Friday, April 25, 2008

Malware Celebrities: - Some Well Known Malwares

Kraken Botnet (April 9 2008)

Kraken has reportedly infected machines in at least 50 of the Fortune 500 companies and has reached the size of over 400,000 bots. The Kraken botnet virus may have been designed to evade anti-virus software, and is apparently virtually undetectable to conventional anti-virus software.

As of April 2008, the Kraken botnet is the world's second largest botnet. On April 9, the computer security company Damballa issued a response to claims that Kraken was just another name for Bobax. A week later Damballa released instructions for removing the Kraken malware from computers and a list of IPs comprising the Kraken botnet. The list shows that on April 13, 2008 that were 495,000 computers in the Kraken botnet.

The Malware Research team at SecureWorks also claims that Kraken is another name for an existing botnet, Bobax, also known as Bobic, Oderoor, Cotmonger, and Hacktool.Spammer.

Storm Worm (January 17, 2007)

The Storm Worm (named so by F-Secure), is a backdoor Trojan horse that affects computers using Microsoft operating systems. It was discovered on January 17, 2007.The worm is also known as:

  • Small.dam or Trojan-Downloader.Win32.Small.dam (F-Secure)
  • CME-711 (MITRE)
  • W32/Nuwar@MM and Downloader-BAI (McAfee)
  • Troj/Dorf and Mal/Dorf (Sophos)
  • Trojan.DL.Tibs.Gen!Pac13
  • Trojan.Downloader-647
  • Trojan.Peacomm (Symantec)
  • TROJ_SMALL.EDW (Trend Micro)
  • Win32/Nuwar (ESET)
  • Win32/Nuwar.N@MM! CME-711 (Microsoft)
  • W32/Zhelatin (F-Secure and Kaspersky)
  • Trojan.Peed, Trojan.Tibs (BitDefender)

The Storm Worm began infecting thousands of (mostly private) computers in Europe and the United States on Friday, January 19, 2007, using an e-mail message with a subject line about a recent weather disaster, "230 dead as storm batters Europe". During the weekend there were six subsequent waves of the attack. As of January 22, 2007, the Storm Worm accounted for 8% of all infections globally.


Originally propagated in messages about European windstorm Kyrill, the Storm Worm has been seen in the wild also in emails with the following subjects:

  • A killer at 11, he's free at 21 and kill again!
  • U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
  • British Muslims Genocide
  • Naked teens attack home director.
  • 230 dead as storm batters Europe.
  • Re: Your text
  • Radical Muslim drinking enemies's blood.
  • Chinese/Russian missile shot down Chinese/Russian satellite/aircraft
  • Saddam Hussein safe and sound!
  • Saddam Hussein alive!
  • Venezuelan leader: "Let's the War beginning".
  • Fidel Castro dead.
  • If I Knew

When the attachment is opened, the malware installs the wincom32 service, and injects a payload, passing on packets to destinations encoded within the malware itself. According to Symantec, it may also download and run the Trojan.Abwiz.F Trojan, and the W32.Mixor.Q@mm worm. The Trojan piggybacks on the spam with names such as "postcard.exe" and "Flash Postcard.exe," with more changes from the original wave as the attack mutates. Some of the known names for the attachments include:

  • Postcard.exe
  • Ecard.exe
  • FullVideo.exe
  • Full Story.exe
  • Video.exe
  • Read More.exe
  • FullClip.exe
  • GreetingPostcard.exe
  • MoreHere.exe
  • FlashPostcard.exe
  • GreetingCard.exe
  • ClickHere.exe
  • ReadMore.exe
  • FlashPostcard.exe
  • FullNews.exe
  • NflStatTracker.exe
  • ArcadeWorld.exe
  • ArcadeWorldGame.exe

Later, as F-Secure confirmed, the malware began spreading the subjects such as "Love birds" and "Touched by Love". These emails contain links to websites hosting some of the following files, which are confirmed to contain the virus:

  • With_love.exe
  • Withlove.exe
  • Love.exe
  • Frommetoyou.exe
  • Iheartyou.exe
  • Fck2008.exe
  • Fck2009.exe

Storm Botnet

The compromised machine becomes merged into a botnet. While most botnets are controlled through a central server, which if found can be taken down to destroy the botnet, the Storm Worm seeds a botnet that acts in a similar way to a peer-to-peer network, with no centralized control. Each compromised machine connects to a list of a subset of the entire botnet - around 30 to 35 other compromised machines, which act as hosts. While each of the infected hosts share lists of other infected hosts, no one machine has a full list of the entire botnet - each only has a subset, making it difficult to gauge the true extent of the zombie network. On 7 September 2007, estimates of the size of the Storm botnet ranged from 1 to 10 million computers. Other sources have placed the size of the botnet to be around 250,000 to 1 million.

Rootkit Activity

Another action the Storm Worm takes is to install the rootkit Win32.agent.dh. Symantec pointed out that flawed rootkit code voids some of the Storm Worm author's plans. Later variants, starting around July 2007, loaded the rootkit component by patching existing Windows drivers such as tcpip.sys and cdrom.sys with a stub of code that loads the rootkit driver module without requiring it to have an entry in the Windows driver list.

