Main Menu
Home
Bookmark
Contact Us

Categories
  Adware
  Adware Bundler
  AOL Exploit
  Backdoor
  Browser Hijacker
  Browser Plug-in
  Commercial Key Logger
  Commercial Remote Control
  Cookie
  Dialer
  E-Mail Flooder
  Hostile ActiveX Control
  ICQ Exploit
  Joke Program
  Key Logger
  Loader
  Low Risk Adware
  Misc
  Nuker
  P2P
  Password Hijacker
  Potential Privacy Risk
  Potentially Dangerous Tools
  RAT
  Search Hijacker
  Security Disabler
  Spyware
  Stealth Notifier
  Surveillance
  Toolbar
  Trojan
  Trojan Downloader
  Trojan FTP
  Trojan Telnet
  Viruses
  Worm
 


 
I-Worm.Musi Viruses Information

Name: I-Worm.Musi
Category: Viruses
Description: Details
I-Worm.Music

This is an Internet virus-worm written in VisualBasic. It is a three-component Windows EXE file that spreads via e-mail. The worm has an entertaining payload to hide its main activity: it displays a Christmas scene and plays a tune. The infected message's Subject and Text are:
Subject: Testing to send file
Text: Hi, just testing email using Merry Christmas music file, not bad music.
or:
Text: Hi, just testing email using Merry Christmas music file, you'll like it.
The worm has three components: Dropper, Sender and WinSock library.
1. The worm dropper is sent attached to e-mails. When it is being run, it copies itself to the Windows system directory with SYSMCM.EXE and registers in the auto-run registry key, as well as plays a tune and displays pictures to hide itself.
This worm component doesn't send any messages. To spread further, the worm connects to Internet sites and obtains the rest of its components from there, and copies to the Windows directory with the names: SYSDRV.EXE and SYSTMP.DLL.
2. Second worm component (Sender), is obtained from an Internet site and copied to the Windows system directory. It then obtains e-mail addresses from the Windows Address Book and sends infected messages (with a Dropper attached) there.
3. WinSock library is a standard MS Visual Studio DLL library that is used to access Windows sockets.
The worm is able to upgrade its components from an Internet site: it downloads three files from there (that are supposed to be its plugins), detects their versions, and if these versions are above those currently used, the worm replaces its components with new ones. So the worm is able to change its functionality depending on its author needs.
The worm creates a new registry key to run itself upon each Windows startup:
HKLMSoftwareMicrosoftWindowsCurrentVersionRun
SysDrv = %SystemDir%sysmcm.exe
It also creates one more key where it stores its internal data:
HKLMSoftwareMicrosoftMCM
FirstRun
LastRun
RunMCM
Status
SMTP
Version = 001111




Top Viruses Visited Pages:
Invader. - 239 visits
not-a-virus:RiskWare.Tool.RegPatch. - 72 visits
Worm.P2P.Harex. - 66 visits
not-a-virus:RemoteAdmin.Win32.RAdmin.2 - 60 visits
Small.58. - 56 visits
Coito.64 - 54 visits
I-Worm.Mapson. - 48 visits
Win16.Klon.1177 - 42 visits
Win32.Hidra - 42 visits
Marine.500 - 35 visits

Random Viruses Pages:
Trojan-Dropper.Win32.Small.y
Hungry.63
Pandor
Kerplunk.305
Win95.Youd.138
Macro.Word97.Presiden
HooDoo.261
I-Worm.Totili
Iron.18
Tver.30


 

© 2006-2008 spyware32.com - Privacy Policy