
The Kaspersky Lab Electronic Newsletter #28

17 October 2002

Network Worms: I-Worm.Chet, I-Worm.Gismor, I-Worm.Pepex, Worm.P2P.Relmony
Windows Viruses: Win32.Ramlide, Win32.Porex
Linux Viruses: Linux.Gildo
Trojan Programs: Backdoor.Cabrotor, Trojan.Spy.GreenScreen
Macro Viruses: Macro.Word97.Nori
Virus Constructors: Constructor.VBS.SSIWG

Network Worms

I-Worm.Chet

"Chet" is a worm virus spreading via the Internet as an attachment to infected emails. The worm itself is a Windows PE EXE file about 27KB in length and is written in Microsoft Visual C++. The worm activates from infected email messages only when a user clicks on the attached file. The worm then installs itself to the system and runs a spreading routine.

I-Worm.Gismor

"Gismor" is a worm virus spreading via the Internet as an attachment to infected emails. The worm itself is a Windows PE EXE file about 8KB in length and is written in Assembler. Infected messages contain the following attributes (message fields):
Mail From:
From: MP3 Deluxe
To: My best friends
Subject: Phenomenal
Body: body is empty
Attach: MP3Player.exe
To run from infected messages the worm uses the IFrame security breach. "Gismor" then installs itself to the system and runs its spreading routine.

I-Worm.Pepex

"Pepex" is a worm virus spreading via the Internet as an attachment to infected emails and also through the Kazaa network and IRC channels. The worm itself is a Windows PE EXE file about 32KB in length (when compressed by UPX; the decompressed size is about 80KB). "Pepex" is written in Microsoft Visual C++. Infected messages have the following message field attributes:
From: "Microsoft"
Reply-To: "Microsoft"
Subject: Internet Explorer vulnerability patch
Body: You will find all you need in the attachment.
Attach: setup.exe
The worm activates from infected emails only when a user clicks on the attached file. "Pepex" then installs itself to the system and runs its spreading routines.

Worm.P2P.Relmony

"Relmony" is an Internet worm that spreads in Kazaa and Morpheus peer-to-peer file exchange networks. The worm replicates by making copies of itself in these networks' shared folders. The worm is a Windows application (PE EXE file) about 29K in size and is written in Visual Basic.

Installation
The worm copies itself to the Windows auto-startup directories with the following names:
C:\WINNT\system32\config\systemprofile\StartMenu\Programs\Startup\system.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\system.exe

C:\WINDOWS\Start Menu\Programs\Startup\system.exe

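The Gismor and Pepex descriptions above give fixed message fields (subject line, attachment name) and, for Gismor, an HTML body that relies on an inline frame to run the attachment. The following mail-gateway check is an added example written for this newsletter page; it is not Kaspersky's code. It parses RFC 822 messages with Python's standard email module, matches the subject/attachment pairs quoted in the newsletter, and additionally flags any executable attachment and any HTML part containing an iframe. The three sample messages are constructed for the demo (sender addresses use the reserved example.invalid domain; the newsletter only gives display names).

```python
import email
from email import policy

# Subject/attachment indicators taken from the Gismor and Pepex entries in this newsletter.
KNOWN_LURES = (
    {"name": "I-Worm.Gismor", "subject": "Phenomenal", "attachment": "MP3Player.exe"},
    {"name": "I-Worm.Pepex", "subject": "Internet Explorer vulnerability patch",
     "attachment": "setup.exe"},
)
# Generic rule: executable attachments are blocked regardless of the lure text.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cpl")


def attachment_names(msg):
    """Filenames of every MIME part that declares one."""
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def html_has_iframe(msg):
    """True if any text/html part embeds an inline frame (the trick Gismor uses to auto-run)."""
    for part in msg.walk():
        if part.get_content_type() == "text/html" and "<iframe" in part.get_content().lower():
            return True
    return False


def classify(raw):
    """Return the list of findings for one message supplied as raw text."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip().lower()
    names = attachment_names(msg)
    findings = []
    for lure in KNOWN_LURES:
        if subject == lure["subject"].lower() and any(
                n.lower() == lure["attachment"].lower() for n in names):
            findings.append(lure["name"])
    findings += ["executable attachment: " + n for n in names
                 if n.lower().endswith(EXECUTABLE_EXTENSIONS)]
    if html_has_iframe(msg):
        findings.append("inline frame in HTML body")
    return findings


# Constructed sample messages (addresses and boundaries are made up for the demo).
GISMOR_SAMPLE = """\
From: MP3 Deluxe <mp3@example.invalid>
To: My best friends <friends@example.invalid>
Subject: Phenomenal
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="gismor-demo"

--gismor-demo
Content-Type: text/html; charset="us-ascii"

<html><body><iframe src="cid:part1" width="0" height="0"></iframe></body></html>
--gismor-demo
Content-Type: application/octet-stream; name="MP3Player.exe"
Content-Disposition: attachment; filename="MP3Player.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--gismor-demo--
"""

PEPEX_SAMPLE = """\
From: "Microsoft" <support@example.invalid>
Reply-To: "Microsoft" <support@example.invalid>
Subject: Internet Explorer vulnerability patch
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="pepex-demo"

--pepex-demo
Content-Type: text/plain; charset="us-ascii"

You will find all you need in the attachment.
--pepex-demo
Content-Type: application/octet-stream; name="setup.exe"
Content-Disposition: attachment; filename="setup.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--pepex-demo--
"""

BENIGN_SAMPLE = """\
From: Alice <alice@example.invalid>
To: Bob <bob@example.invalid>
Subject: Q3 report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="benign-demo"

--benign-demo
Content-Type: text/plain; charset="us-ascii"

Report attached.
--benign-demo
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--benign-demo--
"""

if __name__ == "__main__":
    for label, raw in (("gismor", GISMOR_SAMPLE), ("pepex", PEPEX_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, classify(raw))
```

The exact-match lure rules are brittle on purpose (they document the indicators from the newsletter); the executable-extension and iframe rules are what catch variants whose subject or attachment name changes.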

Windows Viruses

Win32.Ramlide

"Ramlide" is a non-dangerous, non-memory-resident, parasitic, encrypted Win32 virus. It infects Win32 applications only. While infecting, the virus encrypts itself and writes itself to the end of the file. When the infected file starts, the virus infects *.EXE, *.SCR and *.CPL files in the current directory, and then infects the following files in the Windows directory: CALC.EXE, NOTEPAD.EXE, CDPLAYER.EXE, WRITE.EXE, PBRUSH.EXE. On the 7th, 12th, 17th and 22nd of any month the virus drops the "ramlide.bmp" image file and registers it as the desktop wallpaper.

Win32.Porex

"Porex" is a memory-resident parasitic and companion Win32 virus. The virus itself is a Windows PE EXE file about 37KB in length and written in Microsoft Visual C++. The virus affects files of two types: Win32 PE executable files, and files with the .DOC filename extension. The virus affects files only if the file size is above 10KB and less than 21MB. The virus searches for victim files on all available drives and in all directories. While infecting EXE files the virus writes itself to the beginning of the file.

Linux Viruses

Linux.Gildo

"Gildo" is a non-dangerous, memory-resident parasitic virus. It was written in Assembler and uses system calls (syscall) when working with files. The virus infects ELF files and writes itself to the middle of these files. Once run, the virus divides its work into two tasks. The resident part scans the directories starting from the root. The virus checks the access rights of each file found; if the file is writable, the virus infects it. While infecting a file the virus increases the size of the code section by 4096 bytes and writes its code into the freed space. The virus then adjusts the parameters of the ELF sections above it and sets a new entry point for the file. The virus displays this message on each start:
Gildo virus
email Gildo@jazz.hm (for comments)
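The Gildo entry above describes the two things an ELF file infector has to change: the size of the code section and the entry point. The following checker is an added example written for this page, not Kaspersky's tool; it parses the ELF64 header and section table with Python's struct module, reports which section holds the entry point, and compares the .text size of a file against a known-good copy, which is the only way to notice a section that has simply grown. The three ELF images are built in memory by build_elf64 (constructed for the demo, with only a .text and a .shstrtab section; a real binary has many more).

```python
import struct

EHDR_FMT = "HHIQQQIHHHHHH"   # ELF64 header fields that follow the 16-byte e_ident
SHDR_FMT = "IIQQQQIIQQ"      # one ELF64 section header (64 bytes)
SHT_NULL, SHT_PROGBITS, SHT_STRTAB = 0, 1, 3


def parse_elf64(data):
    """Return (entry point, list of section dicts) for an ELF64 image of either endianness."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not an ELF64 file")
    end = "<" if data[5] == 1 else ">"
    (_, _, _, e_entry, _, e_shoff, _, _, _, _,
     e_shentsize, e_shnum, e_shstrndx) = struct.unpack_from(end + EHDR_FMT, data, 16)
    raw = [struct.unpack_from(end + SHDR_FMT, data, e_shoff + i * e_shentsize)
           for i in range(e_shnum)]
    str_off = raw[e_shstrndx][4]           # sh_offset of the section-name string table

    def name_at(idx):
        start = str_off + idx
        return data[start:data.index(b"\0", start)].decode()

    return e_entry, [{"name": name_at(s[0]), "type": s[1], "flags": s[2],
                      "addr": s[3], "offset": s[4], "size": s[5]} for s in raw]


def check_entry_point(data):
    """Report which section holds the entry point and whether that section is .text."""
    entry, sections = parse_elf64(data)
    holder = [s["name"] for s in sections
              if s["type"] != SHT_NULL and s["addr"] <= entry < s["addr"] + s["size"]]
    text = next((s for s in sections if s["name"] == ".text"), None)
    return {
        "entry": entry,
        "entry_section": holder[0] if holder else None,
        "entry_in_text": text is not None and text["addr"] <= entry < text["addr"] + text["size"],
        "text_size": text["size"] if text else None,
    }


def text_growth(baseline, candidate):
    """Bytes by which .text grew relative to a known-good copy of the same binary."""
    return check_entry_point(candidate)["text_size"] - check_entry_point(baseline)["text_size"]


def build_elf64(entry, text_size=0x100, text_addr=0x401000):
    """Constructed minimal ELF64: header, .text, .shstrtab and three section headers."""
    shstrtab = b"\0.text\0.shstrtab\0"          # name offsets: .text at 1, .shstrtab at 7
    text_off = 64
    shstr_off = text_off + text_size
    shoff = (shstr_off + len(shstrtab) + 7) & ~7  # section table, 8-byte aligned
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELFCLASS64, little-endian, v1
    img = bytearray(e_ident + struct.pack("<" + EHDR_FMT, 2, 0x3E, 1, entry, 0, shoff, 0,
                                          64, 56, 0, 64, 3, 2))
    img += b"\xC3" * text_size                   # .text filled with RET instructions
    img += shstrtab
    img += b"\0" * (shoff - len(img))
    img += struct.pack("<" + SHDR_FMT, 0, SHT_NULL, 0, 0, 0, 0, 0, 0, 0, 0)
    img += struct.pack("<" + SHDR_FMT, 1, SHT_PROGBITS, 6, text_addr, text_off, text_size, 0, 0, 16, 0)
    img += struct.pack("<" + SHDR_FMT, 7, SHT_STRTAB, 0, 0, shstr_off, len(shstrtab), 0, 0, 1, 0)
    return bytes(img)


# Constructed cases: a clean binary, one whose entry point lies outside every section
# (typical of code appended to the file), and one whose .text grew by 4096 bytes with
# the entry point moved into the new space, which the entry-point check alone cannot see.
CLEAN = build_elf64(0x401000)
ENTRY_OUTSIDE = build_elf64(0x401000 + 0x100 + 0x10)
TEXT_GROWN = build_elf64(0x401000 + 0x100 + 0x10, text_size=0x100 + 4096)

if __name__ == "__main__":
    for label, img in (("clean", CLEAN), ("entry-outside", ENTRY_OUTSIDE), ("text-grown", TEXT_GROWN)):
        print(label, check_entry_point(img), "text growth:", text_growth(CLEAN, img))
```

The entry-point test catches appenders but not an infector that enlarges .text and keeps the entry inside it, so on a real host the section sizes need to be compared against the package manager's or a file-integrity baseline's record of the original binary.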

Trojan Programs

Backdoor.Cabrotor

"Cabrotor" is a backdoor Trojan program (hidden remote control Trojan). The Trojan itself is a Windows PE EXE file written in Delphi. The original Trojan package contains three main executable files:
CaBrONaToR.exe - client to send commands to the remote server
CaBrONeDiT.exe - server editor to modify default server settings
8======D.exe - server (the Trojan itself)

Trojan.Spy.GreenScreen

"GreenScreen" is a "spy" Trojan that installs itself to the system, hides itself and then captures screen images and saves them to disk files in encrypted form. This allows a hacker to watch the victim's screen. The Trojan itself is a Windows PE EXE file, compressed by AsPack and written in Delphi. The Trojan size differs depending on the specific Trojan version.

Macro Viruses

Macro.Word97.Nori

"Nori" is a dangerous macro virus that infects Microsoft Word documents when they are opened or created. As a result of virus activity the file "Iron.tmp" may appear in the root directory of drive C:. On April 1st the virus checks the system registry for the "RegisteredOrganization" key, and if it equals "IRON" the virus destroys all the files on drive C:. If the "RegisteredOrganization" key contains any other value, the virus deletes the content of any document opened on April 1st.

Virus Constructors

Constructor.VBS.SSIWG

"VBS.SSIWG" is a script-worm construction tool. It was used to create the "SSIWG" virus families. The constructor is able to create worms which can replicate using e-mail and IRC channels (using the mIRC or pIRCh programs). The worms created using this constructor can also:
  • start automatically in Windows
  • encrypt their code