April Fool's Day

On April 1, 2008, a new storm worm was released onto the net, with April Fools-themed subject titles. The e-mail messages contain links that direct users to Web sites that contain malware. Once the files are downloaded and executed on the computer it sets a firewall exception rule and then attempts to 'phone home' using various outgoing ports.

Zotob (August 16, 2005 - Farid Essebar and Atilla Ekici)

Zotob was derived from the Rbot worm. Rbot can force an infected computer to continuously restart. Its outbreak on August 16, 2005 was covered "live" on CNN television, as the own network computers got infected.

Win32/Zotob is a network worm that primarily targets Microsoft Windows 2000 computers that do not have Microsoft Security Bulletin MS05-039 installed. MS05-039 patches the Windows Plug-and-Play buffer overflow vulnerability. Win32/Zotob can also infect computers running other Windows operating systems if it is delivered through e-mail, instant messaging, or other routes. The worm has a backdoor component that connects to an IRC server to receive commands from attackers.

On executation it modifies the Windows registry so that the worm copy runs each time Windows starts. It scans random IP addresses to establish connections with other computers. The worm sends exploit code to a remote computer when a connection is established. If the remote computer is running Windows 2000 and does not have MS05-039 installed, the exploit code causes the remote computer to download and run a copy of the worm. Connects to an IRC server to receive commands such as the following from attackers: Retrieve system information such as CPU speed, memory usage, Windows operating system, connection type, IP address, and Windows logon information.

On August 26, 2005, Farid Essebar and Atilla Ekici were arrested in Morocco and Turkey, respectively. They are believed to be the men behind the worm's coding.

Bagle (January 18, 2004)

Bagle (also known as Beagle) is a mass-mailing computer worm written in pure assembly and affecting all versions of Microsoft Windows. The first strain, Bagle.A, did not propagate widely. A second variation, Bagle.B is considerably more infectious.

Bagle uses its own SMTP engine to mass-mail itself as an attachment to recipients gathered from the victim computer. It copies itself to the Windows system directory (Bagle.A as bbeagle.exe, Bagle.B as au.exe) and opens a backdoor on TCP port 6777 (Bagle.A) or 8866 (Bagle.B). It does not mail itself to addresses containing strings such as "", "", "@microsoft" or "@avp". The subject line, body, and attachment name of the email vary. The attachment will have a .com, .cpl, .exe, .scr, or .zip file extension. If the file attachment is .zip file, it will be password protected. This zip file will be detected as W32.Beagle@mm!zip. The worm is packed with PeX.

According to an April 2005 TechWeb story, the worm is "usually credited with starting the malware-for-profit movement among hackers, who prior to the ground-breaking worm, typically were motivated by notoriety.” This worm accounted for a financial loss of tens of millions of dollars...and still counting.

Mydoom (January 26, 2004)

Mydoom, also known as W32.MyDoom@mm, Novarg, Mimail.R and Shimgapi, is a computer worm affecting Microsoft Windows. It was first sighted on January 26, 2004. It became the fastest-spreading e-mail worm ever (as of January 2004), exceeding previous records set by the Sobig worm.

The worm contains the text message “andy; I'm just doing my job, nothing personal, sorry,” leading many to believe that the worm's creator was paid to do so. Early on, several security firms published their belief that the worm originated from a professional underground programmer in Russia. The actual author of the worm is unknown.

Speculative early coverage held that the sole purpose of the worm was to perpetrate a distributed denial-of-service attack against SCO Group. 25% of Mydoom.A-infected hosts targeted with a flood of traffic.

At its peak, slowed global Internet performance by 10 percent and Web load times by up to 50 percent. The replication was so successful that computer security experts have speculated that one in every 10 e-mail messages sent during the first hours of infection contained the virus. MyDoom was programmed to stop spreading after February 12, 2004.

Initial analysis of Mydoom suggested that it was a variant of the Mimail worm — hence the alternate name Mimail.R — prompting speculation that the same persons were responsible for both worms. Later analyses were less conclusive as to the link between the two worms.

Mydoom primarily spreads via e-mail, appearing as a transmission error, with subject lines including “Error”, “Mail Delivery System”, “Test” or “Mail Transaction Failed” in different languages, including English and French. The mail contains an attachment that, if executed, resends the worm to e-mail addresses found in local files such as a user's address book. It also copies itself to the “shared folder” of peer-to-peer file-sharing application KaZaA in an attempt to spread that way.

The original version, Mydoom.A, is described as carrying two payloads:

  • A backdoor on port 3127/tcp to allow remote control of the subverted PC (by putting its own SHIMGAPI.DLL file in the system32 directory and launching it as a child process of the Windows Explorer); this is essentially the same backdoor used by Mimail.
  • A denial of service attack against the website of the controversial company SCO Group, timed to commence 1 February 2004. Many virus analysts doubted if this payload would actually function. Later testing suggests that it functions in only 25% of infected systems.

A second version, Mydoom.B, as well as carrying the original payloads, also targets the Microsoft website and blocks HTTP access to Microsoft sites and popular online antivirus sites, thus blocking virus removal tools or updates to antivirus software.

