I-Worm.Pla Viruses Information

Name: I-Worm.Pla
Category: Viruses
Description: Details
I-Worm.Plan

This is a variant of the IWorm_LoveLetter Internet worm; it spreads in the same way as the "LoveLetter" worm does.
The worm uses different variants of the message subject and body. They may be empty or contain the following text:
Subject: US PRESIDENT AND FBI SECRETS =PLEASE VISIT => (http://WWW.2600.COM)<=
Message: VERY JOKE..! SEE PRESIDENT AND FBI TOP SECRET PICTURES..
The subject and message body may also be randomly generated; the result looks like the following: "JUIEDO", "TIPOWU", "RESEAU", "HIKOGU", etc.
The attached file name is also randomly constructed (in the same way as above) and has one of the following extensions:
".GIF.vbs"
".BMP.vbs"
".JPG.vbs"
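
The attachment naming described above (an image extension placed in front of ".vbs") is something a mail gateway can check for. The following Python sketch is an added example, not part of the original write-up; it generalizes to other decoy and script extensions, and those wider extension sets, the function names and the sample messages are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# .GIF/.BMP/.JPG + .vbs come from the write-up; the wider sets are assumptions.
DECOY_EXTS = {"gif", "bmp", "jpg", "jpeg", "png", "txt", "doc"}
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsh", "hta"}
KNOWN_SUBJECT = "US PRESIDENT AND FBI SECRETS"  # fixed subject quoted in the write-up


def double_extension(filename):
    """Return (decoy, script) when the name ends in .<decoy>.<script>, else None."""
    # Windows ignores trailing dots and spaces, so drop them before splitting.
    parts = filename.lower().rstrip(". ").split(".")
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS and parts[-1] in SCRIPT_EXTS:
        return parts[-2], parts[-1]
    return None


def inspect_message(raw_bytes):
    """Return the reasons to quarantine a raw RFC 5322 message (empty list = none)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    if KNOWN_SUBJECT in str(msg.get("Subject", "")).upper():
        reasons.append("subject contains the fixed text")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        hit = double_extension(name)
        if hit:
            reasons.append(f"attachment {name!r}: .{hit[0]} decoy before .{hit[1]} script")
    return reasons


def sample_message(subject, filename):
    """Build a constructed test message with a harmless placeholder attachment."""
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content("constructed body")
    m.add_attachment(b"placeholder bytes", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for subj, fname in [("JUIEDO", "TIPOWU.JPG.vbs"), ("Minutes", "notes.txt"),
                        ("US PRESIDENT AND FBI SECRETS =PLEASE VISIT", "HIKOGU.GIF.vbs")]:
        print(subj, "->", inspect_message(sample_message(subj, fname)))
```

Because the subject and file name are usually random, the double-extension test is the check that carries the weight; the fixed-subject match only catches the one variant quoted above.
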
When activated, the worm installs itself to the system. It copies itself to the Windows directory with the name "reload.vbs", and to the Windows system directory twice, once with the name "LINUX32.vbs" and once with a randomly constructed name, and registers the first two files in the system registry auto-run section.
The worm also drops an HTML file named "US-PRESIDENT-AND-FBI-SECRETS.HTM", but does not use it in any way.
The worm then connects to MS Outlook and spreads to all addresses listed in the address book. It then affects files on all drives; the list of affected extensions is as follows:
VBS VBE JS JSE CSS WSH SCT HTA JPG JPEG MP3 MP2
The worm also downloads files from a Web site:
http://members.fortunecity.com/plancolombia/macromedia32.zip
http://members.fortunecity.com/plancolombia/linux321.zip
http://members.fortunecity.com/plancolombia/linux322.zip
The first file is just plain text; the two other files are pictures in BMP format. It then moves these files into the Windows directory with the names:
macromedia32.zip -> important_note.txt
linux321.zip -> logos.sys
linux322.zip -> logow.sys
and replaces two standard Windows logos as a result.
The worm has a payload routine that is activated on September 17th. That routine unmaps all network drives and displays the message:
Dedicated to my best brother=>Christiam Julian(C.J.G.S.)
Att. [random] (M.H.M. TEAM)
where "random" is a random five-letter word.
The worm also contains comments in its body:
===============================================================================================
"Plan Colombia" virus v1.0
by Sand Ja9e Gr0w (www.colombia.com)

Dedicated to all the people that want to be hackers or crackers, in Colombia
This program is also a protest act against the violence and corruption that Colombia livesall
I always wanting that all this finishes, I have said...


Santa fe de Bogotá 2000/09
I dedicate to all you the song "GoodBye" of Andreas Bochelli
=================================================================================================


Thanks God..!
A greeting for "Lina María" from "Santa fe de Bogotá"
A greeting for "Tizo" from "Spain"
And One kicked of tail to my friends, "eL ChE" and "ThE SpY"



© 2006-2008 spyware32.com - Privacy Policy