1. Win32.Worm.Korgo.R
...ed for the presence of "ID" string; if it doesn't exist it is initialized with a string of 13 to 20 random characters.
Then it checks for "Windows Update" string in "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" key and if it doesn't exist it cr...
2. Win32.Wallon.A@mm
...plorer start page and default search with:
http://www.google.com.super-fast-search.apsua.com/fast-find.htm
http://www.google.com.super-fast-search.apsua.com/search.htm
And will also create 5 buttons in Internet Explorer (named search, ENTERTAINMENT, PILLS, ...
3. Win32.Worm.Korgo.P
...ed for the presence of "ID" string; if it doesn't exist it is initialized with a string of 10 to 20 random characters.
Then it checks for "Windows Update" string in "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" key and if it doesn't exist it cr...
4. Win32.Yahaa.D@mm
... xxxx is the randomly generated string from above. It will also drop a file xxxx.txt in the Windows directory, where xxxx is the same string as above. This file contains a text written by the author.
Finally the worm checks to see if the host computer is connected to ...
5. Win32.Atak.B@mm
...er"
There is also another string - an encrypted one - discovered in both versions, namely:
"Developed by Melhacker(TM) for personal research only."
The string was found at offset 0xA238 (41528) in the unpacked file:
The encryption is weak: all bits...
6. Win32.MyLife.I@mm
...This is another mass-mailer in the Win32.MyLife series, that spreads by e-mail (using Microsoft Outlook) to the user's contacts.
It was written in Visual Basic and packed using UPX.
It arrives as an attachment to an e-mail message in this format:
Sub...
7. Win32.Moe.A@mm
...ent the file infector part is searching in Windows directory for a file with a name randomly generated from the following string:
leginolasoPeyeguiEsmtpeglAdklityghbcxskalBxvqe
ex:
legin.exe
egino.exe
uiEsm.exe, etc
If it finds it exec...
8. Win32.Netsky.T@mm
... and encrypted hardcoded text string exists in the worm body:
"Now we have programmed our backdoor, it cannot be used for spam relaying,only for Skynet distribution,
our advice: educate the users or update the smtp protocol, and heuristics cannot detect Skyne...
9. Win32.MyDoom.S@mm
...resses containing several sub-strings
downloads as "winvpn32.exe" and executes it from the following addresses:
http://www.xxxxxxxxxx.com/ispy.1.jpg
http://www.xxxxxxxxxx.com/coco3.jpg
http://www.xxxxxxxxxx.com/guestbook/temp/temp587.gif
http://xxxxxxxxx...
10. Win32.Cult.B@mm
...lAtlantic.net, Email.com
%rndstring% is a randomly generated string.
The worm sends itself through e-mail under the following format:
From %name% %name@%rndserver%
%name% is a string randomly chosen from the following list:
Ellen, John, Sandra, Kaylee, Sandy, Mo...