Netsky (February 16, 2004 - Sven Jaschan)

Netsky is a prolific family of computer worms. The first variant appeared on Monday, February 16, 2004. The "B" variant was the first family member to find its way into mass distribution. It appeared on Wednesday, February 18, 2004.

Although individual functions vary widely from virus to virus, the Netsky family perhaps is most famous for comments contained within the code of its variants insulting the authors of the Bagle and MyDoom worm families and, in some cases, routines that removed versions of these viruses. The "war" as it was referred to in the media caused a steady increase in the number of variant viruses produced in these families. As of June 2004, Bagle had approximately 28, Netsky approximately 29, and MyDoom approximately 10.

Other symptoms of Netsky included beeping sounds on specified dates, usually in the morning hours. The worm was sent out as an e-mail, enticing recipients to open an attachment. Once opened, the attached program would scan the computer for e-mail addresses and e-mail itself to all addresses found.

Until October 2006, the P variant of this virus remained the most prevalent virus being sent in e-mail throughout the world, despite being over two and a half years old. 18-year-old Sven Jaschan of Germany confessed to having written these, and other worms, such as Sasser.

Sasser (April 30, 2004 - Sven Jaschan)

Sasser, also known as the Big One, is a computer worm that affects computers running vulnerable versions of the Microsoft operating systems Windows XP and Windows 2000. Some machines running Windows 98 were infected. Like other worms, Sasser spreads by exploiting the system through a vulnerable network port. Thus it is particularly potent in that it can spread without user intervention, but it is also easily stopped by a properly configured firewall or by downloading system updates from Windows Update. Microsoft documents the specific vulnerability that Sasser exploits in its MS04-011 bulletin, for which a patch had been released seventeen days earlier.


Sasser was first noticed and started spreading on April 30, 2004. This worm was named Sasser because it spreads by exploiting a buffer overflow in the component known as LSASS (Local Security Authority Subsystem Service) on the affected operating systems. The worm scans different ranges of IP addresses and connects to victims' computers primarily through TCP port 445. Microsoft's analysis of the worm indicates that it may also spread through port 139. Several variants called Sasser.B, Sasser.C, and Sasser.D appeared within days (with the original named Sasser.A). Microsoft patched the LSASS vulnerability in the April 2004 installment of its monthly security packages, prior to the release of the worm. Some technology specialists have speculated that the worm writers reverse-engineered the patch to discover the vulnerability, which would open millions of computers whose operating system had not been upgraded with the security update. The most common characteristic of the worm is the shutdown timer that appears due to the worm crashing LSASS.exe.


Sasser was at first believed to have been authored in Russia by the same person(s) who created another worm usually referred to as Lovsan, MSBlast or Blaster (due to the media), a connection indicated by code similarities between the two, but on May 7, 2004, 18-year old German computer science student Sven Jaschan from Rotenburg, Lower Saxony was arrested for writing the worm. He immediately confessed to having written it when he was 17 years old. He further revealed that not only Sasser, but also Netsky.AC, a variant of the Netsky worm, was his creation. Another variation of Sasser, Sasser.E, was found to be circulating shortly after the arrest. It was the only variation that attempted to remove other worms from the infected computer, much in the way Netsky does.

Jaschan was tried as a minor because the German courts determined that he created the worm before he was 18. (The worm was released on his 18th birthday (April 29, 2004).) Sven Jaschan was found guilty of computer sabotage and illegally altering data. On Friday, July 8, 2005, he received a 21 month suspended sentence.

SQL Slammer (January 25, 2003)

SQL Slammer, also known as Sapphire, was launched on January 25, 2003. It was a worm that had a noticeable negative impact upon global Internet traffic. The SQL slammer worm is a computer worm that caused a denial of service on some Internet hosts and dramatically slowed down general Internet traffic, starting at 05:30 UTC on January 25, 2003. It spread rapidly, infecting most of its 75,000 victims within ten minutes. Named by Christopher J. Rouland, the CTO of ISS, Slammer was first brought to the attention of the public by Michael Bacarella - see Notes. The program did not use the SQL language; it exploited a buffer overflow bug in Microsoft's flagship SQL Server and Desktop Engine database products, for which a patch had been released six months earlier in MS02-039. Other names include W32.SQLExp.Worm, DDOS.SQLP1434.A, the Sapphire Worm, SQL_HEL, W32/SQLSlammer and Helkern.

Interestingly enough, it didn't seek out end users' PCs. Instead, the targets were Servers. The virus was a single-packet, 376-byte worm that generated random IP addresses and sent itself to those IP addresses. If the IP address was a computer running an unpatched copy of Microsoft's SQL Server Desktop Engine, that computer would immediately begin firing the virus off to random IP addresses as well. The outrageously high amounts of traffic overloaded routers across the globe, which created higher demands on other routers, which shut them down, and so on.

Technical Information

The worm was based on proof of concept code demonstrated at the Black Hat Briefings by David Litchfield, who had initially discovered the buffer overflow vulnerability that the worm exploited. It is a small piece of code that does little other than generate random IP addresses and send itself out to those addresses. If a selected address happens to belong to a host that is running an unpatched copy of Microsoft SQL Server Resolution Service, the host immediately becomes infected and begins spraying the Internet with more copies of the worm program.

