About Malware, Virus


  • 8/8/2019 About Malware,Virus

    1/123

    Three Criteria for Malware Existence

    No operating system or application is vulnerable to malicious programs unless external programs, no matter how simple, can be launched. If an external program, even the simplest, can be launched within an operating system or application, then it will be vulnerable to malicious programs. Most contemporary operating systems and applications need to work with other programs, so they do end up being vulnerable. Potentially vulnerable OSs and applications include:

    - All popular desktop operating systems
    - Most office applications
    - Most graphical editors
    - Project applications
    - Any applications with a built-in script language

    Computer viruses, worms and Trojans have been written for countless operating systems and applications. On the other hand, there are still numerous OSs and applications that are free from malware so far. Why is this so? What makes one OS more attractive to virus writers than others?

    Malware appears in any given environment when the following criteria are met:

    - The operating system is widely used
    - Reasonably high-quality documentation is available
    - The targeted system is insecure or has a number of documented vulnerabilities

    All three criteria are key factors, and all three need to be met before the given system will be targeted by virus writers.

    In the first place, in order for hackers and cyber vandals to even consider any system, the target needs to be popular enough for them to access it. Once an OS or application is widely available and marketed successfully, it turns into a viable target for virus writers.

    A quick look at the number of malicious programs written for Windows and Linux shows that the volume of malware is roughly proportional to the respective market share of these two operating systems.

    Detailed documentation is necessary for both legitimate developers and hackers, since documentation includes descriptions of available services and rules for writing compatible programs.

    For instance, most mobile phone vendors do not share this information, leaving both legitimate vendors and hackers helpless. On the other hand, some vendors of smart phones do publish their documentation. The first viruses for Symbian (Worm.SymbOS.Cabir.a) and Windows CE (WinCE.Duts.a) appeared shortly after the documentation was published in mid-2004.

    The architecture of a well-built (constructed, designed) OS or application needs to take security into account. A secure solution does not allow new or unsanctioned programs extensive access to files or potentially dangerous services. This leads to difficulties, as a fully secure system will block not only malware, but 'friendly' programs as well. As a result, none of the widely available systems can be called truly secure.

    Java machines that launch Java applications in 'sandbox' mode come close to achieving secure conditions. As a matter of fact, for a long time there were no viruses or Trojans written in Java which posed a serious threat, though non-viable proof-of-concept malware does occasionally appear. Malware written in Java appeared only when vulnerabilities in Java Virtual Machine security were discovered and publicized.

    Malicious Programs Descriptions

    Malicious programs can be divided into the following groups: worms, viruses, Trojans, hacker utilities and other malware. All of these are designed to damage the infected machine or other networked machines.

    Network Worms

    This category includes programs that propagate via LANs or the Internet with the following objectives:

    - Penetrating remote machines
    - Launching copies on victim machines
    - Spreading further to new machines

    Worms use different networking systems to propagate: email, instant messaging, file-sharing (P2P), IRC channels, LANs, WANs and so forth.

    Most existing worms spread as files in one form or another: email attachments, files sent in ICQ or IRC messages, links to files stored on infected websites or FTP servers, files accessible via P2P networks and so on.


    There are a small number of so-called fileless or packet worms; these spread as network packets and directly penetrate the RAM of the victim machine, where the code is then executed.

    Worms use a variety of methods for penetrating victim machines and subsequently executing code, including:

    - Social engineering: emails that encourage recipients to open the attachment
    - Poorly configured networks: networks that leave local machines open to access from outside the network
    - Vulnerabilities in operating systems and applications

    Today's malware is often a composite creation: worms now often include Trojan functions or are able to infect exe files on the victim machine. They are no longer pure worms, but blended threats.

    Classic Viruses

    This class of malicious programs covers programs that spread copies of themselves throughout a single machine in order to:

    - Launch and/or execute this code once a user performs a designated action
    - Penetrate other resources within the victim machine

    Unlike worms, viruses do not use network resources to penetrate other machines. Copies of viruses can penetrate other machines only if an infected object is accessed and the code is launched by a user on an uninfected machine. This can happen in the following ways:

    - The virus infects files on a network resource that other users can access
    - The virus infects removable storage media which are then attached to a clean machine
    - The user attaches an infected file to an email and sends it to a 'healthy' recipient

    Viruses are sometimes carried by worms as additional payloads, or they can themselves include backdoor or Trojan functionality which destroys data on an infected machine.

    Trojan Programs

    This class of malware includes a wide variety of programs that perform actions without the user's knowledge or consent: collecting data and sending it to a cyber criminal, destroying or altering data with malicious intent, causing the computer to malfunction, or using a machine's capabilities for malicious or criminal purposes, such as sending spam.


    A subset of Trojans damage remote machines or networks without compromising the infected machines; these are Trojans that utilize victim machines to participate in a DoS attack on a designated web site.

    Hacker Utilities and other malicious programs

    This diverse class includes:

    - Utilities such as constructors that can be used to create viruses, worms and Trojans
    - Program libraries specially developed to be used in creating malware
    - Hacker utilities that encrypt infected files to hide them from antivirus software
    - Jokes that interfere with normal computer function
    - Programs that deliberately misinform users about their actions in the system
    - Other programs that are designed to directly or indirectly damage local or networked machines

    Network Worms

    Today everyone has heard of computer worms.

    Worms can be classified according to the propagation method they use, i.e. how they deliver copies of themselves to new victim machines. Worms can also be classified by installation method, launch method and finally according to characteristics standard to all malware: polymorphism, stealth etc.

    Many of the worms which managed to cause significant outbreaks use more than one propagation method as well as more than one infection technique. The methods are listed separately below.

    - Email Worms
    - Instant Messaging Worms
    - Internet Worms
    - IRC Worms
    - File-sharing Network Worms

    Email worms

    Email worms spread via infected email messages. The worm may be in the form of an attachment, or the email may contain a link to an infected website. However, in both cases email is the vehicle.


    In the first case the worm will be activated when the user clicks on the attachment. In the second case the worm will be activated when the user clicks on the link leading to the infected site.

    Email worms normally use one of the following methods to spread:

    - Direct connection to SMTP servers using an SMTP API library coded into the worm
    - MS Outlook services
    - Windows MAPI functions
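A worm that carries its own SMTP engine bypasses the organisation's mail server entirely, and that is also what makes it visible on the network: an ordinary workstation has no reason to open TCP port 25 to many different hosts. The following Python script is an added example, not part of the original text, that runs this check over a few constructed flow-log records (timestamp, source IP, destination IP, destination port). The sanctioned relay address and the threshold of three distinct destinations are assumptions; in practice both come from the local mail architecture.

```python
from collections import defaultdict

# Constructed: the organisation's sanctioned outbound mail relay(s).
MAIL_RELAYS = {"10.0.0.25"}

# Constructed flow-log lines: timestamp, source IP, destination IP, destination port.
# 10.1.2.3 behaves normally (relay only, plus one stray); 10.1.2.9 talks SMTP to many hosts.
FLOW_LOG = """\
2019-08-08T10:00:01 10.1.2.3 10.0.0.25 25
2019-08-08T10:00:02 10.1.2.3 10.0.0.25 25
2019-08-08T10:01:00 10.1.2.9 203.0.113.7 25
2019-08-08T10:01:01 10.1.2.9 198.51.100.12 25
2019-08-08T10:01:02 10.1.2.9 192.0.2.44 25
2019-08-08T10:01:03 10.1.2.9 203.0.113.88 25
2019-08-08T10:01:04 10.1.2.9 192.0.2.45 443
2019-08-08T10:02:00 10.1.2.3 192.0.2.10 25
"""


def parse_flow(line):
    """Split one flow record; returns None for malformed lines so a bad line never aborts the scan."""
    fields = line.split()
    if len(fields) != 4 or not fields[3].isdigit():
        return None
    ts, src, dst, port = fields
    return ts, src, dst, int(port)


def direct_smtp_senders(log_text, relays=MAIL_RELAYS, threshold=3):
    """Map each source host to the sorted distinct non-relay hosts it contacted on TCP/25,
    keeping only sources that reached `threshold` or more such destinations."""
    destinations = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_flow(line)
        if rec is None:
            continue
        _, src, dst, port = rec
        if port == 25 and dst not in relays:
            destinations[src].add(dst)
    return {src: sorted(d) for src, d in destinations.items() if len(d) >= threshold}


if __name__ == "__main__":
    for host, targets in direct_smtp_senders(FLOW_LOG).items():
        print(f"{host}: direct SMTP to {len(targets)} hosts, e.g. {targets[:3]}")
```

The same logic maps onto a firewall egress rule: if only the relay may initiate port-25 connections, a mass-mailing worm fails to spread and every blocked attempt is logged with the infected host's address.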

    Email worms harvest email addresses from victim machines in order to spread further. Worms use one or more of the following techniques:

    - Scanning the local MS Outlook address book
    - Scanning the WAB address database
    - Scanning files with appropriate extensions for email address-like text strings
    - Sending copies of itself to all mail in the user's mailbox (worms may even 'answer' unopened items in the inbox)

    While these techniques are the most common, some worms even construct new sender addresses based on lists of possible names combined with common domain names.

    Instant Messaging (ICQ and MSN) Worms

    These worms have a single propagation method. They spread using instant messaging applications by sending links to infected websites to everyone on the local contact list.

    The only difference between these worms and email worms which send links is the medium chosen to send the links.

    Internet Worms

    Virus writers use other techniques to distribute computer worms, including:

    - Copying the worm to networked resources
    - Exploiting operating system vulnerabilities to penetrate computers and/or networks
    - Penetrating public networks
    - Piggy-backing: using other malware to act as a carrier for the worm

    In the first case, the worms locate remote machines and copy themselves into folders which are open for read and write access. These network worms scan all available network resources using local operating system services and/or scan the Internet for vulnerable machines. They will then attempt to connect to these machines and gain full access to them.


    In the second case, the worms scan the Internet for machines that have not been patched, i.e. have operating systems with critical vulnerabilities still open to exploitation. The worm sends data packets or requests which install either the entire body of the worm or a section of the worm's code containing downloader functionality. If this code is successfully installed, the main worm body is then downloaded. In either case, once the worm is installed it will execute its code and the cycle continues.

    Worms that use Web and FTP servers fall into a separate category. Infection is a two-stage process. These worms first penetrate service files on the file server, such as static web pages. Then the worms wait for clients to access the infected files and attack individual machines. These victim machines are then used as launch pads for further attacks.

    Some virus writers use worms or Trojans to spread new worms. These writers first identify Trojans or worms that have successfully installed backdoors on victim machines. In most cases this functionality allows the master to send commands to the victim machine: such zombies which have backdoors installed can be commanded to download and execute files, in this case copies of the new worm.

    Many worms use two or more propagation methods in combination, in order to more efficiently penetrate potential victim machines.

    IRC Worms

    These worms target chat channels, although to date few IRC worms have been detected. IRC worms also use the propagation methods listed above: sending links to infected websites or infected files to contacts harvested from the infected user. Sending infected files is less effective, as the recipient needs to confirm receipt, save the file and open it before the worm is able to penetrate the victim machine.

    File-sharing Networks or P2P Worms

    P2P worms copy themselves into a shared folder, usually located on the local machine. Once the worm has successfully placed a copy of itself under a harmless name in a shared folder, the P2P network takes over: the network informs other users about the new resource and provides the infrastructure to download and execute the infected file.

    More complex P2P worms imitate the network protocol of specific file-sharing networks: they respond affirmatively to all requests and offer infected files containing the worm body to all comers.

    1. IM-Worm.Win32.Bropia.ad

    This worm is written in Visual Basic and normally has two components: the IM-Worm itself, and a variant of Backdoor.Win32.Rbot which is embedded in the file. The backdoor is usually packed with UPX and Morphine. It will be detected as Backdoor.Win32.Rbot.gen. The worm is 188,416 bytes in size. The...

    2. IM-Worm.Win32.Bropia.aj

    This worm spreads via the Internet using MSN Messenger. It is written in Visual Basic and is approximately 200 KB in size. The worm contains a backdoor program, Backdoor.Win32.Rbot.hg, which it will extract from itself and launch on the victim machine. Installation: Once launched, the worm copies...

    3. IM-Worm.Win32.Funner

    This worm spreads via the Internet using MSN Messenger to propagate. It is written in Visual Basic. It is approximately 56KB in size, and packed using ASP. The unpacked file is approximately 306KB in size. Installation: Once launched, the worm copies itself to the Windows system directory under the...

    4. IM-Worm.Win32.Jitux

    Jitux is an Internet worm that spreads via the MSN Messenger system. It is written in Visual Basic and its size is about 24KB. The worm sends messages with the URL of the downloadable version of the worm. Once the worm is launched, it scans the victim's MSN Messenger contact list and sends all...

    5. IM-Worm.Win32.Kelvir.e

    This worm spreads via Windows Messenger. It is written in Visual Basic. The worm file is 24064 bytes in size. The worm contains the following text strings: OMGOOSES KELVIR 1000 KelVir-FiNAL. Once launched, the worm sends a message to all contacts in the MSN Messenger contact list: "omg u have to...

    6. IM-Worm.Win32.Kelvir.k

    This worm spreads via Windows Messenger. It is written in Visual Basic, and packed using UPX. The packed file is 8704 bytes in size, and the unpacked file is 24064 bytes in size. Once launched, the worm sends a message to all MSN Messenger contacts: "its you". The message is accompanied by the...

    7. IM-Worm.Win32.Opanki.d

    This worm is written in C, and is packed using MEW and PE_Patch. It spreads as a link across the AIM network and has Trojan-Downloader capabilities. The packed body is 3 973 bytes in size. MD5: 4d0a71e9e37a73bd27932e13d03b7ec0. Installation: This worm arrives as a link via the AOL Instant Messaging...

    8. IM-Worm.Win32.Sumom.a

    This worm spreads via MSN by means of file transfer. The worm file is packed using several packing programs, and is approximately 17KB when packed. The unpacked file is approximately 155KB in size. Installation: The worm copies itself to the Windows directory under one of the following names:...

    9. IM-Worm.Win32.VB.a

    This worm spreads via the Internet using MSN Messenger. It is written in Visual Basic and is approximately 160KB in size. The worm contains a backdoor program, Backdoor.Win32.Rbot.fy, which it will extract from itself and launch on the victim machine. Installation: Once launched, the worm copies...

    Classic Viruses

    Computer viruses can be classified according to their environment and infection methods. The environment is the application or operating system required by any given virus to infect files within these systems. Infection methods are the techniques used to inject the virus code into an object.

    Environment

    Most viruses can be found in one of the following environments:

    - File systems
    - Boot sectors
    - Macro environments
    - Script hosts

    File viruses use the file system of a given operating system (or more than one) to propagate. File viruses can be divided into the following categories:

    - Those that infect executable files (the largest group of file viruses)
    - Those that create duplicates of files (companion viruses)
    - Those that create copies of themselves in various directories
    - Those that utilize file system features (link viruses)

    Boot sector viruses write themselves either to the boot sector or to the master boot record, or displace the active boot sector. These viruses were widespread in the 1990s, but have almost disappeared since the introduction of 32-bit processors as standard and the decline of the floppy disk. It would be technically possible to write boot sector viruses for CDs and USB flash ROMs, but no such viruses have yet been detected.

    Many word processing, accounting, editing and project applications have built-in macro scripts which automate frequently used sequences. These macro languages are often complex and include a wide range of commands. Macro viruses are written in macro languages and infect applications with built-in macros. Macro viruses propagate by exploiting macro language properties in order to transfer from an infected file to another file.

    Infection Methods

    The groups of viruses listed above can be sub-divided according to the technique a virus uses to infect objects.


    File Viruses

    File viruses use the following infection methods:

    - Overwriting
    - Parasitic
    - Companion
    - Links
    - Object modules (OBJ)
    - Compiler libraries (LIB)
    - Application source code

    Overwriting

    This is the simplest infection method: the virus replaces the code of the infected file with its own, erasing the original code. The file is rendered useless and cannot be restored.

    These viruses are easily detected because the operating system and affected applications will cease to function shortly after infection.

    Parasitic

    Parasitic viruses modify the code of the infected file. The infected file remains partially or fully functional.

    Parasitic viruses are grouped according to the section of the file they write their code to:

    - Prepending: the malicious code is written to the beginning of the file
    - Appending: the malicious code is written to the end of the file
    - Inserting: the malicious code is inserted in the middle of the file

    Inserting file viruses use a variety of methods to write code to the middle of a file: they either move parts of the original file to the end or copy their own code to empty sections of the target file. These are sometimes called cavity viruses.

    Prepending viruses

    Prepending viruses write their code to target files in two ways. In the first scenario, the virus moves the code from the beginning of the target file to the end and writes its own code to this space. In the second scenario the virus adds the code of the target file to its own code.

    In both cases, every time the infected file is launched, the virus code is executed first. In order to maintain application integrity, the virus may clean the infected file, re-launch it, wait for the file to execute, and once this process is over, the virus will copy itself again to the beginning of the file. Some viruses use temp files to store clean versions of infected files. Some viruses will restore the application code in memory, and reset necessary addresses in the body, thus duplicating the work of the operating system.

    Appending viruses

    Most viruses fall into this category. Appending viruses write themselves to the end of the infected files. However, these viruses usually modify the files (change the entry point in the file header) to ensure that the commands contained in the virus code are executed before the infected object's commands.

    Inserting viruses

    Virus writers use a variety of methods to inject viruses into the middle of a file. The simplest methods are moving part of the file code to the end of the file or pushing the original code aside to create a space for the virus.

    Inserting viruses include so-called cavity viruses; these write their code to sections of files that are known to be empty. For instance, cavity viruses can copy themselves to the unused part of exe file headers, to the gaps between exe file sections, or to text areas of popular compilers. Some cavity viruses will only infect files where a certain block contains a certain byte; the chosen block will be overwritten with the virus code.

    Finally, some inserting viruses are badly written and simply overwrite sections of code which are essential for the infected file to function. This causes the file to be irrevocably corrupted.

    Entry point obscuring viruses - EPOs

    There is a small group of parasitic viruses, including both appending and inserting viruses, which do not modify the entry point address in the headers of exe files. EPO viruses write the routine pointing to the virus body to the middle of the infected file. The virus code is then executed only if the routine containing the jump to the virus is called. If this routine is rarely used (e.g. a rare error notification), an EPO virus can remain dormant for a long time.

    Virus writers need to choose the entry point carefully: a badly chosen entry point can either corrupt the host file or cause the virus to remain dormant long enough for the infected file to be deleted.

    Virus writers use different methods to find useful entry points:

    - Searching for frames and overwriting them with infected starting points
    - Disassembling the host file code
    - Changing the addresses of imported functions
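Because an appending virus has to redirect the entry point in the PE header while an EPO virus leaves it untouched, the entry point is a cheap heuristic for the former and says nothing about the latter. The Python below is an added example, not from the original text: it parses the DOS, COFF, optional and section headers of a PE32 image with the standard library and reports when the entry point falls outside every section, inside a non-code section, inside a section that is both writable and executable, or inside the last section of a multi-section file. The two images it checks are constructed header-only skeletons (no real code) assembled by build_pe; the section names and layouts are assumptions.

```python
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Return (AddressOfEntryPoint, section list) from a PE image; raises ValueError if malformed."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # 20-byte COFF file header
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                       # optional header starts here
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):                       # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    entry = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint (an RVA)
    sections = []
    for i in range(num_sections):
        off = opt + size_opt + 40 * i                     # 40-byte section headers follow the optional header
        name, vsize, vaddr, rawsize = struct.unpack_from("<8sIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize, "chars": chars})
    return entry, sections


def entry_point_findings(data):
    """Heuristic checks on where the entry point lives. An empty list means nothing unusual."""
    entry, sections = parse_pe(data)
    holder = None
    for s in sections:
        if s["vaddr"] <= entry < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            holder = s
            break
    if holder is None:
        return [f"entry point 0x{entry:x} lies outside every section"]
    findings = []
    if not holder["chars"] & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):
        findings.append(f"entry point in non-code section {holder['name']}")
    if holder["chars"] & IMAGE_SCN_MEM_WRITE and holder["chars"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry section {holder['name']} is writable and executable")
    if len(sections) > 1 and holder is sections[-1]:
        findings.append(f"entry point in last section {holder['name']} (typical of appended code)")
    return findings


def build_pe(entry_rva, sections):
    """Assemble a constructed, header-only PE32 skeleton: sections = [(name, vaddr, size, chars)]."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    opt_size = 224
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(opt_size, b"\0")
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, sz, va, sz, 0, 0, 0, 0, 0, ch)
                     for n, va, sz, ch in sections)
    return dos + b"PE\0\0" + coff + opt + table


CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# Constructed samples: a normal layout, and the same file with an extra writable+executable
# last section that the entry point now points into.
CLEAN = build_pe(0x1010, [(b".text", 0x1000, 0x800, CODE), (b".data", 0x2000, 0x400, DATA)])
APPENDED = build_pe(0x3020, [(b".text", 0x1000, 0x800, CODE), (b".data", 0x2000, 0x400, DATA),
                             (b".vir", 0x3000, 0x300, CODE | IMAGE_SCN_MEM_WRITE)])

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("appended", APPENDED)):
        print(label, entry_point_findings(image) or ["no findings"])
```

The findings are a judgement call, not proof: runtime packers and some linkers legitimately put the entry point in a late or writable section, so this belongs in a triage pipeline alongside hashing and emulation. Conversely an EPO infection produces no finding at all here, since its header is unchanged; catching it requires following the code from the real entry point.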


    Companion viruses

    Companion viruses do not modify the host file. Instead they create a duplicate file containing the virus. When the infected file is launched, the copy containing the virus will be executed first.

    This category includes viruses that rename the host file, record the new name for future reference and then overwrite the original file. For instance, a virus might rename notepad.exe as notepad.exd and write its own code to the file under the original name. Each time the user of the victim machine launches notepad.exe, the virus code will be executed, with the original Notepad file, notepad.exd, being run afterwards.

    There are other types of companion viruses which use original infection techniques or exploit vulnerabilities in specific operating systems. For instance, path-companion viruses place their copies in the Windows system directory, exploiting the fact that this directory is first in the PATH list; the system will start from this directory when launching Windows. Many contemporary worms and Trojans use such autorun techniques.
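Path-companion viruses rely on search order rather than on modifying any file, so the check a defender wants is an inventory of names that occur in more than one PATH directory: the first occurrence wins and silently shadows the rest. The following Python is an added example, not from the original text. resolve_path_order walks the directories in search order (on a live machine, os.environ["PATH"] split on os.pathsep) and shadowed_executables reports every duplicate; demo builds two constructed temporary directories, with a placeholder notepad.exe planted ahead of the "real" one, so the output can be checked offline.

```python
import os
import tempfile


def resolve_path_order(path_dirs):
    """Map each file name (case-folded, as Windows does) to every PATH directory holding it,
    in search order; unreadable or missing directories are skipped rather than fatal."""
    seen = {}
    for directory in path_dirs:
        try:
            names = sorted(os.listdir(directory))
        except OSError:
            continue
        for name in names:
            full = os.path.join(directory, name)
            if os.path.isfile(full):
                seen.setdefault(name.lower(), []).append(full)
    return seen


def shadowed_executables(path_dirs):
    """Return {name: (winner, [shadowed copies])} for every name present in more than one
    PATH directory. The winner is what a bare command name will actually launch."""
    return {name: (paths[0], paths[1:])
            for name, paths in resolve_path_order(path_dirs).items() if len(paths) > 1}


def demo():
    """Constructed scenario: a planted notepad.exe in the directory that is searched first."""
    root = tempfile.mkdtemp()
    sysdir = os.path.join(root, "system")
    appdir = os.path.join(root, "app")
    os.makedirs(sysdir)
    os.makedirs(appdir)
    with open(os.path.join(sysdir, "notepad.exe"), "wb") as fh:
        fh.write(b"planted")           # constructed placeholder bytes, not a real program
    with open(os.path.join(appdir, "notepad.exe"), "wb") as fh:
        fh.write(b"original")
    with open(os.path.join(appdir, "calc.exe"), "wb") as fh:
        fh.write(b"original")          # unique name: must not be reported
    return shadowed_executables([sysdir, appdir])


if __name__ == "__main__":
    for name, (winner, losers) in demo().items():
        print(f"{name}: resolves to {winner}, shadowing {losers}")
    # Audit the real search path of this machine the same way.
    live = shadowed_executables(os.environ.get("PATH", "").split(os.pathsep))
    print(f"{len(live)} shadowed names on this machine's PATH")
```

A duplicate is not automatically malicious (package managers create plenty), but a newly appeared copy of a system binary in an earlier PATH entry, especially one that is user-writable, is exactly the condition the text describes and is worth comparing against the vendor's file hash.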

    Other infection techniques

    Some viruses do not use executable files to infect a computer, but simply copy themselves to a range of folders in the hope that sooner or later they will be launched by the user. Some virus writers give their viruses names such as install.exe or winstart.bat in order to persuade the user to launch the file containing the virus.

    Other viruses copy themselves to compressed files in formats such as ARJ, ZIP and RAR, while still others write the command to launch an infected file to a BAT file.

    Link viruses also do not modify host files. However, they force the operating system to execute the virus code by modifying the appropriate fields in the file system.

    Boot Sector Viruses

    The boot viruses which are currently known infect the boot sectors of floppy disks and the boot sector or Master Boot Record (MBR) of the hard disk. Boot viruses act on the basis of the algorithm used to launch the operating system when the computer is switched on or rebooted. Once the necessary checks of memory, disks etc. have been carried out, the system boot program reads (fetches) the first physical sector of the boot disk (A:, C: or the CD-ROM, depending on the parameters configured in BIOS Setup) and passes control to this sector.

    When infecting disks, a boot virus will substitute its code for that of the program which gains control when the system launches. In order to infect the system, the virus will force the system to read it into memory and hand over control not to the original boot program, but to the virus code.


    Floppy disks can only be infected in one way: the virus writes its code in place of the original code of the boot sector of the disk. Hard disks can be infected in three ways: the virus either writes its code in place of the MBR code, or in place of the boot sector code of the boot disk, or modifies the address of the active boot sector in the Disk Partition Table in the hard disk MBR.

    In the vast majority of cases, when infecting a disk the virus will move the original boot sector (or MBR) to another sector of the disk, often the first empty one. If the virus is longer than the sector, then the infected sector will contain the first part of the virus code, and the remainder of the code will be placed in other sectors, usually the first free ones.
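All three hard-disk infection methods above leave a trace in the first sector: either the 446 bytes of boot code change, or the partition table does (an active flag moved to another entry, or a changed start address for the boot partition). The Python below is an added example, not from the original text: it parses a 512-byte MBR (boot code, four 16-byte partition entries at offset 446, the 0x55AA signature), hashes the boot code, and diffs a sector read now against a trusted baseline. Both sectors here are constructed by build_mbr with filler bytes in place of a real boot loader; on a live system the baseline would be captured at install time and the current copy read from the raw disk device.

```python
import hashlib
import struct

# One partition entry: status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count.
PARTITION_ENTRY = "<B3xB3xII"


def parse_mbr(sector):
    """Decode a 512-byte MBR into a boot-code hash and four partition entries."""
    if len(sector) != 512 or sector[510:512] != b"\x55\xAA":
        raise ValueError("not an MBR: wrong length or missing 55AA signature")
    partitions = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(PARTITION_ENTRY, sector, 446 + 16 * i)
        partitions.append({"index": i, "active": status == 0x80, "type": ptype,
                           "lba": lba, "sectors": count})
    return {"code_sha256": hashlib.sha256(sector[:446]).hexdigest(), "partitions": partitions}


def mbr_changes(baseline, current):
    """List the differences between a trusted baseline sector and the sector read now."""
    old, new = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if old["code_sha256"] != new["code_sha256"]:
        findings.append("boot code (bytes 0-445) differs from baseline")
    old_active = [p["index"] for p in old["partitions"] if p["active"]]
    new_active = [p["index"] for p in new["partitions"] if p["active"]]
    if old_active != new_active:
        findings.append(f"active partition moved from entries {old_active} to {new_active}")
    for o, n in zip(old["partitions"], new["partitions"]):
        if (o["type"], o["lba"], o["sectors"]) != (n["type"], n["lba"], n["sectors"]):
            findings.append(f"partition entry {o['index']} changed: "
                            f"type 0x{o['type']:02x}->0x{n['type']:02x}, start {o['lba']}->{n['lba']}")
    return findings


def build_mbr(code, entries):
    """Constructed MBR: `code` fills bytes 0-445, `entries` holds up to four
    (active, type, lba_start, sector_count) tuples; unused slots stay zero."""
    sector = code[:446].ljust(446, b"\0")
    for i in range(4):
        if i < len(entries):
            active, ptype, lba, count = entries[i]
            sector += struct.pack(PARTITION_ENTRY, 0x80 if active else 0x00, ptype, lba, count)
        else:
            sector += b"\0" * 16
    return sector + b"\x55\xAA"


# Constructed samples: the boot code bytes are filler, not a real boot loader. TAMPERED has
# different code and the active flag moved to a new entry pointing past the original partition.
BASELINE = build_mbr(b"\xfa\x33\xc0" * 100, [(True, 0x07, 2048, 1_000_000)])
TAMPERED = build_mbr(b"\xeb\x10\x90" * 100, [(False, 0x07, 2048, 1_000_000),
                                              (True, 0x07, 1_002_048, 64)])

if __name__ == "__main__":
    print("baseline vs itself:", mbr_changes(BASELINE, BASELINE) or ["no change"])
    for line in mbr_changes(BASELINE, TAMPERED):
        print("tampered:", line)
```

Reading the sector from inside a running system has one caveat the text already hints at: a memory-resident boot virus that hooks disk I/O can return the original sector on read, so the comparison is only trustworthy when the disk is read from clean boot media.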

    Macro Viruses

    The most widespread macro viruses are for Microsoft Office applications (Word, Excel and PowerPoint) which save information in the OLE2 (Object Linking and Embedding) format. Viruses for other applications are relatively rare.

    The actual location of a virus within an MS Office file depends on the file format, which in the case of Microsoft products is extremely complex. Every Word document, Office 97 file or Excel table is composed of a sequence of data blocks (each of which has its own format) which are joined (linked) by service data. Due to the complex format of Word, Excel and Office 97 files, it is easiest to use a diagram to show the location of a macro virus in such a file:

    Uninfected document or table file    Infected document or table file
    ---------------------------------    -------------------------------
    File header                          File header
    Service data (directories, FAT)      Service data (directories, FAT)
    Text                                 Text
    Fonts                                Fonts
    Macros (if any)                      Macros (if any)
                                         Virus macros
    Other data                           Other data

    When working with documents and tables, MS Office carries out a number of different actions: the application opens the document, saves it, prints it, closes it etc. MS Word will search for and execute (launch) the appropriate built-in macros. For example, using the File/Save command will call the FileSave macro, the File/SaveAs command will call the FileSaveAs macro, and so on, always assuming that such macros are defined (configured).


    There are also auto macros, which will be automatically called in a range of situations. For instance, when a document is opened, MS Word will check the document for the presence of the AutoOpen macro. If the macro is found, Word will execute it. When a document is closed, Word will execute the AutoClose macro; when Word is launched, the application will execute the AutoExec macro, etc. These macros are executed automatically, without any action from the user, as are macros (functions) which are associated either with a particular key, or with a specific time or date.

    As a rule, macro viruses which infect MS Office files will use one of the techniques described above. The virus will either contain an auto macro (automatic function), or one of the standard system macros (associated with a menu item) will be redefined, or the virus macro will be automatically called by a certain key stroke or key combination. Once the macro virus has gained control, it will transfer its code to other files, usually ones which are currently being edited. More rarely, the viruses will search disks for other files.
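Each of the three triggers above leaves a recognisable name in the VBA project: an auto macro (AutoOpen, Document_Open, Workbook_Open and the like), a redefined built-in command (FileSave, FileSaveAs, ...), or code that reaches into another template's project to copy itself. The Python below is an added example, not from the original text, that scans already-extracted VBA source for those names. The procedure-name lists are a subset of the well-known auto-execution and command names; the replication hints (OrganizerCopy, VBComponents, MacroCopy) are Word object-model names; both VBA samples are constructed. Pulling the source out of an OLE2 file is a separate step (a tool such as olevba does it) that this example does not perform.

```python
import re

# Procedure names Word/Excel run without user action (a subset of the well-known list).
AUTO_EXEC = {"autoopen", "autoclose", "autoexec", "autonew", "autoexit",
             "document_open", "document_close", "document_new",
             "workbook_open", "workbook_close", "auto_open", "auto_close"}
# Built-in command names; a VBA procedure with one of these names replaces the menu command.
COMMAND_MACROS = {"filesave", "filesaveas", "fileopen", "fileclose", "fileprint",
                  "toolsmacro", "viewvbcode", "filetemplates"}
# Object-model names used to copy macros into other templates or documents.
REPLICATION_HINTS = ("OrganizerCopy", "VBComponents", "MacroCopy")

# Matches the declaration line of a Sub or Function and captures its name.
PROC_RE = re.compile(r"^\s*(?:Public\s+|Private\s+|Friend\s+)?(?:Static\s+)?(?:Sub|Function)\s+(\w+)",
                     re.IGNORECASE | re.MULTILINE)


def scan_vba(source):
    """Classify the triggers present in one VBA module's source text."""
    procs = PROC_RE.findall(source)
    lowered = [p.lower() for p in procs]
    return {
        "auto_exec": [p for p, l in zip(procs, lowered) if l in AUTO_EXEC],
        "redefined_commands": [p for p, l in zip(procs, lowered) if l in COMMAND_MACROS],
        "replication": [h for h in REPLICATION_HINTS
                        if re.search(re.escape(h), source, re.IGNORECASE)],
    }


def is_suspicious(source):
    """A self-starting macro combined with a macro-copying API is the classic macro-virus shape."""
    r = scan_vba(source)
    return bool((r["auto_exec"] or r["redefined_commands"]) and r["replication"])


# Constructed sample showing the three traits from the text: an auto macro, a redefined
# FileSaveAs command, and a reference to the global template's VBA project.
SUSPECT = """\
Sub AutoOpen()
    Call Spread
End Sub

Sub FileSaveAs()
    Call Spread
End Sub

Private Sub Spread()
    Set dst = NormalTemplate.VBProject.VBComponents
    ' module copy deliberately left out of this constructed sample
End Sub
"""

# Constructed benign sample: a button handler that formats a table.
BENIGN = """\
Private Sub FormatButton_Click()
    Selection.Tables(1).AutoFormat
End Sub
"""

if __name__ == "__main__":
    print(scan_vba(SUSPECT), is_suspicious(SUSPECT))
    print(scan_vba(BENIGN), is_suspicious(BENIGN))
```

An auto macro on its own is common in legitimate templates, which is why the verdict requires both a trigger and a replication hint; name matching also misses code that builds the method name at runtime, so this is a first-pass filter rather than a scanner.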

    Script Viruses

    Script viruses are a subset of file viruses, written in a variety of script languages (VBS, JavaScript, BAT, PHP etc.). They either infect other scripts, e.g. Windows or Linux command and service files, or form a part of multi-component viruses. Script viruses are able to infect other file formats, such as HTML, if the file format allows the execution of scripts.

    Executable File and Boot Viruses

    1. BWME.GSD.1145

    It is a harmless memory resident virus. It hooks INT 21h and infects EXE files that are executed or opened. It was created with the Biological Warfare Mutation Engine - it is a polymorphic engine, like the MtE and TPE engines. This virus writes itself to the end of the files. It contains the text...

    2. BWME.Gangi.1130

    It is a dangerous memory resident parasitic virus. It hooks INT 21h and writes itself to the end of EXE files that are executed. The virus has a bug and can halt the system. It was created with the Biological Warfare Mutation Engine - it is a polymorphic engine, like the MtE and TPE engines. This virus...

    3. BWME.Test.1287

    It is a harmless memory resident virus. It hooks INT 21h and infects COM and EXE files that are executed or opened. It was created with the Biological Warfare Mutation Engine - it is a polymorphic engine, like the MtE and TPE engines. This virus writes itself to the end of the files. It contains the...

    4. BWME.Twelve.1378

    It is a harmless non-memory-resident parasitic virus. It searches for COM and EXE files and infects them. It was created with the Biological Warfare Mutation Engine - it is a polymorphic engine, like the MtE and TPE engines. This virus writes itself to the end of the files. It contains the text strings:...

    5. Devices.2000

    It is a harmless memory resident parasitic polymorphic virus. It writes itself to the beginning of SYS files and to the end of EXE files. While executing an infected EXE file the virus opens the C:\CONFIG.SYS file, scans it for the names of device drivers, infects them and returns to the host program. While...

    6. EICAR-Test-File

    EICAR is a short 68-byte COM file that is detected by anti-virus programs as a virus, but is actually NOT "VIRAL" at all. When executed it just displays a message and returns control to the host program. Why is this harmless file detected as a virus? The file was created in order to demonstrate to...

    7. Happy_II.506

    It is a harmless non-memory-resident parasitic virus. It searches for COM files (except COMMAND.COM), then writes itself to the end of the file. The virus does not manifest itself in any way; it contains the text strings: *.com COMMAND. HAPPY v1.03 (C) PROFESSOR,KPI

    8. Joke.1068

    This is a not dangerous non-memory-resident parasitic virus. It searches for .COM files (except COMMAND.COM) in the current directory and writes itself to the end of the file. Sometimes it displays: At last ...... ALIVE !!!!! I guess your computer is infected by the Big Joke Virus. Release 4/4-91 Lucky...

    9. Kot.b

    This is a dangerous memory resident boot virus. It hooks INT 13h, and writes itself to the BOOT sectors of floppy disks and to the MBR sector of the hard drive. On the 15th day of each month, the virus stops the computer from booting. The virus contains the text string: Kot

    10. Lemena.3544

    This is a not dangerous memory resident parasitic polymorphic virus. It copies itself to the video memory at address BC00:0000, hooks INT 22h (Terminate call), returns control to the host program, waits for termination and hooks INT 21h. To hook INT 21h the virus patches the DOS kernel. The virus then...


    Macro Viruses

    1. Macro.AmiPro.Green

    This virus contains four macros (functions): Green_Stripe_Virus, Infect_File, SaveFile, SaveAsFile. They receive control when an infected document is opened, then the virus searches for *.SAM files in the current directory and infects them. While infecting a SAM file the virus creates an SMM...

    2. Macro.Excel.Robocop

    This is an Excel macro virus. It contains two modules, COP and ROBO. Module ROBO contains the auto-routine Auto_Open that is executed on opening an infected file. That macro infects the PERSONAL.XLS file and assigns virus code to be executed on activating a sheet (SheetActivate handler). As...

    3. Macro.Excel97.LarouxThis is a virus converted to MS Excel 97 from their MS Excel prototypes and as aresult it has the same set of macros, functions, features and effects. See thedescription of its Excel prototype.

    4. Macro.PPoint.AttachThis is the first known macro virus infecting MS PowerPoint presentation files. Aswell as other viruses infecting MS Office applications this is written in Visual Basicfor Applications (VBA) language, and for spreading it uses Basic instructions andMS PowerPoint features. The virus contains...

    5. Macro.PPoint.Kelly

    This macro virus infects MS PowerPoint presentations. The virus contains one macro, "Jd", in the "Kelly" module. The virus code is activated on MouseOver events on the infected form; it then runs its main routine and infects all forms in opened presentations. While...

    6. Macro.PPoint.ShapeMaster

    This macro virus infects MS PowerPoint presentations. The virus contains one macro, "actionhook", in the "ShapeMaster" module. The virus is activated on a MouseClick on the infected form; it then runs its installation routine and infects the PowerPoint installed on the...

    7. Macro.PPoint.ShapeShift

    This is the second known macro virus infecting MS PowerPoint presentations. It contains five macros in one module, "ShapeShift": actionhook, SlideIn, WackShape, RandomWackSlide, WackPresentation. To activate its code on an event the virus hooks MouseClick, which passes control to the virus...

    8. Macro.Visio.Radiant

    This is the first known macro virus infecting Visio documents, stencils and templates (Visio is a system to create, edit and store business drawings and diagrams - see http://www.visio.com). To automate data processing, Visio uses macro programs written in the VBA language (Visual Basic for...

    9. Macro.Visio.Unstable

    This is the second macro virus that also has pretensions to be The Number One in the "Macro.Visio" family. This virus is more complex than Macro.Visio.Radiant: it uses encryption and special tricks to hide its body in infected files. The virus infects Visio documents, stencils and templates...

    10. Macro.Word.Alex.a

    This is an encrypted Chinese Word macro virus. It contains from three to five macros depending on the virus version: autonew, autoopen, autoclose, toolsmacro. It also contains an empty macro: ALEX. The virus replicates when documents are created (autonew), opened (autoopen) or closed...


    Script Viruses

    Script viruses are a subset of file viruses, written in a variety of script languages (VBS, JavaScript, BAT, PHP etc.). They either infect other scripts, e.g. Windows or Linux command and service files, or form a part of multi-component viruses. Script viruses are also able to infect other file formats, such as HTML, if the file format allows the execution of scripts.

    Batch file viruses
    Windows Help file viruses
    JavaScript viruses
    INF file viruses
    PHP (Hypertext Preprocessor) viruses
    Windows Script viruses

    Trojan Programs

    Trojans can be classified according to the actions which they carry out on victimmachines.

    Backdoors
    General Trojans
    PSW Trojans
    Trojan Clickers
    Trojan Downloaders
    Trojan Droppers
    Trojan Proxies
    Trojan Spies
    Trojan Notifiers
    ArcBombs

    Backdoors

    Today backdoors are the most dangerous type of Trojan and the most widespread. These Trojans are remote administration utilities that open infected machines to external control via a LAN or the Internet. They function in the same way as legitimate remote administration programs used by system administrators, which makes them difficult to detect.

    The only difference between a legitimate administration tool and a backdoor is that backdoors are installed and launched without the knowledge or consent of the user of the victim machine. Once the backdoor is launched, it monitors the local system without the user's knowledge; often the backdoor will not be visible in the list of running programs.

    Once a remote administration utility has been successfully installed and launched, the victim machine is wide open. Backdoor functions can include:

    Sending/receiving files
    Launching/deleting files
    Executing files
    Displaying notifications
    Deleting data
    Rebooting the machine

    In other words, backdoors are used by virus writers to detect and download confidential information, execute malicious code, destroy data, include the machine in bot networks and so forth. In short, backdoors combine the functionality of most other types of Trojans in one package.

    Backdoors have one especially dangerous sub-class: variants that can propagate likeworms. The only difference is that worms are programmed to propagate constantly,whereas these 'mobile' backdoors spread only after a specific command from the 'master'.

    General Trojans

    This loose category includes a variety of Trojans that damage victim machines orthreaten data integrity, or impair the functioning of the victim machine.

    Multi-purpose Trojans are also included in this group, as some virus writers create multi-functional Trojans rather than Trojan packs.

    PSW Trojans

    This family of Trojans steals passwords, normally system passwords, from victim machines. They search for system files which contain confidential information such as passwords and Internet access (dial-up) telephone numbers and then send this information to an email address coded into the body of the Trojan. It is then retrieved by the 'master' or user of the illegal program.

    Some PSW Trojans steal other types of information such as:

    System details (memory, disk space, operating system details)
    Local email client
    IP address
    Registration details
    Passwords for on-line games

    Trojan-AOL are PSW Trojans that steal passwords for AOL (America Online). They are placed in a sub-group of their own because they are so numerous.

    Trojan Clickers

    This family of Trojans redirects victim machines to specified websites or other Internetresources. Clickers either send the necessary commands to the browser or replace systemfiles where standard Internet urls are stored (e.g. the 'hosts' file in MS Windows).

    Clickers are used:

    To raise the hit count of a specific site for advertising purposes
    To organize a DoS attack on a specified server or site
    To lead the victim to an infected resource where the machine will be attacked by other malware (viruses or Trojans)
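The hosts-file manipulation described above leaves a trace that can be checked mechanically: a stock hosts file maps only the loopback names, so any other mapping is either a redirect to an attacker's server or a sinkhole that blocks a site (typically an antivirus update server). The following is an added example, not code from the original page or from any vendor: it parses hosts-file text and classifies every non-default entry. The sample file content is constructed; the bank and AV hostnames are invented and 203.0.113.10 is a documentation address.

```python
import ipaddress

# Names a stock hosts file legitimately maps to loopback/broadcast addresses.
DEFAULT_NAMES = {
    "localhost", "localhost.localdomain", "broadcasthost",
    "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters",
}


def parse_hosts(text):
    """Yield (line_number, ip_address, hostname) for every mapping in a hosts file.

    Comments (everything after '#') and blank or malformed lines are skipped;
    one line may map several names to the same address."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield lineno, ip, name.lower()


def audit_hosts(text):
    """Classify every hosts entry that is not part of a stock file.

    Returns a list of (kind, hostname, ip, line_number):
      'sinkhole' - the name points at loopback or 0.0.0.0, so the site
                   (e.g. an antivirus update server) becomes unreachable;
      'redirect' - the name points at any other address, so the victim
                   is sent to a server of the attacker's choosing."""
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if name in DEFAULT_NAMES:
            continue
        kind = "sinkhole" if (ip.is_loopback or ip.is_unspecified) else "redirect"
        findings.append((kind, name, str(ip), lineno))
    return findings


# Constructed sample: the stock Windows entries plus two tampered lines.
# Hostnames are invented; 203.0.113.10 is from the TEST-NET-3 documentation range.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.10    www.bank.example login.bank.example   # bank login now served by attacker
127.0.0.1       update.av-vendor.example             # AV updates silently blocked
"""

if __name__ == "__main__":
    for kind, name, ip, lineno in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {kind:8} {name} -> {ip}")
```

To run it against a real machine, pass the text of /etc/hosts or %SystemRoot%\System32\drivers\etc\hosts to audit_hosts; every finding deserves a look, since legitimate software very rarely edits that file.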

    Trojan Downloaders

    This family of Trojans downloads and installs new malware or adware on the victimmachine. The downloader then either launches the new malware or registers it to enableautorun according to the local operating system requirements. All of this is done withoutthe knowledge or consent of the user.

    The names and locations of malware to be downloaded are either coded into the Trojan ordownloaded from a specified website or other Internet location.
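The autorun registration that downloaders, droppers and PSW Trojans rely on (several entries later on this page show it: a value under HKEY_CURRENT_USER\...\CurrentVersion\Run pointing at a file in the Windows, temporary or RECYCLED directory) can be reviewed offline from a Registry Editor export. The following is an added example, not code from the page or from any vendor. It parses the .reg text format, keeps only values under Run/RunOnce keys, and flags targets that either live in a directory where dropped files typically land or carry no directory at all and so resolve through PATH. The export below is constructed and every value name and path in it is invented.

```python
import re

# Directory components where downloaded or dropped Trojans typically live
# (compared case-insensitively against each directory in the target path).
SUSPECT_DIRS = {"temp", "tmp", "recycled", "recycler", "appdata",
                "local settings", "public"}

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
EXE_RE = re.compile(r"^(.*?\.(?:exe|dll|bat|cmd|com|scr|pif|vbs|js))(?=\s|$)",
                    re.IGNORECASE)


def unescape_reg(s):
    """Undo Registry Editor string escaping: a doubled backslash and a backslash-quote."""
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg_export(text):
    """Yield (key, value_name, data) for every string value in a .reg export.

    Only REG_SZ values (quoted data) are returned; hex:, dword: and deletion
    markers are skipped because they cannot name a program to run."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if key is None or not line.startswith(('"', "@")):
            continue
        name, sep, data = line.partition("=")
        if not sep or len(data) < 2 or not (data.startswith('"') and data.endswith('"')):
            continue
        name = "(Default)" if name == "@" else name.strip('"')
        yield key, name, unescape_reg(data[1:-1])


def target_of(command):
    """Extract the program path from a Run value's command line."""
    command = command.strip()
    if command.startswith('"'):                 # quoted path, arguments follow
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = EXE_RE.match(command)                   # unquoted: stop at the first extension
    if m:
        return m.group(1)
    return command.split()[0] if command else ""


def audit_run_keys(text):
    """Return (key, value_name, target, reason) for every Run/RunOnce value
    that points into a drop directory or names a bare file resolved via PATH."""
    findings = []
    for key, name, data in parse_reg_export(text):
        if not RUN_KEY_RE.search(key):
            continue
        target = target_of(data)
        parts = [p.lower() for p in target.replace("/", "\\").split("\\")]
        dirs = parts[:-1]
        if not dirs:
            findings.append((key, name, target, "bare file name, resolved via PATH"))
        elif any(d in SUSPECT_DIRS for d in dirs):
            findings.append((key, name, target, "runs from a temporary/profile/recycled directory"))
    return findings


# Constructed export (as produced by `reg export`): two benign entries, three suspicious.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"putil"="C:\\WINDOWS\\Temp\\putil.exe"
"ctfmon"="ctfmon32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"Updater"="C:\\RECYCLED\\svchost.exe -s"
'''

if __name__ == "__main__":
    for key, name, target, reason in audit_run_keys(SAMPLE_REG):
        print(f"{key}\\{name} -> {target}: {reason}")
```

The heuristic is deliberately narrow: a Trojan that copies itself into the Windows system directory under a plausible name (as several entries on this page do) will not be flagged by the path alone, so in practice the list of Run targets is also compared against a baseline of the machine and the files themselves are hashed.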

    Trojan Droppers

    These Trojans are used to install other malware on victim machines without theknowledge of the user. Droppers install their payload either without displaying anynotification, or displaying a false message about an error in an archived file or in theoperating system. The new malware is dropped to a specified location on a local disk andthen launched.

    Droppers are normally structured in the following way:

    Main file: contains the dropper payload
    File 1: first payload
    File 2: second payload
    ...: as many files as the coder chooses to include

    The dropper functionality contains code to install and execute all of the payload files.

    In most cases, the payload contains other Trojans and at least one hoax: jokes, games, graphics and so forth. The hoax is meant to distract the user or to 'prove' that the activity caused by the dropper is harmless, whereas it actually serves to mask the installation of the dangerous payload.

    Hackers using such programs achieve two objectives:

    1. Hidden or masked installation of other Trojans or viruses
    2. Tricking antivirus solutions which are unable to analyse all components

    Trojan Proxies

    These Trojans function as a proxy server and provide anonymous access to the Internet from victim machines. Today these Trojans are very popular with spammers, who always need additional machines for mass mailings. Virus coders will often include Trojan-proxies in Trojan packs and sell networks of infected machines to spammers.

    Trojan Spies

    This family includes a variety of spy programs and key loggers, all of which track andsave user activity on the victim machine and then forward this information to the master.Trojan-spies collect a range of information including:

    Keystrokes
    Screenshots
    Logs of active applications
    Other user actions

    These Trojans are most often used to steal banking and other financial information tosupport online fraud.

    Trojan Notifiers

    These Trojans inform the 'master' about an infected machine. Notifiers confirm that a machine has been successfully infected, and send information about the IP address, open port numbers, the email address etc. of the victim machine. This information may be sent by email, to the master's website, or by ICQ.

    Notifiers are usually included in a Trojan 'pack' and used only to inform the master that a Trojan has been successfully installed on the victim machine.


    ArcBombs

    These Trojans are archived files coded to sabotage the de-compressor when it attempts to open the infected archive. The victim machine will slow or crash when the Trojan bomb 'explodes', or the disk will be filled with nonsense data. ArcBombs are especially dangerous for servers, particularly when incoming data is initially processed automatically: in such cases, an ArcBomb can crash the server.

    There are three types of ArcBombs: an incorrect header in the archive, repeating data, and a series of identical files in the archive.

    An incorrect archive header or corrupted data can both cause the de-compressor to crashwhen opening and unpacking the infected archive.

    A large file containing repeating data can be packed into a very small archive: 5gigabytes will be 200 KB when packed using RAR and 480 KB in ZIP format.

    Moreover, special technologies exist to pack an enormous number of identical files in onearchive without significantly affecting the size of the archive itself: for instance, it ispossible to pack 10100 identical files into a 30 KB RAR file or a 230 KB ZIP file.
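A server that unpacks incoming archives automatically can defend itself against the three ArcBomb types above by looking at the central directory before extracting anything: a corrupt header is rejected by the parser, and both the repeating-data and identical-files variants show up as a declared-size-to-stored-size ratio and member count far beyond anything legitimate. The following is an added example, not code from the page; it is written for ZIP because Python ships a ZIP reader, and the limits are illustrative values an ingestion service might choose. The archives it checks are built in memory for the demonstration.

```python
import io
import zipfile

MAX_RATIO = 100                  # declared uncompressed bytes per stored byte
MAX_TOTAL = 100 * 1024 * 1024    # total uncompressed bytes we agree to produce
MAX_ENTRIES = 1000               # members we agree to process


def inspect_zip(data):
    """Read only the central directory: member count and declared sizes.

    Nothing is decompressed here, so a bomb costs a few kilobytes of parsing."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    compressed = sum(i.compress_size for i in infos)
    uncompressed = sum(i.file_size for i in infos)
    if compressed:
        ratio = uncompressed / compressed
    else:
        ratio = float("inf") if uncompressed else 0.0
    return {"entries": len(infos), "compressed": compressed,
            "uncompressed": uncompressed, "ratio": ratio}


def archive_verdict(data):
    """Decide before extraction whether an archive may be unpacked.

    Returns (accepted, reason). A malformed archive (the 'incorrect header'
    ArcBomb) is rejected by the parser; the other two types fail the limits."""
    try:
        stats = inspect_zip(data)
    except zipfile.BadZipFile as exc:
        return False, f"corrupt or truncated archive: {exc}"
    if stats["entries"] > MAX_ENTRIES:
        return False, f"too many members ({stats['entries']} > {MAX_ENTRIES})"
    if stats["uncompressed"] > MAX_TOTAL:
        return False, f"declares {stats['uncompressed']} bytes, limit {MAX_TOTAL}"
    if stats["ratio"] > MAX_RATIO:
        return False, f"compression ratio {stats['ratio']:.0f}:1 exceeds {MAX_RATIO}:1"
    return True, "ok"


def bounded_read(data, name, limit=MAX_TOTAL):
    """Extract one member while counting the bytes actually produced.

    The sizes in the central directory are written by whoever built the
    archive, so the cap is enforced on the decompressed stream as well
    rather than trusted from the headers."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf, zf.open(name) as member:
        out = bytearray()
        while chunk := member.read(64 * 1024):
            out += chunk
            if len(out) > limit:
                raise ValueError(f"{name}: exceeded {limit} bytes during extraction")
    return bytes(out)


def make_zip(members):
    """Build an in-memory DEFLATE ZIP from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    bomb = make_zip({"zeros.bin": b"\x00" * 5_000_000})      # repeating data
    benign = make_zip({"readme.txt": bytes(range(256)) * 4})  # ordinary payload
    for label, blob in [("bomb", bomb), ("benign", benign), ("corrupt", b"PK\x03\x04junk")]:
        print(f"{label:8} {len(blob):6} bytes on disk -> {archive_verdict(blob)}")
```

The same three checks (parse failure, member count, declared-to-stored ratio) apply to RAR and other formats, and the nested-archive trick used for the identical-files variant is caught by applying them again to every member that is itself an archive, with a depth limit.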

    Backdoors

    1. Backdoor.Agobot.gen

    This is a classic backdoor and allows a 'master' to control the victim machine remotely by sending commands via IRC channels. Installation: Agobot copies itself into the Windows directory under random names and then registers itself in the system registry auto-run keys:...

    2. Backdoor.Netbus

    This is a hidden (hacker's) remote administration utility similar to the well-known Backdoor.BO (a.k.a. Back Orifice) Trojan. It allows infected computers to be administered from a remote console, files to be stolen, installed software to be damaged etc. See the Backdoor.BO Trojan.

    3. Backdoor.Rbot.gen

    Backdoor.Rbot is a family of Trojan programs for Windows which give the user remote access to victim machines. The Trojans are controlled via IRC, and have the following functions: monitoring networks for interesting data packets (i.e. those containing passwords to FTP servers, and e-payment...

    4. Backdoor.SdBot.gen

    This is a family of backdoor malicious programs which provide the user with remote control over victim machines. This is achieved by sending commands via IRC channels. Installation: Depending upon the program version, the backdoor copies itself either to the Windows System directory or to...

    5. Backdoor.Throd.a

    Throd is a Trojan that allows a 'master' to use the zombie machine as a proxy server. Throd is written in Delphi for Windows, is about 23 KB in size (about 80 KB unpacked) and comes packed by UPX. Installation: The Trojan copies itself to the Windows system folder under a randomly combined...

    6. Backdoor.Win32.BO.a

    This Trojan (also known as the Back Orifice Trojan) is a network administration utility that allows computers on the network to be controlled. "'Back Orifice' is a remote administration system, which allows a user to control a computer across a tcpip connection using a simple console or gui...

    7. Backdoor.Win32.Afcore.q

    Afcore is a backdoor Trojan program that appears as a Windows application file (a .dll file) with a size of about 110 KB. The Trojan has numerous functions that give 'evildoers' almost full control of victim computers. The infected message body text contains the following: If you read this, then this...

    8. Backdoor.Win32.Agent.jm

    This program has remote administration functionality. It is a Windows PE EXE file, approximately 47 KB in size, packed using MEW. The unpacked file is approximately 303 KB in size. Installation: Once launched, the Trojan registers itself in the system registry:...

    9. Backdoor.Win32.Agent.b

    Agent.b is a classic Trojan backdoor that opens the infected machine to remote access. This backdoor is a Windows PE EXE file written in Visual C. Agent.b is packed with two packers: Morphine and UPX. The packed file size is 38 KB and unpacked 104 KB. Agent.b is controlled over IRC channels....

    10. Backdoor.Win32.Agobot.a

    Backdoor.Agobot (also known as PhatBot) is a Trojan program which provides the author/user with remote access to the victim machine. It is managed via IRC. It has a wide range of functionality: it will not work with a debugger running or under VMware; it can run both as a standard application and...

    General Trojans

    1. Trojan-AOL.Win32.Buddy.a

    This text was written by Alexey Podrezov, Data Fellows Ltd. The "Trojan.Aol.Buddy" (also known as the "PennyTools Trojan") is an AOL password-stealing Trojan. Two versions are currently known (by May 1999). This Trojan uses a tricky way of installing itself to the system. It uses 5 different ways at the same...

    2. Trojan-Spy.Win32.WMPatch

    Trojan.WebMoney.Wmpatch is a Trojan program consisting of two executable Win32 PE files: DBOLE.EXE and SICKBOY.EXE. These files are downloaded by the Trojan program TrojanDownloader.Win32.Small.n. A mass mailing of this Trojan program was detected on March 5th, 2003. Message text appears as follows:...

    3. Trojan.BAT.Hally

    This primitive Trojan is written in BAT and is about 983 bytes in size. When launched, it copies itself to the C:\ root directory as hally.bat. Due to errors, the rest of the code is not executed.

    4. Trojan.BAT.KeyboardDisable.f

    KeyboardDisable.f is a primitive BAT Trojan written in the DOS command language. When it is launched it blocks the functioning of the keyboard and mouse. The program copies itself under the names: C:/MyDocu`1\Autoexec.bat C:/Windows\StartM \Programs\Startup\Autoexec.bat It also creates...

    5. Trojan.BAT.KillAll.p

    This is a primitive and extremely dangerous Trojan program written as a BAT file. It contains the compressed files BAT2EXE and COM2EXE. Compressed, the file is 2363 bytes, and uncompressed 507. It deletes all files on disks C: - Z:

    6. Trojan.BAT.Looper.af

    This primitive Trojan is written in BAT and is 1964 bytes in size. When launched, the Trojan checks for a file named cargo68.dll. If no such file is found, the Trojan copies itself under this name. It creates a file called altec.bat, which adds the Trojan to ZIP archives and deletes .doc...

    7. Trojan.BAT.MkDirs.z

    This primitive Trojan is written in BAT and is 317 bytes in size. When launched, the Trojan deletes all the files from the C:\windows\ directory. It creates directories named "1", "2", "3", "4" etc. up to "18" in the current directory. While deleting files it displays the following text: You are...

    8. Trojan.BAT.NoFPU

    This is a primitive Trojan written in the DOS command language (i.e. the Trojan is a BAT file). It disables the mathematical coprocessor. As a result the computer starts to run extremely slowly. Windows 95 may lose functionality due to the action of the Trojan. The Trojan adds a sector called...

    9. Trojan.BAT.Simpsons

    This is a silly BAT Trojan that affects all files on the C:, A:, B: and D: drives (in exactly that sequence). To delete the files, the Trojan uses the "DELTREE /Y" DOS command. The Trojan then also deletes SIMPSONS.* on the same drives (but there are no files left on the drives after the DELTREE command). The...

    10. Trojan.BAT.VSX

    This primitive Trojan is written in BAT and is 1471 bytes in size. It creates a directory named VSX\Infected in the C:\ root directory. It then moves files with the extensions .BAT, .VBS, .DLL, .SYS, .OCX and .MOD from the C:\ root directory to this directory. After moving the files, the Trojan...


    Password-stealing Trojans


    1. Trojan-IM.Win32.Faker.a

    Programs in this family steal MSN Messenger passwords with the help of a fake dialogue box, where the MSN password is to be entered. This box is identical to the MSN Messenger dialogue box. The Trojan may give a false notification that the connection with MSN has been broken and that it will be...

    2. Trojan-PSW.Win32.M2.14.a

    This family of Trojan horses is capable of stealing various passwords. The Trojans have a "configurer" program (configuration component) that allows the malefactors controlling them to adjust the server components as they wish. All the Trojans work the same way: after an OS restart they copy...

    3. Trojan-PSW.Win32.Antigen.a

    This Trojan utility scans the system data files for Internet access passwords, decrypts them and sends them to a specified e-mail address. It also scans the system for more private information: telephone numbers, computer name etc. This utility was named ANTIGEN.EXE and sent as a fake anti-virus scanner...

    4. Trojan-PSW.Win32.CrazyBilets

    This program belongs to the family of password-stealing Trojans. It was spread from a public-access web page on the narod.ru server at the beginning of June 2002. The web page contained the following: Intermediate Examinations Test papers for mathematics and topics for compositions. Still...

    5. Trojan-PSW.Win32.GOPtrojan

    This program belongs to the family of password-stealing Trojans. This Trojan seems to be written in Chinese and is designed to steal OICQ (a Chinese clone of ICQ?) passwords. When run, the Trojan installs itself to the system. While installing, the Trojan copies itself to the Windows, the Windows...

    6. Trojan-PSW.Win32.Gip.107

    This program belongs to the family of password-stealing Trojans. When run, the Trojan installs itself to the system, and while installing copies itself to the Windows, Windows system, Windows temporary or Windows\RECYCLED directory and registers itself in the system registry auto-run section. For...

    7. Trojan-PSW.Win32.Hooker

    This program belongs to the family of password-stealing Trojans. When activated, the Trojan installs itself to the system. While installing, the Trojan copies itself to the Windows or Windows system directory and registers itself in the system registry auto-run section. For example: Trojan full...

    8. Trojan-PSW.Win32.LdPinch.a

    This family of Trojans steals user passwords. When launched, the Trojan writes the following value to the system registry:

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    putil = %windir%\%file name%

    This ensures that the Trojan will be run every time the system is...

    9. Trojan-PSW.Win32.Lmir.gen

    This family of Trojans steals passwords to the online game Legend of Mir. As a rule, programs belonging to this family are written in high-level programming languages (such as Delphi, Visual C/C++ or Visual Basic). File sizes vary, and the programs utilize a range of methods to install themselves to...

    10. Trojan-PSW.Win32.Logmod.a

    The Logmod program belongs to the family of password-stealing Trojans. Logmod steals the following information: Windows version, Explorer version, phone book entries, service provider information, RAS data, modem log, etc. When run the Trojan installs itself into the system. While installing...

    Trojan Clickers

    1. Trojan-Clicker.Win32.Agent.bm

    This is a primitive Win32 Trojan. It is written in C and packed using UPX. The packed file is approximately 14 KB in size, and the unpacked file approximately 54 KB. Once launched, the Trojan remains dormant for approximately 7 minutes. This is done on purpose, to attempt to hide its...

    2. Trojan-Clicker.Win32.Lopin

    This TrojanClicker is written in C++ Builder. Installation: When installed, the Trojan copies itself to the Windows system directory as rundll32.exe and registers this file in the system registry: [HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ControlPanel] Payload: The Trojan changes the file...

    3. Trojan-Clicker.Win32.NetBuie.a

    NetBuie is a Trojan horse that carries out periodic "clicks" or "hits" on banners held by the person or persons who created this virus, with the purpose of raising their rating (value). The virus is a self-extracting ZIP archive containing two EXE files. Both files are written in Visual Basic 6.0 and are being distributed...

    4. Trojan-Clicker.Win32.NetBuie.b

    NetBuie is a Trojan horse that carries out periodic "clicks" or "hits" on banners held by the person or persons who created this virus, with the purpose of raising their rating (value). The virus is a self-extracting ZIP archive containing two EXE files. Both files are written in Visual Basic 6.0 and are being distributed...

    5. Trojan-Clicker.Win32.Qhost.a

    TrojanClicker.Win32.Qhost is a family of Trojan horses that primarily replace or alter the HOSTS file, in which the IP addresses corresponding to the names of remote computers are held. Usually this leads to an increase in incoming traffic to the sites. To accomplish this a rule is used for expanding file...

    Trojan Downloaders

    1. Trojan-Downloader.JS.Miner

    This Trojan downloads other malicious programs to the victim machine. It is written in JavaScript and is between 1 and 3 KB in size. The program code may be encoded using JScript.Encode. Payload: The Trojan downloads and launches other Trojans on the victim machine without the user's knowledge or...

    2. Trojan-Downloader.VBS.Psyme.ap

    This Trojan downloader exploits a vulnerability in Internet Explorer to launch other Trojan programs on the victim machine. The program is designed as an HTML page; when it is viewed, malicious Visual Basic Script code, approximately 3 KB in size, will be executed. The Trojan then copies itself to...

    3. Trojan-Downloader.Win32.Agent.bq

    This Trojan program is a Windows PE EXE file, 10 KB or greater in size. The Trojan is capable of downloading and launching files from the Internet on the victim machine. It also downloads a program from the AdWare class to the victim machine; this program then directs the Internet browser on the...

    4. Trojan-Downloader.Win32.Apher.a

    Apher is malware found in the wild that spreads as an attachment to spoofed e-mails using a legitimate Microsoft address. The email text is disguised as a Kaspersky Labs anti-virus software update. Below is a screenshot of a spoofed e-mail message infected with Apher:

    5. Trojan-Downloader.Win32.BMPAgent.a

    Also known as TrojanDownloader.BMP.Agent.a. This TrojanDownloader exploits a vulnerability in MS Windows that is triggered when viewing BMP files. To date Agent only affects Russian versions of MS Windows 2000. Agent may cause email clients to close on other versions of Windows or in other...

    6. Trojan-Downloader.Win32.CWS.gen

    This is a generic detection for a family of Trojan programs which download other malicious software from the Internet to the victim machine. Programs in this family are usually written in Delphi and packed using PECompact. The file is often called web.exe, and a packed file will...

    7. Trojan-Downloader.Win32.Dler.11.a

    When run, the Trojan installs itself to the system. While installing, the program downloads Trojans from a remote hacker's site and runs them. Optionally, it can register the downloaded Trojans in the Windows registry to start automatically. The installed Trojan file name, the target directory and...

    8. Trojan-Downloader.Win32.Dyfuca.a

    This family of Trojans is designed to download a variety of adware and spyware to victim machines. It spreads via the Internet as the Internet Optimizer utility; there are several modified versions: InternetOptimizer/Iopti: unknown-server errors, page-missing errors, server errors and even...

    9. Trojan-Downloader.Win32.Dyfuca.du

    This Trojan program is written in Visual C++ and packed using UPX. The packed file is 52104 bytes in size. Installation: The program copies itself to Program Files\Internet Optimizer. Before installing itself, it will display a license agreement window. Payload: The Trojan will send details of...

    10. Trojan-Downloader.Win32.Greetyah.a

    Greetyah downloads a file from the Internet and sets an auto-run key in the system registry in order to start automatically. A mass mailing of this Trojan program was detected on March 17th, 2003. Message text appears as follows: Date: Mon, 17 Mar 2003 14:57:57 From:...

    Trojan Droppers

    1. Trojan-Dropper.Win32.Agent.ed

    This is a primitive Win32 Trojan. It is written in C and packed using PecBundle and PECompact. The packed file is approximately 48 KB in size, and the unpacked file approximately 114 KB. It creates a synchronization object named "BaloonMutex", which it uses to check the system for active copies of...

    2. Trojan-Dropper.Win32.Checkin

    Checkin is a "downloader" Trojan that downloads a given file from a certain site and runs it. The Trojan itself is a Windows PE EXE file written in MS Visual C++. The Trojan files have the following approximate sizes: "Checkin.a": 50 KB, "Checkin.b": 45 KB. The Trojan EXE file does not...

    3. Trojan-Dropper.Win32.ExeBundle

    This program is an "improved" version of TrojanDropper.Win32.ExeStealth. In addition to the "ExeStealth" function it is able to carry and drop files with the following filename extensions: COM, BAT, CMD, VBS.

    4. Trojan-Dropper.Win32.ExeStealth.20

    This program is not a "Trojan program" itself, but it is designed to hide other EXE files inside itself and to install these EXE files on other machines in silent mode, i.e. this program was designed to hide, deploy and install unrequested EXE files on victim machines. So, it is a usual...

    5. Trojan-Dropper.Win32.Small.kv

    This primitive Trojan is written in Assembler and packed using FSG. The packed file is approximately 6 KB in size, and the unpacked file approximately 60 KB. When launched, it saves a file named eplrr9.dll (which contains Trojan.Win32.StartPage.nu) to the %System% directory. It then...

    6. Trojan-Dropper.Win32.Small.ff

    This Trojan installs and executes a Trojan downloader program. It is written in Visual C++ and packed using UPX. The size of the packed file is 55296 bytes, and the size of the unpacked file is 108544 bytes. When launched, this Trojan creates and then executes a file named hrlypn35.dll in the...

    7. TrojanDropper.VBS.Zerolin

    Programs which belong to this Trojan family are written in Visual Basic Script. They are coded to install a range of viruses on victim machines. Malicious programs installed by versions of TrojanDropper.VBS.Zerolin range from primitive key-logging programs to multi-functional backdoors and worms.

    Trojan Proxy Servers

    1. Trojan-Proxy.Win32.Bobax.a

    This Trojan program makes it possible for the infected machine to be used as a proxy server. Bobax uses a vulnerability in Microsoft LSASS to propagate on command. The Trojan is written in Microsoft Visual C++, and the body is encrypted. It runs under Windows, and is 20480 bytes in...

    2. Trojan-Proxy.Win32.Mitglieder.a

    This Trojan program enables the attacker to use the infected computer as a mail proxy server. It runs under Windows, and is approximately 9 KB, compressed using UPX. The decompressed file is approximately 35 KB. Installation: When launched, the Trojan copies itself to the Windows system directory...

    3. Trojan-Proxy.Win32.Mitglieder.s

    This Trojan program makes it possible to use the victim machine as a mail proxy server. It runs under Windows, and is approximately 19 KB in size. It uses I-Worm.Bagle.l to install itself on the system. The Trojan is not able to launch itself, but uses the Bagle.l library to do this. It attempts to...

    4. Trojan-Proxy.Win32.Webber.a

    Webber (aka Heloc) is a Win32 Trojan program that installs a hidden proxy server on victim machines (with up to 100 connections) and reports IP addresses and cached passwords of victim machines to its 'master'. The Trojan also downloads (from a URL) and executes other EXE files such as its...

    5. TrojanProxy.Win32.Webber.h

    This Trojan runs under Windows. It creates a hidden proxy server (allowing up to 100 connections) and then sends the IP address of the victim machine and cached passwords to its creator. It also downloads additional .exe files from a web site, and updates itself by executing these files on the...

    Trojan Spies

    1. Trojan-PSW.Win32.Lineage.by

    This program is written in Delphi and is not packed at all. It is a DLL file approximately 120 KB in size. It is unable to auto-install, and therefore requires a special installation program. It functions as a key logger. It will search the victim machine for a window titled 'Lineage Windows...

    2. Trojan-Spy.HTML.Bankfraud.wThis Trojan program utilizes spoofing technology. It is made as a fake HTML page. It is madefor stealing information about clients of Washington Mutual Bank. It is sent as an importantmessage by Washington Mutual Bank: Dear Washington Mutual customer, Due to concerns forthe safety and integrity...

    3. Trojan-Spy.HTML.Bankfraud.dqThis Trojan is an email designed as a phishing attack, which steals confidential informationfrom Regions Bank customers. The email appears to be an important communication from thebank. It contains a graphic which shows the message text, and what appears to be a clickablelink. When the user...

    4. Trojan-Spy.HTML.Citifraud.aThis is a Trojan program made as a fake HTML page. It is made for stealing information about

  • 8/8/2019 About Malware,Virus

    32/123

    clients of Citybank. Was sent as an important message by Citybank. The clients were told thatthey had to submit their client information: Dear Citibank Account Holder, On January 10th2004 Citibank had to...

    5. Trojan-Spy.HTML.Fraud.genThis family of Trojans utilises spoofing technology. The Trojans themselves are contained infake HTML pages. Messages, purportedly from banks, financial institutions, internet stores,software companies etc. are sent to users. These messages contain a link to the fake page; thislink exploits the...

    6. Trojan-Spy.HTML.Smitfraud.cThis Trojan program utilizes spoofing technology. The Trojan is represented by a fake HTMLpage. It is used for stealing confidential information about clients of Smith Barney financialcompany (www.smithbarney.com). It is sent by email as an important message from SmithBarney company with the...

    7. Trojan-Spy.HTML.Smitfraud.a

    This Trojan program utilizes spoofing technology. The Trojan is represented by a fake HTML page. It is used for stealing confidential information about clients of Smith Barney financial company (www.smithbarney.com). It is sent by email as an important message from Smith Barney company with the...

    8. Trojan-Spy.Linux.Logftp

    This Trojan is a standard Berkeley ftp client compiled on Mandrake Linux 9.1, with a twist: it logs all hosts, usernames and passwords used to connect to ftp sites to a file named /tmp/.tmp, in the following format: Host: %ftp name% Login: %login% Pass: %password% Different connection logins are...

    9. Trojan-Spy.Win32.Banker.u

    This Trojan spy program is designed to steal confidential financial information. It also has a backdoor function. The Trojan itself is a Windows PE EXE file approximately 10KB in size, packed using UPX. The unpacked file is approximately 75KB in size. When installing itself to the system, the...

    10. Trojan-Spy.Win32.GreenScreen.099

    This is a spy trojan that installs itself to the system, hides itself and then captures screen images and saves them to disk files in encrypted form. Thus it allows a hacker to watch screen images. The trojan itself is a Windows PE EXE file, compressed by AsPack, written in Delphi. The trojan size...


    Other Malware

    Other malware includes a range of programs that do not threaten computers directly, but are used to create viruses or Trojans, or used to carry out illegal activities such as DoS attacks and breaking into other computers.

    DoS and DDoS Tools
    Hacker Tools and Exploits
    Flooders
    Constructors and VirTools
    FileCryptors and PolyCryptors
    PolyEngines
    Nukers

    DoS and DDoS Tools

    These programs attack web servers by sending numerous requests to the specified server, often causing it to crash under an excessive volume of requests. If the server is not backed by additional resources, it will signal the failure to process requests by denying service. This is why such attacks are called Denial of Service attacks.

    DoS programs conduct such attacks from a single computer with the consent of the user. Distributed Denial of Service (DDoS) attacks use a large number of infected machines without the knowledge or consent of their owners. DDoS programs can be downloaded onto victim machines by various methods. They then launch an attack either based on a date included in the code or when the 'owner' issues a command to launch the attack.

    Worms can carry a DoS procedure as part of their payload. For instance, on August 20, 2001, the CodeRed worm launched a successful attack on the official web site of the President of the USA (www.whitehouse.gov). Mydoom.a contained DDoS code directed against SCO's corporate site. The company, a Unix developer, closed the site on February 1, 2004, shortly after the beginning of the DDoS attack and moved it to a different URL.

    Hacker Tools and Exploits

    These utilities are designed to penetrate remote computers in order to use them as zombies (by using backdoors) or to download other malicious programs to victim machines.

    Exploits use vulnerabilities in operating systems and applications to achieve the same result.

    Flooders

    These utilities are used to flood data channels with useless packets and emails.

    Constructors and VirTools

    Virus writers use constructor utilities to create new malicious programs and Trojans. Constructors for creating macro-viruses and viruses for Windows are known to be in existence. Constructors can be used to generate virus source code, object modules and infected files.

    Some constructors come with a user interface where the virus type, objects to attack, encryption options, protection against debuggers and disassemblers, text strings, multimedia effects etc. can be chosen from a menu. Less complex constructors have no interface, and read information about the type of virus to be built from the configuration file.

    VirTools are all utilities created to simplify virus writing. They can also be used to analyze viruses to see how they can be used in hacking attacks.

    FileCryptors and PolyCryptors

    These are hacker utilities used by virus writers to encrypt malicious programs to prevent them being detected by antivirus software.

    PolyEngines

    Polymorphic generators are not viruses in the true sense of the word. They do not propagate by opening, closing or writing code into files or reading and writing sectors. These programs encrypt the body of the virus and generate a de-encryption routine.

    Virus writers usually spread polymorphic generators as archived files. The main file in a generator archive is the object module which contains the actual generator. This module always contains an external function that calls the generator.

    Nukers

    Hackers use these utilities to crash attacked machines by sending specially coded/phrased requests. These requests exploit vulnerabilities in applications and operating systems to cause fatal errors.

    Denial-of-Service Attack Tools

    1. DoS.Win32.DieWar

    This program is a realized DoS attack on one of the more popular ftp-servers for Windows 95/98/NT - War-FTPD v1.70. It makes many connections to an ftp-server resulting in a denial of service. This program also can disturb the operation of other ftp's in a Unix system - wu-ftpd, proftpd,...

    Hacker Tools and Exploits

    1. Exploit.CodeBaseExec

    The suspicious message "Exploit.CodeBaseExec" means that the HTML page being scanned contains code exploiting the Microsoft Internet Explorer Arbitrary Program Execution Vulnerability, aka the Local Executable Invocation via Object tag vulnerability. Microsoft Internet Explorer 5.01, 5.5 and 6.0 treat...

    2. Exploit.HTML.DialogArg

    This file has been detected because it contains an instruction which attempts to download and install a malicious program on your computer by using a security breach in Internet Explorer.

    3. Exploit.HTML.Mht

    This file has been detected because it contains an instruction which attempts to download and install a malicious program on your computer by using a security breach in Internet Explorer.

    4. Exploit.HTML.Objdata

    ObjData is an exploit often seen in spam mailings. ObjData attempts to use the Object Type Vulnerability and two vulnerabilities that could allow an attacker to cause arbitrary code to run on the user's system in MS Windows described in the following Security Bulletins: Microsoft Security...

    5. Exploit.IFrame.FileDownload

    Exploit takes advantage of a security breach in MS Internet Explorer 5.01, 5.5 and Outlook. Some Internet worms use this breach to activate themselves from HTML e-mail messages. Examples of such worms are: Aliz, BadtransII, Nimda, and Toil. This vulnerability allows for the opening or previewing...

    6. Exploit.IIS.Beavuh

    Beavuh is a malware exploit of the so-called MS IIS ".printer" vulnerability, which is described by Microsoft in the "Security Bulletin MS01-23", released May 1, 2001. The MS01-23 Security Bulletin can be viewed at the following location:...

    7. Exploit.JS.ActiveXComponent

    This is an MS Internet Explorer and Outlook security breach (com.ms.activeX.ActiveXComponent security vulnerability). The security flaw allows remote scripts and HTML pages to access any ActiveX control installed on a victim's computer. The remote script can gain full control over a victim's...

    8. Exploit.Linux.Lacksand

    This exploit is written in C, and is approximately 16KB in size. It uses a loophole present in NIPrint LPD-LPR Print Server versions 4.10 and lower.

    9. Exploit.Linux.SSHD22.a

    Under the SSHD22 name KAV detects a couple of tools widely used on the Internet by hackers to compromise systems vulnerable to the security flaw known as the "SSH CRC-32 compensation attack". Initially reported in October 2001, (for details you may check the CERT advisory 2001-35, at: http:...

    10. Exploit.Win32.MS04-028.gen

    Kaspersky Lab provides a generic detection for JPEG files that contain an exploit for the MS04-028 vulnerability (also known as the buffer overrun in JPEG processing (GDI+) could allow code execution). JPEG files affected by this vulnerability could contain executable code which is executed...


    Flooders

    1. Email-Flooder.Win32.FriendGreetings

    Advert.FriendGreetings is an electronic post card program that once installed, unlike other similar programs, sends out emails to all addresses found in a victim computer's Microsoft address book. This obnoxious feature has led some anti-virus companies to classify this program as a "worm". If a...

    2. Flooder.Win32.Fuxx

    This program permits a flood-adjusted cellular-phone SMS message. In order to send SMS, the program uses the following gateways: www.free-sms.com, sms-link.btn.de, www.nm-info.de, www.pcteam.de, www.mobidig.net, www.lycos.de

    Virus Construction Tools

    1. Constructor.DOS.G2

    G2 ('the second Generation in Virus Creation') is a virus creator. It produces viral assembler source of different virus types. The characteristics of the G2-based virus are selected by editing a configuration file. There are several options: infect COM, EXE or both; resident or nonmemory resident;...

    2. Constructor.DOS.BWG

    Constructor creates batch payload programs. It is written in Basic for DOS. It creates payload programs of the following types: internet worms, mIRC worms, pIRC worms, installing to the win.ini, installing to the system registry startup key, installing to the startup directory, deletes antivirus...

    3. Constructor.DOS.Dreg

    DREG (Digital Hackers' Alliance Randomized Encryption Generator) is a virus constructor. It creates virus source codes (ASM files), then runs TASM and TLINK to compile these sources to executable files. DREG creates nonmemory resident encrypted COM viruses. They search for COM files in the...

    4. Constructor.DOS.IVP_10

    IVP ('INSTANT VIRUS PRODUCTION KIT') is a virus creation kit. It produces viral assembler source of different virus types. The characteristics of the IVP-based viruses are selected by editing a configuration file. There are several options: infect COM, EXE or both; encrypted or not; INT 24h hooking...

    5. Constructor.DOS.NRLG

    NRLG (NuKE Randomic Life Generator) constructor creates encrypted memory resident COM/EXE DOS viruses. While creating a virus, the user may select the en/decryption code - the virus generates randomly selected codes and displays them on the screen.

    6. Constructor.DOS.PS-MPC

    PS-MPC (The Phalcon/Skism Mass-Produced Code Generator) is the second most known virus constructor, after VCL. The features of that constructor are described in the documentation that is distributed in the main PS-MPC package: The Phalcon/Skism Mass-Produced Code Generator is a tool, which...

    7. Constructor.DOS.VCL

    The virus constructor utility VCL.EXE (Virus Creation Laboratory) seems to be the most well-known virus creation tool. This constructor can generate source assembler files of the viruses, OBJ modules and infected master files. VCL contains the standard pop-up menu interface. By using VCL menus, it...

    8. Constructor.MSWord.Cvck

    This is a CVCK-based virus. It contains 11 macros: AutoExec, AutoOpen, Action, Action2, stdClose, HelpAbout, Organizer, ActionDate, ToolsMacro ( + ), FileTemplates, and ToolsCustomize. It infects the global macros area upon the opening of an infected document, and is written to documents upon...

    9. Constructor.MSWord.DW97Mvck

    This is a macro Word97 virus construction tool. The constructor itself is a Word97 document that contains seventeen modules: DW97MVCK, frmStartForm, frmVirusSourceName, frmVirusBody, frmStealth, frmRetro, frmPolymorphic, frmPayload, frmPayloadMessageBox, frmPayloadSetPassword, frmPayloadBeep,...

    10. Constructor.MSWord.NTVCK

    This is a Word2000 macro-virus construction tool. The constructor itself is a Word2000 document that contains 14 modules: NTVCK, frmPlugin, Main, frmSecret, frmcontact, frminfection, KillAV, frmPayload, frmStart, frmGreetz, frmAuthor, Ende, frmname, and boom. When run, the constructor displays a...

    Malware-Related Programs

    This is a tricky category, since it includes any legal software that hackers use to penetrate computers. There is no predicting what software might fall into this group, as it depends on the inventiveness of the computer underground. Once software has been identified as usable by hackers, they can download it without the knowledge or consent of a user to a victim machine and control it without triggering antivirus solutions or other security software. If legal software is used skillfully for illegal means, it can be extremely difficult to detect.

    Dialers
    Downloaders
    FTP Servers
    Proxy Servers
    Telnet Servers
    Web Servers
    IRC Clients
    PSWTool
    RemoteAdmin
    Tools
    Crackers
    Bad Jokes and Hoaxes

    Dialers

    These programs do not harm the machine they are installed on. However, there can be serious financial consequences if such programs are not detected and deleted. Website owners use such programs to cause infected machines to call pay-to-view sites. More often than not these are pornographic sites. Although the computer itself is undamaged, a large phone bill makes these programs extremely unwelcome to computer and network owners.

    Dialers come in two varieties: Trojan dialers and malicious dialers. Trojan dialers are installed without the knowledge or consent of the user and dial pay-to-view sites automatically. Malicious dialers, on the other hand, inform the user of what calls are being made, and how much the calls will cost. Such dialers can be deinstalled using standard procedures. This second group could be classified as malicious, since the initial installation occurs without the consent of the user, but they offer the user a chance to decide what action to take.

    Downloaders

    Even legal downloading utilities can be dangerous, since they are usually programmed to function in background regime, without direct intervention from the user. It is easy for a hacker to substitute links to infected resources for safe download sites, leading to malware being downloaded to the victim machine without the user's knowledge.

    FTP Servers

    These are utilities which can be used to gain remote access to files. Once installed on a system by a hacker, it is possible for remote users to download any files from the victim machine, and also track activity on the infected computer.

    Proxy Servers

    These utilities were originally developed to secure internal networks by separating internal addresses from external users. However, hackers use them to connect anonymously to the Internet: the address of the proxy-server will be substituted for the hacker's real address.

    Telnet Servers

    These utilities were developed to provide remote access to resources on other machines. Hackers use them to gain full access to victim machines.

    Web Servers

    Web servers are utilities providing access to Web pages which are located in a defined area of the file system. They are used by hackers to gain full access to the victim machine file system.

    IRC Clients

    These utilities provide access to IRC channels. Many IRC clients, especially mIRC, incorporate powerful script languages which automate the IRC client. This functionality can be exploited to write Trojans and IRC worms. When installing a Trojan IRC program on a victim machine, hackers will often also surreptitiously install an IRC client as well.

    Monitor

    These are legal utilities which monitor computer and user activity. Commercial versions of such utilities exist. Normally information on activity is saved to disk or sent to a specified email address. Monitoring programs differ from Trojan spy programs only in that they do not mask their presence in the system, and it is possible to deinstall them.

    PSWTool

    Such utilities restore lost passwords. They normally display information about the password on screen or save it to disk. When used in a hacker attack, this information will be sent to the remote attacker.

    RemoteAdmin

    These remote administration tools provide hackers full control over the victim machine.

    Tools

    This category includes other free and commercial programs which are frequently used for malicious purposes.

    Crackers

    These programs are not viruses or trojans, but hackers' programs for hacking different kinds of software. Usually they are harmless to the installed software and just remove the copy and/or key protection in the protected programs.

    Bad Jokes and Hoaxes

    This group includes programs that do not cause any direct damage to the infected machine. However, they launch fake warnings about purported damage that has been or will be done. These can be messages warning users that drives have been reformatted, that a virus has been found, or that symptoms of infection have been detected. The possibilities are limited only by the so-called sense of humor of the virus writer responsible for a program.

    Not-A-Viruses

    1. not-a-virus:AdWare.Cydoor

    The program normally contains the following files: cd_clint.dll, cd_load.exe, cd_htm.dll, cd_swf.dll, iMesh.ex The cd_clint.dll file provides the main functionality. The program is capable of working with P2P networks such as Kazaa and Imesh. The program creates the following registry keys:...

    2. not-a-virus:AdWare.WildTangent.a

    This program is effectively harmless. However, it can be installed on the victim machine without the user's knowledge or consent. The program is a DLL file approximately 280KB in size, written in Visual C++. No packer is used. The file is often called wtkernel0100.dll The program is a web driver...

    3. not-a-virus:JavaClass.Port25

    This JavaClass.Port25 applet contains the "paint" function. This function is named after the HTML file with the same name. While starting it creates a new socket for the host www.netscape.com:25. If the connection is successful the function will display the following message: Success connecting to...

    4. not-a-virus:Tool.Win32.AIDA.3862

    This program will harvest information about the infected computer, including all system components. It incorporates tests which can be used to check system performance and functionality. It may send this data to another computer, and it's possible that this information may be used to semi-automate a...

    5. not-a-virus:Tool.Win32.Reboot

    This program is detected by Kaspersky Anti-Virus extended databases. When launched the program will restart Windows, and either shut down the computer or end the current user's session. It does not have any other payload, but it may be used by other malicious programs as a utility. The file name...

    6. not-a-virus:Tool.Win32.RegPatch.a

    This program is approximately 5KB in size (when packed) and packed using UPX. It is designed to change system registry values. The file overlay contains an encrypted (xor 90h) .REG file. When launched, the file is saved in C:\ParaTemp.reg using the following command: regedit.exe -s C:\ParaTemp.reg....

    7. not-a-virus:Tool.Win32.TPE.a

    This program is a patch constructor i.e. it can be used to create programs which will modify other software. It has a wide range of functionality and configuration options. The program is used to produce small (less than 20KB) EXE files, which will modify other program files and the system registry....
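The RegPatch.a entry above describes a .REG file carried in the PE overlay, XORed with 90h. The following is an added analyst's helper, not code from the page or from any product it describes: it locates the overlay by walking the PE section table, reverses the XOR and checks that the result looks like a .REG file. The sample PE image and its .REG content are constructed here for the demonstration.

```python
import struct

# Key the page gives for the overlay: the .REG file is stored XORed with 90h.
XOR_KEY = 0x90


def pe_overlay_offset(data: bytes) -> int:
    """Return the file offset at which the overlay (data past the last section) begins.

    Raises ValueError when the input is not a PE image. The offset equals
    len(data) when the file carries no overlay.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                        # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_opt = struct.unpack_from("<H", data, coff + 16)[0]
    sec_table = coff + 20 + size_of_opt        # first IMAGE_SECTION_HEADER
    end = sec_table + 40 * num_sections        # headers themselves, at minimum
    for i in range(num_sections):
        hdr = sec_table + 40 * i
        size_raw, ptr_raw = struct.unpack_from("<II", data, hdr + 16)
        end = max(end, ptr_raw + size_raw)
    return min(end, len(data))


def decode_overlay_reg(data: bytes) -> bytes:
    """XOR the overlay with 90h and check that the result looks like a .REG file."""
    overlay = data[pe_overlay_offset(data):]
    if not overlay:
        raise ValueError("file has no overlay")
    decoded = bytes(b ^ XOR_KEY for b in overlay)
    # REGEDIT4 is the ANSI header; version 5.00 files start with a UTF-16 BOM.
    if not (decoded.startswith(b"REGEDIT4") or decoded.startswith(b"\xff\xfe")):
        raise ValueError("overlay does not decode to a .REG file with key 90h")
    return decoded


# --- constructed sample, not a real malware file ------------------------------
SAMPLE_REG = (b"REGEDIT4\r\n\r\n"
              b"[HKEY_CURRENT_USER\\Software\\ExampleVendor]\r\n"
              b"\"Setting\"=\"value\"\r\n")


def build_sample_pe(reg: bytes) -> bytes:
    """Minimal one-section PE image with the XOR-encoded .REG appended as overlay."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)  # 1 section, no optional header
    # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, 16 zero bytes
    section = b".text\0\0\0" + struct.pack("<IIII", 0x10, 0x1000, 0x10, 0x80) + bytes(16)
    image = bytes(dos) + b"PE\0\0" + coff + section                # headers end at 0x80
    image += bytes(0x10)                                            # section raw data at 0x80
    return image + bytes(b ^ XOR_KEY for b in reg)                  # overlay starts at 0x90


SAMPLE_PE = build_sample_pe(SAMPLE_REG)

if __name__ == "__main__":
    print(f"overlay at 0x{pe_overlay_offset(SAMPLE_PE):x}")
    print(decode_overlay_reg(SAMPLE_PE).decode("ascii"))
```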

    Hoaxes and Jokes

    1. not-a-virus:Joke.Win32.Buttons.a

    This is a joke program, not a virus or trojan, but it operates so that it may annoy a user. When run it displays the message box: The Button Generator Would you like some buttons? [Yes] [No] In case of "No" the program just exits. In case of "Yes" it displays several dozens of "Press me" message...

    2. not-virus:BadJoke.Win16.Aloap

    This is a joke program, not a virus or trojan, but its manifestation is trojan-like and can frighten a user. When run it randomly moves all applications' windows on the screen ("shakes" all windows, active window and background ones). The joke program itself has a hidden (not visible) window and to...

    3. not-virus:Joke.JS.Spawn.b

    Spawn is a "joke". Once the JavaScript contained within the infected document's HTML is launched, the user's Internet Explorer browser window begins to move around. Besides this several more IE windows open in the background.

    4. not-virus:Joke.Win32.Errore

    This "bad joke" simulates the Windows format functionality. When it is executed, it displays several fake "error messages" such as: "Errore interno di Windows 345 all'indirizzo 4E6F:942A", "Errore interno di Windows 591 all'indirizzo 93C0:6210", "Errore interno di Windows 712 all'indirizzo 7ED5:..."

    5. not-virus:Joke.Win32.FakeFormat.a

    Fake Format simulates the Windows format functionality. Once the program is run, no matter which buttons are chosen, Fake Format starts to format the drive. The user is unable to stop, interrupt, or cancel this format. Once the fake formatting has been completed, the standard Windows format summary...

    6. not-virus:Joke.Win32.JepRuss

    JepRuss is a joke program - it is not a virus or a Trojan program. It displays very scary messages that can really frighten users. When this program launches it displays a standard message window with the text: Please Wait. Initialising... In a moment it displays a dialog box with the...

    Who Writes Malicious Programs and Why?

    Virus writers: four general types

    Virus writers belong to one of four broad groups: cyber-vandals, who can be divided into two categories, and more serious programmers, who can again be split into two groups.

    Cyber vandalism - stage 1

    In the past, most malware was written by young programmers: kids who had just learned to program and wanted to test their skills. Fortunately most of these programs did not spread widely - the majority of such malware died when disks were reformatted or upgraded. Viruses like these were not written with a concrete aim or a definite target, but simply for the writers to assert themselves.

    Cyber vandalism - stage 2

    The second largest group of contributors to malware coding were young people, usually students. They were still learning programming, but had already made a conscious decision to devote their skills to virus writing. These were people who had chosen to disrupt the computing community by committing acts of cyber hooliganism and cyber vandalism. Viruses authored by members of this group were usually extremely primitive and the code contained a large number of errors.

    However, the development of the Internet provided space and new opportunities for these would-be virus writers. Numerous sites, chat rooms and other resources sprang up where anyone could learn about virus writing: by talking to experienced authors and downloading everything from tools for constructing and concealing malware to malicious program source code.

    Professional virus writers

    And then these 'script kiddies' grew up. Unfortunately, some of them did not grow out of virus writing. Instead, they looked for commercial applications for their dubious talents. This group remains the most secretive and dangerous section of the computer underground: they have created a network of professional and talented programmers who are very serious about writing and spreading viruses.

    Professional virus writers often write innovative code designed to penetrate computers and networks; they research software and hardware vulnerabilities and use social engineering in original ways to ensure that their malicious creations will not only survive, but also spread widely.

    Virus researchers: the 'proof-of-concept' malware authors

    The fourth and smallest group of virus writers is rather unusual. These virus writers call themselves researchers, and they are often talented programmers who devote their skills to develo