HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.FakeAV.104 (B) (Emsisoft), Fake-AV.Win32.FakeRean.2.FD, FakeAVWin32FakeRean.YR (Lavasoft MAS)
Behaviour: Trojan, Fake-AV
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: c766a59f7fb007cc31be48e30eb8b762
SHA1: 91a701cc572465240f94486f66687c0d4430c592
SHA256: d941f507ad0a7951da7c8a363a39a33a416aff90718d59a17fd50b56be48ca2d
SSDeep: 3072:6oWgx00cYK0wXx eZ7/VYNDa9CIjfEZwrJk Y0mQpE15XI pm0auT1xu78vXg17J:6oz03YO 8/iNoC8r6axpu4 pVRo8X1ch
Size: 274624 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualCv71EXE, MicrosoftVisualCv70, UPolyXv05_v6
Company: Slimware Utilities, Inc.
Created at: 2012-12-22 11:37:06
Analyzed on: WindowsXP SP3 32-bit
Summary: Fake-AV. FakeAV programs generate exaggerated threat reports on the compromised computer and then ask the user to purchase a registered version to remove the reported threats. This sample carries both halves of that scheme in its own strings (see Strings from Dumps below): a catalogue of vendor-style detection names to display, and a license-key prompt.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Fake-AV creates the following process(es):
%original file name%.exe:1800
The Fake-AV injects its code into the following process(es):
fmi.exe:1824
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1800 makes changes in the file system.
The Fake-AV creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\fmi.exe (274 bytes)
The process fmi.exe:1824 makes changes in the file system.
The Fake-AV creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Templates\1pb78m8n6he1l1565b3k36w7o7of8ksb88y53s63tpqg0vl (191 bytes)
%Documents and Settings%\All Users\Application Data\1pb78m8n6he1l1565b3k36w7o7of8ksb88y53s63tpqg0vl (191 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\1pb78m8n6he1l1565b3k36w7o7of8ksb88y53s63tpqg0vl (191 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1pb78m8n6he1l1565b3k36w7o7of8ksb88y53s63tpqg0vl (191 bytes)
The Fake-AV deletes the following file(s):
C:\%original file name%.exe (0 bytes)
Registry activity
The process %original file name%.exe:1800 makes changes in the system registry.
The Fake-AV creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C9 6F F9 40 73 25 7A BB 4C 3E 64 10 26 7E 44 07"
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
"UpdatesDisableNotify" = "1"
"FirewallOverride" = "1"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = "0"
"DoNotAllowExceptions" = "0"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"
A firewall is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
The following service is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess]
"Start" = "4"
Firewall notifications are disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"
The process fmi.exe:1824 makes changes in the system registry.
The Fake-AV creates and/or sets the following values in system registry:
[HKCU\Software\Classes\exefile\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\fmi.exe -a %1 %*"
[HKCU\Software\Classes\exefile\shell\runas\command]
"IsolatedCommand" = "%1 %*"
[HKCU\Software\Classes\exefile]
"(Default)" = "Application"
[HKCU\Software\Classes\.exe\shell\runas\command]
"IsolatedCommand" = "%1 %*"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Clients\StartMenuInternet]
"(Default)" = "IEXPLORE.EXE"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Classes\exefile\shell\open\command]
"IsolatedCommand" = "%1 %*"
[HKCU\Software\Classes\.exe\shell\runas\command]
"(Default)" = "%1 %*"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"
[HKCU\Software\Classes\exefile\shell\runas\command]
"(Default)" = "%1 %*"
[HKCU\Software\Classes\exefile]
"Content Type" = "application/x-msdownload"
[HKCU\Software\Classes\.exe\shell\open\command]
"IsolatedCommand" = "%1 %*"
[HKCU\Software\Classes\.exe]
"(Default)" = "exefile"
[HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\fmi.exe -a %Program Files%\Internet Explorer\iexplore.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKCU\Software\Classes\exefile\DefaultIcon]
"(Default)" = "%1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows]
"Identity" = "3044072876"
[HKCU\Software\Classes\.exe\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\fmi.exe -a %1 %*"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "30 A0 A4 AE 12 67 46 7C 37 E1 77 55 E5 48 CA 18"
[HKCU\Software\Classes\.exe\DefaultIcon]
"(Default)" = "%1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Classes\.exe]
"Content Type" = "application/x-msdownload"
The Fake-AV writes the Internet Explorer zone-map settings that decide which hosts fall into the Local Intranet zone. UNC paths are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
Sites that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
Dotless host names are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
These three ZoneMap values are the standard Local Intranet checkbox settings and are commonly written when Internet Explorer initializes its zone map, so on their own they are weak indicators. The proxy changes are the meaningful part: ProxyEnable is cleared and, as listed below, AutoConfigURL, ProxyServer and ProxyOverride are deleted, so the hijacked browser's traffic no longer goes through any configured proxy.
To run at each logon, the Fake-AV writes the following value to the autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe" = "%System%\ctfmon.exe"
The value names the legitimate %System%\ctfmon.exe, not the Fake-AV's own file. Persistence comes from the .exe and exefile open commands above: every .exe launch, this one included, now runs "fmi.exe -a <program>", so the Fake-AV starts first and the -a argument carries the program the user (or the Run key) actually asked for. The StartMenuInternet entry redirects the Start-menu launch of Internet Explorer the same way.
The Fake-AV deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
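The registry list above mixes three kinds of entries: side effects of ordinary Windows API calls (the RNG seed, Shell Folders, the WinInet cache paths), defence-evasion writes (Security Center overrides, firewall off, the SharedAccess service disabled) and the .exe association hijack that gives the Fake-AV control of every program launch. The following Python script is an added example, not Lavasoft's code: it parses report-style registry lines and sorts them into those categories, then pairs the Run entry with the hijack so the effective autostart target is visible. REPORT_LINES is a constructed subset copied from the section above; the noise list, the rule set and the category names are the author's assumptions.

```python
"""Triage of the registry changes listed in this report.

Added example, not Lavasoft's code. REPORT_LINES is a constructed subset of
the 'Registry activity' section; NOISE_MARKERS, the category rules and the
names are the author's assumptions.
"""
import re
from collections import defaultdict

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"(.+?)"\s*=\s*"(.*)"$')

# Constructed input: report lines, copied verbatim.
REPORT_LINES = r'''
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C9 6F F9 40 73 25 7A BB 4C 3E 64 10 26 7E 44 07"
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
"AntiVirusDisableNotify" = "1"
"FirewallDisableNotify" = "1"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
[HKLM\System\CurrentControlSet\Services\SharedAccess]
"Start" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKCU\Software\Classes\exefile\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\fmi.exe -a %1 %*"
[HKCU\Software\Classes\.exe\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\fmi.exe -a %1 %*"
[HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\fmi.exe -a %Program Files%\Internet Explorer\iexplore.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe" = "%System%\ctfmon.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
'''

# Keys Windows rewrites as a side effect of ordinary API calls (CryptGenRandom
# reseeds RNG\Seed, SHGetFolderPath refreshes Shell Folders, WinInet sets up
# its cache paths). Assumption: treat as noise unless corroborated.
NOISE_MARKERS = (r'\Cryptography\RNG', r'\Explorer\Shell Folders',
                 r'\Internet Settings\Cache\Paths', r'\Internet Settings\Connections')

SECURITY_CENTER_FLAGS = {'AntiVirusOverride', 'AntiVirusDisableNotify', 'FirewallOverride',
                         'FirewallDisableNotify', 'UpdatesDisableNotify'}


def parse_registry_report(text):
    """Turn '[key]' and '"name" = "value"' lines into (key, name, value) triples."""
    entries, key = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            entries.append((key, m.group(1), m.group(2)))
    return entries


def hijacker_from_command(value):
    """Executable that a shell\\open\\command really runs, or None when it is
    the stock '"%1" %*' (run the clicked file itself with its arguments)."""
    cmd = value.strip().lstrip('"')
    if cmd.startswith('%1'):
        return None
    m = re.match(r'(.+?\.exe)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def classify(entries):
    f = defaultdict(list)
    for key, name, value in entries:
        k = key.lower()
        if any(marker.lower() in k for marker in NOISE_MARKERS):
            f['noise'].append((key, name))
        elif 'security center' in k and name in SECURITY_CENTER_FLAGS and value == '1':
            f['defense_evasion'].append((key, name, value))
        elif 'firewallpolicy' in k and name == 'EnableFirewall' and value == '0':
            f['defense_evasion'].append((key, name, value))
        elif k.endswith(r'\services\sharedaccess') and name == 'Start' and value == '4':
            f['defense_evasion'].append((key, name, 'service disabled'))
        elif k.endswith(r'\shell\open\command'):
            hijacker = hijacker_from_command(value)
            if hijacker:
                f['hijack'].append((key, hijacker))
        elif k.endswith(r'\currentversion\run'):
            f['autorun'].append((name, value))
        elif 'internet settings' in k and name == 'ProxyEnable' and value == '0':
            f['proxy_tamper'].append((key, name, value))
        else:
            f['other'].append((key, name, value))
    # A Run entry that names a legitimate .exe still starts the hijacker once
    # the exefile / .exe association is redirected, so report the pair.
    exe_hijackers = {h for key, h in f['hijack']
                     if '\\classes\\exefile\\' in key.lower() or '\\classes\\.exe\\' in key.lower()}
    for _name, target in f.get('autorun', []):
        if exe_hijackers and target.lower().endswith('.exe'):
            f['effective_autostart'].append((target, sorted(exe_hijackers)))
    return dict(f)


if __name__ == '__main__':
    for category, items in classify(parse_registry_report(REPORT_LINES)).items():
        print(f'{category}:')
        for item in items:
            print('   ', item)
```

Run stand-alone it prints the two noise entries, five defence-evasion writes, three hijacked open commands (all pointing at fmi.exe), the ctfmon.exe autorun and the effective autostart pair. Feed it the full section from a report and the "other" bucket is what remains to be looked at by hand.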
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1800
fmi.exe:1824
- Delete the original Fake-AV file.
- Restore the .exe file association before removing fmi.exe. Every .exe launch currently goes through "fmi.exe -a %1 %*"; if fmi.exe disappears first, no program (Task Manager and Registry Editor included) will start. The Fake-AV placed its overrides in the per-user hive, so deleting these keys lets the machine-wide defaults ("%1" %*) apply again:
[HKCU\Software\Classes\.exe]
[HKCU\Software\Classes\exefile]
Also restore the Internet Explorer launcher it redirected:
[HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
"(Default)" = "%Program Files%\Internet Explorer\iexplore.exe"
- Delete or disinfect the following files created/modified by the Fake-AV:
%Documents and Settings%\%current user%\Local Settings\Application Data\fmi.exe (274 bytes)
%Documents and Settings%\%current user%\Templates\1pb78m8n6he1l1565b3k36w7o7of8ksb88y53s63tpqg0vl (191 bytes)
%Documents and Settings%\All Users\Application Data\1pb78m8n6he1l1565b3k36w7o7of8ksb88y53s63tpqg0vl (191 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\1pb78m8n6he1l1565b3k36w7o7of8ksb88y53s63tpqg0vl (191 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1pb78m8n6he1l1565b3k36w7o7of8ksb88y53s63tpqg0vl (191 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe" = "%System%\ctfmon.exe"
The value names the legitimate ctfmon.exe and is only dangerous while the .exe association is hijacked; it is also commonly present on Windows XP as a legitimate Text Services (language bar) entry, so its presence alone is not evidence of infection.
- Re-enable the protections the Fake-AV switched off: "EnableFirewall" = "1" under both FirewallPolicy profiles, "Start" = "2" (Automatic) for the SharedAccess service, and remove the Override and DisableNotify values it wrote under [HKLM\SOFTWARE\Microsoft\Security Center].
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 35443 | 36864 | 4.56152 | f14f6ac149f4ccf5872ce617d1f6e7a0 |
.rdata | 40960 | 8172 | 8192 | 3.76252 | f7adf8d1ab2fde477bf098d1e3ed6a93 |
.data | 49152 | 8896 | 4096 | 2.45359 | 41bcbed02299352c9970270573a881af |
.vdata | 61440 | 1985010 | 217088 | 5.35219 | 401c164e967170cbe5abc5a30111139e |
.rsrc | 2048000 | 3426 | 4096 | 2.49303 | 52c30b1fb1e1f4652cc84f342fde641c |
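The summary calls the file packed (and PEiD names UPolyX), yet no section's entropy exceeds 5.4. The table explains the verdict another way: .vdata is a non-standard section whose virtual size is about nine times its raw size, space the packer stub fills with the unpacked image at run time. The following Python script is an added example, not report output: it applies those heuristics to the table rows above and shows that an entropy-only rule would have missed this sample. SECTIONS is copied from the table; the section-name whitelist and the 4x and 7.0 thresholds are the author's assumptions.

```python
"""Packer heuristics over the PE section table above.

Added example, not part of the report. SECTIONS is copied from the table;
LINKER_SECTION_NAMES and the thresholds are the author's assumptions.
"""
import math

# (name, virtual address, virtual size, raw size, entropy) from the report.
SECTIONS = [
    ('.text',  4096,    35443,   36864,  4.56152),
    ('.rdata', 40960,   8172,    8192,   3.76252),
    ('.data',  49152,   8896,    4096,   2.45359),
    ('.vdata', 61440,   1985010, 217088, 5.35219),
    ('.rsrc',  2048000, 3426,    4096,   2.49303),
]

# Names the MSVC linker emits; anything else deserves a look (assumption).
LINKER_SECTION_NAMES = {'.text', '.rdata', '.data', '.rsrc', '.reloc', '.idata',
                        '.edata', '.pdata', '.tls', '.bss', '.CRT'}


def shannon_entropy(data):
    """Bits per byte, 0.0 (constant) to 8.0 (uniform). Compressed or
    encrypted code normally sits above about 7."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def section_findings(sections, high_entropy=7.0, inflate_ratio=4.0):
    """Flag sections by name, by virtual/raw size inflation and by entropy.
    A virtual size far larger than the raw size means the loader reserves
    memory the file does not fill: the packer stub writes the unpacked image
    there at run time, which is why the dump region for fmi.exe in this
    report starts at 0x401000 and spans 0x1F4000 bytes."""
    out = []
    for name, _va, vsize, rsize, ent in sections:
        reasons = []
        if name not in LINKER_SECTION_NAMES:
            reasons.append('non-standard section name')
        if rsize and vsize / rsize >= inflate_ratio:
            reasons.append(f'virtual size is {vsize / rsize:.1f}x raw size')
        if ent >= high_entropy:
            reasons.append('high entropy')
        if reasons:
            out.append((name, reasons))
    return out


def entropy_only_verdict(sections, high_entropy=7.0):
    """What a rule that looks only at per-section entropy would say."""
    return any(s[4] >= high_entropy for s in sections)


if __name__ == '__main__':
    for name, reasons in section_findings(SECTIONS):
        print(name, '->', '; '.join(reasons))
    print('entropy-only rule says packed:', entropy_only_verdict(SECTIONS))
    # Reference points for the entropy scale, on constructed data.
    print('constant bytes:', shannon_entropy(b'A' * 4096))
    print('uniform bytes :', shannon_entropy(bytes(range(256)) * 16))
```

The size-inflation check is the one that fires here: .vdata is reported with two reasons, every other section is clean, and the entropy-only verdict is "not packed". The UPolyX-style stub keeps the compressed payload at moderate entropy, so an entropy threshold is a supplement to structural checks, not a replacement.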
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 3
a4e2543641e0484ea744bdff1c25d9f5
2f2e293c09da9bd5eb46190a2933183c
15a88fe1de85ed847c25adbb61df1f62
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Fake-AV connects to the servers at the following location(s):
Strings from Dumps
fmi.exe_1824_rwx_00401000_001F4000:
p.S
2010:06:04 04:17:53
hXXp://ns.adobe.com/xap/1.0/
2010-06-04T04:17:53.229
,!.fy
3d%D-
/X.Rp
_U$%x
(7),01444
'9=82<.342>
2010:06:04 04:07:41
2010-06-04T04:07:41.468
.IDATx
2010:06:04 04:18:38
2010-06-04T04:18:38.428
HTTP/1.0 200 OK
Date: %s
Expires: %s
Content-Type: %s
2010:06:04 04:19:08
2010-06-04T04:19:08.340
]sM-H%x
P%Sp
{]m%X-de
2010:06:04 04:19:40
2010-06-04T04:19:40.162
$%.wH
B.fAk
00000000
2010:06:04 04:20:15
2010-06-04T04:20:15.844
9%D,3
gdiplus.dll
user32.dll
wsock32.dll
ws2_32.dll
oleaut32.dll
gdi32.dll
advapi32.dll
uxtheme.dll
ole32.dll
shell32.dll
comctl32.dll
shlwapi.dll
version.dll
msimg32.dll
ntdll.dll
kernel32.dll
microsoft.com
Software\Microsoft\Windows
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
IEXPLORE.EXE
FIREFOX.EXE
%System%\ctfmon.exe
ctfmon.exe
Software\Microsoft\Windows\CurrentVersion\Run
%s\shell\%s\command
%s, %.2i %s %.4i %.2i:%.2i:%.2i GMT
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP/1.0
HTTP/1.
PSSh@
PSShY.]
PSShK
PSShE
SSSSSSh
SSSSh
`.rda
cmd.9exz>/C
URLDA
P.ah!
.text
`.rdata
@.data
.reloc
%sx.tmp
%s%sx
cmd.exe /C del /Q /F "%s"
%s%u%u.tmp
xx
msvcrt.dll
URLDownloadToFileA
urlmon.dll
WS2_32.dll
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
%WinDir%\assembly\NativeImages_v2.0.50727_32\PresentationUI\6d2716a55eb8ce6fc4cbf83f3ab329e3\
31-1003\
h1 { color: #4465A2; font-size: 1.1em; font-weight: normal; vertical-align:bottom; margin-top: 7px; margin-bottom: 4px; }h2 { font-size: 0.9em; font-weight: normal; margin-top: 20px; margin-bottom: 1px; }h3 { font-size: 0.9em; font-weight: normal; margin-top: 10px; margin-bottom: 1px; }h4 { font-size: 0.9em; font-weight: normal; margin-top: 12px; margin-bottom: 1px; }.b { vertical-align: middle; margin-top: %MF%px; margin-right: 6px; }ul, ol { font-size: 0.9em; list-style-position: outside; margin-top: 1px; margin-bottom: 1px; padding-top: 1px; padding-bottom: 1px; line-height: 1.3em; }
Windows recommend Activate %1
Trojan-BNK.Win32.Keylogger.gen
passwords.
Please write it for future using and support requests.
Your LICENSE KEY:
This Trojan steals user passwords. It is designed to steal a range of confidential information. It is a Windows PE EXE file. It is 11,269 bytes in size. It is written in Visual C .
Trojan-PSW.Win32.Coced.219
This worm is written in Visual C and is made up of two files, an executable file (EXE) and a dynamic link library (DLL), which is found within the EXE file.
Email-Worm.Win32.Eyeveg.f
This Trojan utility scans the system data files to Internet access passwords, decrypts them and sends to a specified e-mail address. It also scans the system for more private information: telephone numbers, computer name etc.
Trojan-PSW.Win32.Antigen.a
Net-Worm.Linux.Adm
Virus.BAT.Batalia1.840
Backdoor.Rbot is a family of Trojan programs for Windows, which offer the user remote access
Backdoor.Rbot.gen
This Trojan program is designed to run on smartphones running Symbian. The Trojan is a SIS installation archive. The Trojan has no self replication routine. Trojan-SMS.SymbOS.Viver.a actually covers two variants of this malicious program. The first is an archive called RulesViver.sis.
Trojan-SMS.SymbOS.Viver.a
This script for a Windows FTP client can download other executable files without the knowledge or consent of the user. It may be used to download Trojan programs to the victim machine.
Trojan-Downloader.BAT.Ftp.ab
This Trojan launches a proxy server on the victim machine without the knowledge or consent of the user. It is a Windows PE EXE file. The file is 28,796 bytes in size. It is not packed in any way. Installation When launched, the Trojan will copy its executable file as: %Program...
Trojan-Proxy.Win32.Agent.q
This Trojan will periodically load a designated web page into the browser. The Trojan itself is written in Microsoft Visual Basic and is 32768 bytes in size. Installation This Trojan uses a standard icon to mask itself as an installation program: Once launched, the Trojan copies itself to the...
Trojan-Clicker.Win32.Stixo.d
Trojan-SMS.J2ME.RedBrowser.a
This Trojan program is designed to provide remote management of systems running UNIX-type operating systems. It is a Perl scenario. It is approximately 12KB in size.
Backdoor.Perl.AEI.16
This is the second known macro virus infecting MS PowerPoint presentations. It contains five macros in one module "ShapeShift": actionhook, SlideIn, WackShape, RandomWackSlide, WackPresentation. To activate its code on a event the virus hooks MouseClick that pass control to the virus..
Macro.PPoint.ShapeShift
It is a dangerous memory resident multipartite virus. While executing an infected file the virus infects the MBR of the hard drive, as well as while loading from infected floppy disk. While loading from infected disk (MBR, boot) the virus hooks INT 13h, waits for DOS loading, and hooks INT 21h..
Virus.Boot-DOS.V.1536
Email-Worm.VBS.Peach
This Trojan launches a proxy server on the victim machine without the knowledge or consent of the user. It is a Windows PE EXE file. The file is approximately 17KB in size. It is packed using PECompact. The unpacked file is approximately 30KB in size. Installation When launched, the Trojan...
Trojan-Proxy.Win32.Agent.x
This Trojan uses spoofing technology. It is a fake HTML page. It is designed to steal confidential information from Caja Madrid clients. The Trojan arrives in the guise of an important email from Caja Madrid. The email contains a link which exploits the Frame Spoof vulnerability in Internet...
Trojan-Spy.HTML.Bankfraud.pa
The suspicious message "Exploit.CodeBaseExec" means that HTML page being scanned contains code exploiting the Microsoft Internet Explorer Arbitrary Program Execution Vulnerability, aka the Local Executable Invocation via Object tag vulnerability.
Exploit.CodeBaseExec
This program is a realized DoS attack on one of the more popular ftp-servers for Windows 95/98/NT - War-FTPD v1.70. It makes many connections to an ftp-server resulting in a denial of service. This program also can disturb the operation of other ftp's in a Unix system - wu-ftpd, proftpd,...
DoS.Win32.DieWar
This Trojan program utilizes spoofing technology. It is made as a fake HTML page. It is designed to steal information from Postbank clients. It arrives as a important message alledgedly sent by PostBank: This message contains a link to the fake page; this link exploits the Frame Spoof...
Trojan-Spy.HTML.Bankfraud.jk
This Trojan program is designed to artificially boost the number of visits to designated web sites. The Trojan itself is a Windows PE EXE file, packed using FSG. The file may be between 5KB and 36KB. Installation Once launched, the Trojan copies itself to the Windows root directory as svchost.exe
Trojan-Clicker.Win32.Small.kj
This is a dangerous non-memory resident parasitic BAT virus. It searches for .BAT files, then writes itself to the end of the file. On Mondays, the virus drops the "Whale" DOS virus.
Virus.BAT.8Fish
This is the first known macro-virus infecting Visio documents, stencils and templates (Visio is the system to create, edit and store business drawing and diagrams - see hXXp://VVV.visio.com). To automate data processing, Visio uses macro-programs written in VBA language
Macro.Visio.Radiant
It is a harmless memory resident multipartite virus. When an infected file is executed, it hooks INT 21h, infects the MBR of the hard drive and stays memory resident. When the system is loading from infected MBR, the virus hooks INT 1Ch, waits for DOS loading procedure and then hooks INT 21h.
Virus.Boot-DOS.V.1526
EICAR is a short 68-byte COM file that is detected by anti-virus programs as a virus, but is actually NOT "VIRAL" at all. When executed it just displays a message and returns control to the host program. Why is this harmless file detected as a virus? The file was created in order to demonstrate to..
This worm spreads via file-sharing networks. The worm itself is a Windows PE EXE file approximately 1274KB in size. Installation Once launched, the worm causes the following error message to be displayed: On repeated launched, the worm will cause the error message below to be displayed: When...
P2P-Worm.Win32.Franvir
This is not a dangerous nonmemory resident parasitic virus. It searches for .COM files (except COMMAND.COM) of current directory and writes itself to the end of the file. Sometimes it display: At last ...... ALIVE !!!!! I guess your computer is infected by the Big Joke Virus.
It is a harmless nonmemory resident parasitic virus. It searches for COM files (except COMMAND.COM), then writes itself to the end of the file. The virus does not manifests itself in any way, it contains the text strings: *.com COMMAND. HAPPY v1.03 (C) PROFESSOR,KPI
Worm.P2P.Duload represents a family of worms that replicate by copying themselves into a Kazaa network shared folder located on victim machines. The worm itself is a Windows application (PE EXE file) written in Visual Basic, 18432 bytes in size. Installation The worm copies itself to the Windows..
P2P-Worm.Win32.Duload.a
This is an IRC worm that spreads via mIRC channels. The worm code itself is a randomly named DOS EXE file. When it is executed, the worm copies itself with the LOA.EXE name to the Windows directory and registers this file in the system registry in the auto-run section:..
IRC-Worm.DOS.Loa
IRC-Worm.DOS.Septic
It is a harmless memory resident parasitic polymorphic virus. It writes itself to beginning of SYS and to the end of EXE files. While executing an infected EXE file the virus opens the C:\CONFIG.SYS file, scans it for the names of device drivers, infects them and returns to the host program.
It is a harmless nonmemory resident parasitic virus. It searches for COM and EXE files and infects them. It was created with Biological Warfare Mutation Engine - it is a polymorphic engine, like the MtE and TPE engines. This virus writes itself to the end of the files. It contains the text strings:...
BWME.Twelve.1378
This worm spreads via Windows Messenger. It is written in Visual Basic, and packed using UPX. The packed file is 8704 bytes in size, and the unpacked file is 24064 bytes in size. Once launched, the worm sends a messenger to all MSN Messenger contacts: "its you" The message is accompanied by the...
IM-Worm.Win32.Kelvir.k
Email-Worm.JS.Gigger
Get a copy of '
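The dump is the Fake-AV's user-facing material: a catalogue of verdict names in the Kaspersky naming scheme with encyclopedia-style descriptions, ready to be shown as "detections", plus a license-key and activation prompt. Around it sit the operational strings that match the dynamic analysis: the self-delete command (cmd.exe /C del /Q /F "%s", which is how C:\%original file name%.exe came to be deleted), URLDownloadToFileA from urlmon.dll, the %s\shell\%s\command format used to write the association hijack, the Run key, and HTTP response header templates. The following Python script is an added example, not part of the report: it turns that combination into a static verdict. DUMP is a constructed subset of the strings above; the indicator lists, the naming regex and the five-name threshold are the author's assumptions.

```python
"""Scareware indicators from a strings dump.

Added example, not part of the report. DUMP is a constructed subset of the
'Strings from Dumps' section; INDICATORS, THREAT_NAME_RE and the threshold
in scareware_verdict are the author's assumptions.
"""
import re

DUMP = [
    'HTTP/1.0 200 OK', 'Date: %s', 'Content-Type: %s',
    '%s, %.2i %s %.4i %.2i:%.2i:%.2i GMT',
    'User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
    'cmd.exe /C del /Q /F "%s"', 'URLDownloadToFileA', 'urlmon.dll',
    '%s\\shell\\%s\\command', 'Software\\Microsoft\\Windows\\CurrentVersion\\Run',
    'Windows recommend Activate %1', 'Your LICENSE KEY:',
    'Please write it for future using and support requests.',
    'Trojan-BNK.Win32.Keylogger.gen', 'Trojan-PSW.Win32.Coced.219',
    'Email-Worm.Win32.Eyeveg.f', 'Net-Worm.Linux.Adm', 'Virus.BAT.Batalia1.840',
    'Backdoor.Rbot.gen', 'Exploit.CodeBaseExec', 'DoS.Win32.DieWar',
    'Virus.Boot-DOS.V.1536', 'IEXPLORE.EXE', 'gdiplus.dll', 'kernel32.dll',
]

# Kaspersky-style verdicts: Behaviour[-Subtype].Platform.Family[.Variant].
# Assumption: the behaviour prefixes below cover what FakeAV families show.
THREAT_NAME_RE = re.compile(
    r'^(?:Trojan(?:-[A-Z][A-Za-z]+)?|Backdoor|Virus|Worm|(?:Email|Net|IRC|P2P|IM)-Worm'
    r'|Exploit|DoS|Macro)\.[A-Za-z0-9-]+(?:\.[A-Za-z0-9]+)*$')

# Substrings that, together, describe the FakeAV playbook (assumption).
INDICATORS = {
    'purchase_prompt': ('LICENSE KEY', 'Activate', 'support requests'),
    'self_delete': ('cmd.exe /C del',),
    'downloader_api': ('URLDownloadToFileA',),
    'http_response_template': ('HTTP/1.0 200 OK', 'Content-Type: %s'),
    'file_association_format': ('\\shell\\%s\\command',),
    'autorun_key': ('CurrentVersion\\Run',),
}


def extract_threat_names(strings):
    """Strings that look like vendor verdict names."""
    return [s for s in strings if THREAT_NAME_RE.match(s)]


def indicator_hits(strings):
    """Map each indicator label to the strings that triggered it."""
    hits = {}
    for label, needles in INDICATORS.items():
        matched = [s for s in strings if any(n in s for n in needles)]
        if matched:
            hits[label] = matched
    return hits


def scareware_verdict(strings, min_names=5):
    """Fake AV when the binary carries a catalogue of verdict names together
    with a purchase/activation prompt. The catalogue is the give-away: a real
    scanner's names live in its signature database, not in the UI strings of
    a 270 KB executable (assumption)."""
    names = extract_threat_names(strings)
    hits = indicator_hits(strings)
    return {
        'threat_name_catalogue': len(names),
        'indicators': sorted(hits),
        'is_fake_av': len(names) >= min_names and 'purchase_prompt' in hits,
    }


if __name__ == '__main__':
    print(scareware_verdict(DUMP))
```

On the constructed subset the script finds nine verdict names and all six indicator groups, and returns is_fake_av True; the two DLL names and IEXPLORE.EXE are not mistaken for verdicts because the regex anchors on a behaviour prefix rather than on the dotted shape alone. The same logic ported to a YARA rule would pair a handful of the names with the "LICENSE KEY" string.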