Home PCs are generally not vulnerable to this worm unless they have MSDE installed. The worm is so small that it does not contain code to write itself to disk, so it only stays in memory, and it is easy to remove. For example, Symantec provides a free removal utility (see external link below), or it can even be removed by restarting SQL Server (although the machine would likely be immediately reinfected).

The worm was made possible by software security vulnerability in SQL Server first reported by Microsoft on July 24, 2002. A patch had been available from Microsoft for six months prior to the worm's launch, but many installations had not been patched -- including some at Microsoft.

The slowdown was caused by the collapse of numerous routers under the burden of extremely high bombardment traffic from infected servers. Normally, when traffic is too high for routers to handle, the routers are supposed to delay or temporarily stop network traffic. Instead, some routers crashed (became unusable), and the "neighbor" routers would notice that these routers had stopped and should not be contacted (aka "removed from the routing table"). Routers started sending notices to this effect to other routers they knew about. The flood of routing table update notices caused some additional routers to fail, compounding the problem. Eventually the crashed routers' maintainers restarted them, causing them to announce their status, leading to another wave of routing table updates. Soon a significant portion of Internet bandwidth was consumed by routers communicating with each other to update their routing tables, and ordinary data traffic slowed down or in some cases stopped altogether. Ironically because the SQL slammer worm was so small in size, sometimes it was able to get through and legitimate traffic was not. Because SQL Slammer erupted on a Saturday, the damage was low in dollars and cents. However, it hit 500,000 servers worldwide, and actually shut down South Korea's online capacity for 12 hours.

SQL Slammer was the first observed example of a "Warhol worm" -- a fast-propagating Internet infection of the sort first hypothesized in 2002 in a paper by Nicholas Weaver. Two key aspects contributed to SQL Slammer's rapid propagation. The worm infected new hosts over UDP, and the entire worm (only 376 bytes) fits inside a single packet. As a result, no connection was necessary for an infected host to attempt to infect another machine. Each infected host could instead simply "fire and forget" packets as rapidly as possible (generally hundreds per second).

Who discovered it?

There is contention as to who found "Slammer" first. This is really impossible to determine. However, in terms of who first alerted the general public, this can be attributed to Michael Bacarella who posted a message to the Bugtraq security mailing list entitled "MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!". This was sent at 02:11:41 AM CST on the 25th of January 2003.

CoolWebSearch (May 2003)

CoolWebSearch (also known as CoolWWWSearch or abbreviated as CWS) first appeared in May 2003 and is well known as a spyware program, which installs itself on Windows, based computers. CoolWebSearch Spyware tops the list of the most menacing spyware applications. It is said to be a highly intricate, complicated, and deceitful browser hijackers of all times.

CoolWebSearch has numerous effects when it is successfully installed on a user's computer. The program can change an infected computer's web browser homepage to, and although originally thought to only work on Internet Explorer, recent variants affect Mozilla Firefox as well as others. It can also create pop-up ads that redirect to other websites including pornography sites, collect private information about users and slow the speed of infected computers. Coolwebsearch uses innovative techniques to evade detection and removal, and as such many common spyware removal programs fail to properly remove the software.

Some versions of CoolWebSearch can be installed through drive-by installation, in which a computer browsing a webpage automatically installs CWS. CWS itself attempts to evade others by not labeling its ads, not providing an EULA, not providing any data about itself and not having a website. Certain variants insert links on random text, leading to advertiser websites. Other attempts to access websites are redirected to pay-per-click search engines that may install more malware display ads. Some variants of CWS also add links to pornography and gambling sites to the user's Desktop, Internet Explorer's bookmarks and history. Certain versions attempt to edit users' trusted sites and modify security settings as well as to hide from removal programs. Variants are often named for the effects they have such as msconfig, Msoffice, Mupdate, Msinfo and Svchost32.


