system.
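The attachment naming scheme above (a document-looking name or lure word, then a second executable extension, with a content type that matches the decoy rather than the executable) is something a mail gateway can check. The following is an added example, not code from this document or from any vendor: its word and extension lists are copied from the lists above, and the sample names are constructed.

```python
"""Heuristics for attachment names built the way the Bugbear.B mass-mailer
builds them, and for the MIME content type declared for such an attachment."""
import os

# Decoy (inner) extensions and lure words, taken from the lists in the text.
DECOY_EXTS = {".reg", ".ini", ".bat", ".diz", ".txt", ".cpp", ".html", ".htm",
              ".jpeg", ".jpg", ".gif", ".cpl", ".dll", ".vxd", ".sys", ".com",
              ".exe", ".bmp"}
LURE_WORDS = {"readme", "setup", "card", "docs", "news", "image", "images",
              "pics", "resume", "photo", "video", "music", "song", "data"}
# Final extension the worm appends; these all execute when opened on Windows.
EXEC_EXTS = {".scr", ".pif", ".exe"}
# Content types the worm pairs with the decoy file type instead of the executable.
DECOY_CONTENT_TYPES = {"text/html", "text/plain", "image/jpeg", "image/gif"}


def split_extensions(name):
    """'notes.txt.pif' -> ('notes', ['.txt', '.pif']); extensions lower-cased."""
    base, exts = name, []
    while True:
        stem, ext = os.path.splitext(base)
        if not ext or not stem:
            break
        exts.insert(0, ext.lower())
        base = stem
    return base, exts


def attachment_risk(name):
    """Return 'double-extension', 'lure-word', 'executable' or 'ok'.

    Only names whose final extension executes are of interest; among those, a
    decoy inner extension or a bare lure word is the worm's own pattern.
    A legitimate setup.exe also scores 'lure-word', so this is a triage hint.
    """
    base, exts = split_extensions(name)
    if not exts or exts[-1] not in EXEC_EXTS:
        return "ok"
    if len(exts) >= 2 and exts[-2] in DECOY_EXTS:
        return "double-extension"
    if base.lower() in LURE_WORDS:
        return "lure-word"
    return "executable"


def mime_mismatch(name, content_type):
    """True when an executable attachment is declared as text or an image, the
    mismatch that the incorrect-MIME-header vulnerability above turns into
    automatic execution."""
    _, exts = split_extensions(name)
    return (bool(exts) and exts[-1] in EXEC_EXTS
            and content_type.lower() in DECOY_CONTENT_TYPES)
```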
Local and network file infection
The worm will also infect the files on the local and network shares, which match the
following filenames. The worm appends itself and is polymorphic.

• scandskw.exe
• regedit.exe
• mplayer.exe
• hh.exe
• notepad.exe
• winhelp.exe
• Internet Explorer\iexplore.exe
• adobe\acrobat 5.0\reader\acrord32.exe
• WinRAR\WinRAR.exe
• Windows Media Player\mplayer2.exe
• Real\RealPlayer\realplay.exe
• Outlook Express\msimn.exe
• Far\Far.exe
• CuteFTP\cutftp32.exe
• Adobe\Acrobat 4.0\Reader\AcroRd32.exe
• ACDSee32\ACDSee32.exe
• MSN Messenger\msnmsgr.exe
• WS_FTP\WS_FTP95.exe
• QuickTime\QuickTimePlayer.exe
• StreamCast\Morpheus\Morpheus.exe
• Zone Labs\ZoneAlarm\ZoneAlarm.exe
• Trillian\Trillian.exe
• Lavasoft\Ad-aware 6\Ad-aware.exe
• AIM95\aim.exe
• Winamp\winamp.exe
• DAP\DAP.exe
• ICQ\Icq.exe
• kazaa\kazaa.exe
• winzip\winzip32.exe


Network share infection
The worm enumerates all the network shares and computers and attempts to copy
itself to those shares. Also, the worm attempts to copy itself to the Windows
Startup folder located on remote systems.

The worm does not differentiate between computers and printers. Thus, the worm
will inadvertently attempt to queue itself as a print job on network-shared printers.

Backdoor routine
The worm also opens a listening port on port 1080. The worm's creator can connect to
this port and perform the following actions:

• Delete files.
• Terminate processes.
• List processes and deliver the list to the worm's creator.
• Copy files.
• Start processes.
• List files and deliver the list to the worm's creator.
• Deliver intercepted keystrokes to the worm's creator in an encrypted form. This
action could release confidential information typed on a computer (passwords,
login details, and so on).
• Deliver the system information to the worm's creator in the following form:
• User: <user name>
• Processor: <type of processor used>
• Windows version: <Windows version, build number>
• Memory information: <Memory available, and so on>
• Local drives, their types (for example, fixed/removable/RAM disk/CD-
ROM/remote), as well as their physical characteristics.

Removal
Symantec Security Response has created a tool to remove
W32.Bugbear.B@mm, which is the easiest way to remove this threat.
Download tool:
http://securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b@mm.removal.tool.html
