Main Menu
Home
Bookmark
Contact Us

Categories
  Adware
  Adware Bundler
  AOL Exploit
  Backdoor
  Browser Hijacker
  Browser Plug-in
  Commercial Key Logger
  Commercial Remote Control
  Cookie
  Dialer
  E-Mail Flooder
  Hostile ActiveX Control
  ICQ Exploit
  Joke Program
  Key Logger
  Loader
  Low Risk Adware
  Misc
  Nuker
  P2P
  Password Hijacker
  Potential Privacy Risk
  Potentially Dangerous Tools
  RAT
  Search Hijacker
  Security Disabler
  Spyware
  Stealth Notifier
  Surveillance
  Toolbar
  Trojan
  Trojan Downloader
  Trojan FTP
  Trojan Telnet
  Viruses
  Worm
 


 
I-Worm.Stopin. Viruses Information

Name: I-Worm.Stopin.
Category: Viruses
Description: Details
I-Worm.Stopin.a

This is a virus-worm that spreads via the Internet attached to infected e-mail. The worm itself is a Windows PE EXE file about 30Kb in length (compressed by UPX, decompressed size is about 85K), written in Borland C++.
Infected messages contain:
Subject: Secret for youall
Body:
Hi Friend,
I send you my last work.
Mail me if you have some suggests.
See you soon. Best Regards.
Attachment: My_Work.exe

The worm activates from an infected e-mail only when a user clicks on the attached file. The worm then installs itself to the system, runs its spreading routine and payload.
Installing
While installing, the worm copies itself to the Windows system directory with the MSGDI32.EXE name and registers this file in the system registry auto-run key:
HKLMSoftwareMicrosoftWindowsCurrentVersionRun
Microsoft GDI 32 bits = %SystemDir%MSGDI32.EXE
The worm then displays a fake error message and exits:

While installing, the worm also looks for and terminates the following applications:
AVP32.EXE
AVPCC.EXE
AVPM.EXE
WFINDV32.EXE
F-AGNT95.EXE
NAVAPW32.EXE
NAVW32.EXE
NMAIN.EXE
PAVSCHED.EXE
ZONEALARM.EXE

Spreading
Upon next start-up (being run by Registry "Run=" key), the worm activates its e-mail spreading routine. To send infected messages, the worm uses Win32 MAPI functions. To get victim e-mail addresses, the worm looks for and scans the following files:
*.HTM
*.HT*
*.DOC

Payload
On the 7th of any month, the worm displays the following message:

On the 11th of any month, it displays the following text:
Can we try to stop the conflicts ? YES OF COURSE !'
On the 28th, it creates the "StopIntifada.htm" file, writes the following text to there and opens it:
Stop Violence between Palestinians and Israeli
HOW TO STOP THE VIOLENCE
-THE ISRAELIS:
To take the israelis tank out of the palestinians autonomous city.
Don't bomb civil place after a terrorist bomb attack.
To arrest and to kill the leaders of terrorist groups.
-THE PALESTINIANS:
To stop to provoke the israelis army.
To stop the terrorist attacks.
-THE BOTH:
To try to accept the other people.
TO ORGANIZE A MEETING BETWEEN ARIEL SHARON AND YASSER ARAFAT !
Thanx to read this.



Top Viruses Visited Pages:
Invader. - 239 visits
not-a-virus:RiskWare.Tool.RegPatch. - 72 visits
Worm.P2P.Harex. - 66 visits
not-a-virus:RemoteAdmin.Win32.RAdmin.2 - 60 visits
Small.58. - 56 visits
Coito.64 - 54 visits
I-Worm.Mapson. - 48 visits
Win16.Klon.1177 - 42 visits
Win32.Hidra - 42 visits
Marine.500 - 35 visits

Random Viruses Pages:
DAME-based Viruse
OS2.MyNam
Radish.844
Wormsign.171
Win95.Shoere
Win95.Zom.86
I-Worm.Sysi
Timishoara.213
Net-Worm.Win32.Mytob.
Anni famil


 

© 2006-2008 spyware32.com - Privacy Policy