1. CWS.Aboutblank

2. CWS.Addclass

3. CWS.Alfasearch

4. CWS.Bootconf

5. CWS.CameUp

6. CWS.Cassandra

7. CWS.Control

8. CWS.Ctfmon32

9. CWS.Datanotary

10. CWS.Dnsrelay

11. CWS.Dreplace

12. CWS.Gonnasearch

13. CWS.Googlems

14. CWS.Hiddendll

15. CWS.Homesearch

16. CWS.Loadbat

17. CWS.Msconfd

18. CWS.Msconfig

19. CWS.Msinfo

20. CWS.Msoffice

21. CWS.Msspi

22. CWS.Mupdate

23. CWS.Oemsyspnp

24. CWS.Olehelp

25. CWS.Oslogo

26. CWS.Qttasks

27. CWS.Q-url3

28. CWS.Realyellowpage

29. CWS.Searchx

30. CWS.Smartfinder

31. CWS.Smartsearch

32. CWS.Sounddrv

33. CWS.Svchost32

34. CWS.Svcinit

35. CWS.Systeminit

36. CWS.Systime

37. CWS.Tapicfg

38. CWS.Therealsearch

39. CWS.Vrape

40. CWS.Xmlmimefilter

41. CWS.Xplugin

42. CWS.Xxxvideo

43. CWS.Yexe

44. CWS.Winproc32

45. CWS.Winres

46. CWS.Xmlmimefilter

47. CWS.Aboutblank

48. CWS.Systeminit

49. CWS.Sounddrv

50. CWS.Searchx

51. CWS.Realyellowpage

52. CWS.SysTime

53. CWS.HomeSearch

54. CWS.Look2Me

55. CWS.MSFind

56. CWS.Cassandra

Affiliate variants

1. CWS.Aff.iedll

2. CWS.Aff.Madfinder

3. CWS.Aff.Tooncomics

4. CWS.Aff.Winshow

Creators's terms of service use the laws of Quebec, whilst their DNS registration lists an address in the British Virgin Islands, and their web server appears to be run by HyperCommunications in Massachusetts. CoolWebSearch is also linked to and appears to be related to The names of the creators currently remain unknown.


There are programs such as CWShredder and McAfee's Beta Command-Line Scanner, which can be used to remove the vast majority of CoolWebSearch variants from infected computers. Windows' System Restore can reportedly remove some, but possibly not all, variants of CoolWebSearch. However, due to the fact that CoolWebSearch can hide in the System Restore files, this is not a recommended solution, and it is probably wiser to clear System Restore than to use it.

Sobig (August 2003)

The Sobig Worm was a computer worm that infected millions of Internet-connected, Microsoft Windows computers in August 2003. Although there were indications that tests of the worm were carried out as early as August 2002, Sobig.A was first found in the wild in January 2003. Sobig.B was released on May 2003. It was first called Palyh, but was later renamed to Sobig.B after anti-virus experts discovered it was a new generation of Sobig. Sobig.C was released May 31 and fixed the timing bug in Sobig.B. Sobig.D came a couple of weeks later followed by Sobig.E in June 25. On August 19, Sobig.F became known and set a record in sheer volume of e-mails. The worm was most widespread in its "Sobig.F" variant. Sobig accounted for a financial loss totaling to 5 to 10 billion dollars and over 1 million infected PCs.

On November 5, 2003, Microsoft announced that they would pay $250,000 for information leading to the arrest of the creator of the Sobig worm. To date, the perpetrator has not been caught.

Technical details

Sobig is a computer worm in the sense that it replicates by itself, but also a Trojan horse in that it masquerades as something other than malware. The Sobig worm will appear as an electronic mail with one of the following subjects:

  • Re: Approved
  • Re: Details
  • Re: Re: My details
  • Re: Thank you!
  • Re: That movie
  • Re: Wicked screensaver
  • Re: Your application
  • Thank you!
  • Your details

It will contain the text: "See the attached file for details" or "Please see the attached file for details." It also contains an attachment by one of the following names:

  • application.pif
  • details.pif
  • document_9446.pif
  • document_all.pif
  • movie0045.pif
  • thank_you.pif
  • your_details.pif
  • your_document.pif
  • wicked_scr.scr

The Sobig viruses infect a host computer by way of the above-mentioned attachment. When this is started they will replicate by using their own SMTP agent engine. E-mail addresses that will be targeted by the virus are gathered from files on the host computer. The file extensions that will be searched for e-mail addresses are:

  • .dbx
  • .eml
  • .hlp
  • .htm
  • .html
  • .mht
  • .wab
  • .txt

The Sobig.F variant was programmed to contact 20 IP addresses on UDP port 8998 on August 26, 2003 to install some program or update itself. It is unclear what this program was, but earlier versions of the virus had installed the WinGate proxy server software - a legitimate product - in a configuration allowing it to be used as a backdoor for spammers to distribute unsolicited e-mail. The Sobig worm was written using the Microsoft Visual C++ compiler, and subsequently compressed using a data compression program called tElock. The Sobig.F worm deactivated itself on September 10, 2003.

Blaster (August 11, 2003)

The Blaster Worm (also known as Lovsan or Lovesan) was a computer worm that spread on computers running the Microsoft operating systems, Windows XP and Windows 2000, during August 2003. The worm was first noticed and started spreading on August 11, 2003. The rate that it spread increased until the number of infections peaked on August 13, 2003. Blaster accounted for a financial loss totaling to 2 to 10 billion dollars, hundreds of thousands of PCs infected.

On August 29, 2003, Jeffrey Lee Parson, an 18-year-old from Hopkins, Minnesota was arrested for creating the B variant of the Blaster worm; he admitted responsibility and was sentenced to an 18-month prison term in January 2005. The worm was programmed to start a SYN flood on August 15, 2003 against port 80 of, thereby creating a distributed denial of service attack (DDoS) against the site. The damage to Microsoft was minimal as the site targeted was instead of to which it was redirected. Microsoft temporarily shut down the targeted site to minimize potential effects from the worm.

The worm spread by exploiting a buffer overflow in the DCOM RPC service on the affected operating systems, for which a patch had been released one month earlier in MS03-026 and later in MS03-039.

The worm contains two messages hidden in strings. The first message hidden in string:

I just want to say LOVE YOU SAN!!

This is why the worm is sometimes called the Lovesan worm. The second The first message hidden in string:

Billy gates why do you make this possible? Stop making money and fix your software!!

This is a message to Bill Gates, the co-founder of Microsoft and the target of the worm.

Although the worm can only spread on systems running Windows 2000 or Windows XP (32 bit) it can cause instability in the RPC service on systems running Windows NT, Windows XP (64 bit), and Windows Server 2003. In particular, the worm does not spread in Windows Server 2003 because it was compiled with the /GS switch, which detected the buffer overflow and shut the RPCSS process down. If the worm detects a connection to the Internet (regardless of dial-up or broadband), this can even lead to the system becoming so unstable that it displays the following message and then restarts (usually after 60 seconds):

Windows must now restart because the Remote Procedure Call (RPC) Service terminated unexpectedly.

That was because either the /GS check code terminated or the buffer overflow crashed RPCSS. This was the first indication many users had of infection; it often occurred a few minutes after every startup on compromised machines. For reference, a user can move back the time or date on the system clock, gaining that amount of time before Windows restarts itself. For example, moving the date back one year will allow the user 365 days and 60 seconds before the system restarts itself, thus allowing time for disinfections. Another way to stop this message is to run shutdown -a.

Code Red (July 13, 2001)

Also known as Bady, Code Red was designed for maximum damage. The Code Red worm was a computer worm observed on the Internet on July 13, 2001. It attacked computers running Microsoft's IIS web server. The programmers at eEye Digital Security performed the most in-depth research on the worm. They also gave the worm its name, a reference to a variety of Mountain Dew soft drink and the phrase "Hacked By Chinese!" with which the worm defaced websites. Although the worm had been released on July 13, the largest group of infected computers was seen on July 19, 2001. On this day, the number of infected hosts reached 359,000. It accounted for a financial loss of 2.6 billion dollars.

Exploited vulnerability

The worm exploited vulnerability in the indexing software distributed with IIS, described in MS01-033, for which a patch had been available a month earlier. The worm spread itself using a common type of vulnerability known as a buffer overflow. It did this by using a long string of the repeated character 'N' to overflow a buffer, allowing the worm to execute arbitrary code and infect the machine.

Worm payload

The payload of the worm included:

· It defaced the affected web site to display:

HELLO! Welcome to! Hacked By Chinese!

· It tried to spread itself by looking for more IIS servers on the Internet.

· It waited 20-27 days after it was installed to launch denial of service attacks on several fixed IP addresses. The IP address of the White House web server was among those.

Top 10 Countries
Country          No. Of Infection                   % Of Infected Systems
US                          157694                                   43.91
KR                          37948                                     10.57
CN                          18141                                     5.05
TW                         15124                                     4.21
CA                          12469                                     3.47
UK                          11918                                     3.32
DE                          11762                                     3.28
AU                          8587                                       2.39
JP                           8282                                       2.31


The primary observation to make about the Code-Red worm is the speed at which a malicious exploit of a ubiquitous software bug can incapacitate host machines. In particular, physical and geographical boundaries are meaningless in the face of a virulent attack. In less than 14 hours, 359,104 hosts were compromised. The global Internet community dodged a bullet with the Code-Red worm: little damage was actually inflicted in the attack. The worm did no significant damage to the machines it infected. It had a preset cutoff time. Although it attempted to launch a Denial of Service (DoS) attack against, it orchestrated the attack against the IP address of the server, rather than the domain name, and actually checked to make sure that port 80 at the IP address was active before launching the denial of service phase of the attack. These features made it trivially easy to disable the Denial of Service (phase 2) portion of the attack. We cannot expect such weaknesses in the design of future attacks.

This assault also demonstrates that machines operated by home users or small businesses (hosts less likely to be maintained by a professional sysadmin) are integral to the robustness of the global Internet. As is the case with biologically active pathogens, vulnerable hosts can and do put everyone at risk, regardless of the significance of their role in the population.

The Code-Red worm is a wake-up call. This exploit demonstrates clearly the need to keep machines up-to-date with security developments. This exploit also underscores the need to back up critical systems; the worm could easily have corrupted data, reformatted hard drives, or caused other irreparable damage. Indeed, in the final analysis, we should all be uncomfortable with the extent to which luck, rather than proactive diligence, maintains the stability of the Internet infrastructure.

Code-Red also provides the Internet community a chance to test its response to a virulent security threat with minimal long-term damage. There was, however, some unexpected collateral damage to infrastructure: printers, routers, switches, dsl modems, and other devices with web interfaces crashed, rebooted or were otherwise damaged by the worm's probes. We should assess our response to the attack -- How quickly and reliably can we disseminate news about the threat? How quickly can infected hosts be located, isolated, and repaired? In the case of the Code-Red worm, even was infected, and many hosts were re-infected during attempts to patch them.

Nimda (September 2001)

Nimda is a computer worm, isolated in September 2001. It is also a file infector. It quickly spread, eclipsing the economic damage caused by past outbreaks such as Code Red. Multiple propagation vectors allowed Nimda to become the Internet’s most widespread virus/worm within 22 minutes. Due to the release date, some media quickly began speculating a link between the virus and Al Qaeda, though this relationship ended up being untrue.

Nimda affected both user workstations (clients) running Windows 95, 98, NT, 2000, or ME and servers running Windows NT and 2000. The worm's name spelled backwards is "admin". The author of Nimda remains unknown.

Methods of infection

Nimda was so effective partially because it—unlike other famous malware like the Morris worm or Code Red—uses five different infection vectors:

  • Via email
  • Via open network shares
  • Via browsing of compromised web sites
  • Exploitation of various Microsoft IIS 4.0 / 5.0 directory traversal vulnerabilities. (Both Code Red, and Nimda were hugely successful exploiting well known and long solved vulnerabilities in the Microsoft IIS server.)
  • via back doors left behind by the "Code Red II" and "sadmind/IIS" worms.

ILOVEYOU (May 3, 2000)

The ILOVEYOU worm, also known as VBS/Loveletter and Love Bug worm, is a computer worm written in VBScript. The worm, first discovered in Hong Kong, arrived in e-mail boxes on May 4, 2000, with the simple subject of "ILOVEYOU" and an attachment "LOVE-LETTER-FOR-YOU.TXT.vbs".

Two aspects of the worm made it effective:

  • It relied on social engineering to entice users to open the e-mail and ensure its continued propagation.
  • It employed a mechanism — VBScripts — that, while not entirely novel, had not been exploited to such a degree previously to direct attention to their potential, reducing the layers of protection that would have to be navigated for success.

Its massive spread moved westward as workers arrived at their offices and encountered messages generated by people from the East. Because the virus used mailing lists as its source of targets, the messages often appeared to come from an acquaintance and so might be considered "safe", providing further incentive to open them. All it took was a few users at each site to access the VBS attachment to generate the thousands and thousands of e-mails that would cripple e-mail systems under their weight, not to mention overwrite thousands of files on workstations and accessible servers. This worm accounted for a financial loss worth 10 to 15 billion dollars.


It began in the Philippines on May 4, 2000, and spread across the world in one day (traveling from Hong-Kong to Europe to the United States), infecting 10 percent of all computers connected to the Internet and causing about $5.5 billion in damage. Most of the "damage" was the labor of getting rid of the virus. The Pentagon, CIA, and the British Parliament had to shut down their e-mail systems to get rid of the worm, as did most large corporations.

This particular malware caused widespread outrage, making it the most damaging worm ever. The worm overwrote important files, as well as music, multimedia and more, with a copy of itself. It also sent the worm to everyone on a user's contact list. This particular worm only affected computers running the Microsoft Windows operating system. While any computer accessing e-mail could receive an "ILOVEYOU" e-mail, only Microsoft Windows systems would be infected.


The ILOVEYOU worm is believed to have been written by Chris Moon. The Barok Trojan horse used by the worm is believed to have been written by Onel de Guzman, a Filipino student of AMA Computer University in Makati, Philippines.

An international manhunt for the perpetrator finally led to a young programming student. On May 11 (one week after the virus spread), he held a news conference and said that he did not mean to cause so much harm. He was unable to graduate because the university rejected his thesis on the basis of its illegality. Helped by a group of friends called the Grammersoft Group, he distributed his virus the day before the school held their graduation ceremony.

The worm is written using Microsoft Visual Basic Scripting (VBS), and requires that the end-user run the script in order to deliver its payload. It will add a set of registry keys to the Windows registry that will allow the malware to start up at every boot.

The worm will then search all drives which are connected to the infected computer and replace files with the extensions *.JPG, *.JPEG, *.VBS, *.VBE, *.JS, *.JSE, *.CSS, *.WSH, *.SCT, *.DOC *.HTA with copies of itself, while appending to the file name a .VBS. extension. The malware will also locate *.MP3 and *.MP2 files, and when found, makes the files hidden, copies itself with the same filename and appends a .VBS.

The worm propagates by sending out copies of itself to all entries in the Microsoft Outlook address book. It also has an additional component, in which it will download and execute an infected program called variously "WIN-BUGSFIX.EXE" or "Microsoftv25.exe". This is a password-stealing program which will e-mail cached passwords.


1. Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
Subject Line: ILOVEYOU
Message Body: kindly check the attached LOVELETTER coming from me.

2. Attachment: Very Funny.vbs
Subject Line: fwd: Joke
Message Body: empty

3. Attachment: mothersday.vbs
Subject Line: Mothers Day Order Confirmation
Message Body: We have proceeded to charge your credit card for the amount of $326.92 for the mothers day diamond special. We have attached a detailed invoice to this email. Please print out the attachment and keep it in a safe place. Thanks Again and Have a Happy Mothers Day!

4. Attachment: virus_warning.jpg.vbs
Subject Line: Dangerous Virus Warning
Message Body: There is a dangerous virus circulating. Please click attached picture to view it and learn to avoid it.

5. Attachment: protect.vbs
Subject Line: Virus ALERT!!!
Message Body: a long message regarding VBS.LoveLetter.A

6. Attachment: Important.TXT.vbs
Subject Line: Important! Read carefully!!
Message Body: Check the attached IMPORTANT coming from me!

7. Attachment: Virus-Protection-Instructions.vbs
Subject Line: How to protect yourself from the IL0VEYOU bug!
Message Body: Here's the easy way to fix the love virus.

8. Attachment: KillEmAll.TXT.VBS
Subject Line: I Cant Believe This!!!
Message Body: I Cant Believe I have Just received This Hate Email. Take A Look!

9. Attachment: ArabAir.TXT.vbs
Subject Line: Thank You For Flying With Arab Airlines
Message Body: Please check if the bill is correct, by opening the attached file

10. Attachment: IMPORTANT.TXT.vbs
Subject Line: Variant Test
Message Body: This is a variant to the vbs virus.

11. Attachment: Vir-Killer.vbs
Subject Line: Yeah, Yeah another time to DEATH...
Message Body: This is the Killer for VBS.LOVE-LETTER.WORM.

12. Attachment: LOOK.vbs
Subject Line: LOOK!
Message Body: hehe...check this out.

13. Attachment: BEWERBUNG.TXT.vbs
Subject Line: Bewerbung Kreolina
Message Body: Sehr geehrte Damen und Herren!

14. Subject Line: Is this you in this picture?
Message Body: Is this you in this picture?


Narinnat Suksawat, a 25-year-old Thai software engineer, was the first person to write software that repaired the damage caused by the worm, releasing it to the public on May 5, 2000, 24 hours after the worm had spread. "Rational Killer", the program he created, removed virus files and restored the previously removed system files so they again functioned normally. Two months later, Narinnat was offered a senior consultant job at Sun Microsystems and worked there for two years. He resigned to start his own business. Today, Narinnat owns a software company named Moscii Systems, a system management software company in Thailand.

Melissa (March 26, 1999)

The Melissa worm, also known as "Mailissa", "Simpsons", "Kwyjibo", or "Kwejeebo", is a mass-mailing macro virus, hence leading some to classify it as a computer worm. First found on March 26, 1999, Melissa shut down Internet mail systems that got clogged with infected e-mails propagating from the worm. Melissa was not originally designed for harm, but it overflowed servers and caused unplanned problems.

Melissa was first distributed in the Usenet discussion group The virus was inside a file called "List.DOC", which contained passwords that allow access into 80 pornographic websites. The worm's original form was sent via e-mail to many people.

Melissa was written by David L. Smith in Aberdeen Township, New Jersey, and named after a lap dancer he encountered in Florida. The creator of the virus called himself ‘Kwyjibo’, but was shown to be identical to macrovirus writers VicodinES and Alt-F11 who had several Word-files with the same characteristic Globally Unique Identifier (GUID), a serial number that was earlier generated with the network card MAC address as a component. Smith was sentenced to 20 months in a federal prison and fined $5,000 United States dollars. This arrest was a result of collaboration between the FBI, New Jersey State Police and Monmouth Internet. Melissa accounted for a financial loss of 300 to 600 million dollars.

Melissa can spread on word processors Microsoft Word 97 and Word 2000. It can mass-mail itself from e-mail client Microsoft Outlook 97 or Outlook 98. The worm does not work on any other versions of Word, including Word 95, Microsoft Office Word 2003, Word 2004 (Mac), and Microsoft Office Word 2007, nor can it mass-mail itself via any other e-mail client, even Outlook Express or Windows Mail (Outlook Express version in Windows Vista).

If a Word document containing the virus, either LIST.DOC or another infected file, is downloaded and opened, then the macro in the document runs and attempts to mass mail itself.

When the macro mass-mails, it collects the first 50 entries from the alias list or address book, and sends it to the e-mail addresses of those names.


This variant also deletes critical files. Before deleting the files, it strips them of their archive, hidden, and read-only attributes.

  • C:\
  • C:\IO.SYS
  • C:\
  • C:\Suhdlog.dat
  • D:\
  • D:\Io.sys
  • D:\Suhdlog.dat


This is another variant of the original Melissa macro virus, and is akin to Melissa.U. It uses Microsoft Outlook, and tries to send itself to the first 40 addresses in Outlook's address book. The subject line of the infected e-mail sent out is: "My Pictures ()", where is the name to whom the sender's copy of Microsoft Word is registered.

There is no body to the email, but there is an infected document attached. If this is opened, the payload is triggered immediately. It tries to delete data from the following (local or network) destinations: F:, H:, I:, L:, M:, N:, O:, P:, Q:, S:, X:, and Z. Once complete, it beeps three times and then shows a message box with the text: "Hint: Get Norton 2000 not McAfee 4.02".


This is the same as Melissa.A.


This is what the e-mails from this version contain:

Subject: Extremely URGENT: To All E-Mail User - 
Body: This announcement is for all E-MAIL users. Please take note that our E-Mail Server will down and we recommended you to read the document, which is attached with this E-Mail.

Melissa.AO's payload occurs at 10 a.m. on the 10th day of each month. The payload consists of the worm inserting the following string into the document: "Worm! Let's We Enjoy."

CIH (September 1998)

CIH, also known as Chernobyl or Spacefiller, is a computer virus written by Chen Ing Hau (Chen YingHao) of Taiwan. It is considered to be one of the most harmful widely circulated viruses, overwriting critical information on infected system drives, and more importantly, in some cases corrupting the system BIOS.

The name "Chernobyl Virus" was coined some time after the virus was already well known as CIH, and refers to the complete coincidence of the payload trigger date in some variants of the virus (actually the virus writer's birthday) and the Chernobyl accident, which happened in Ukraine on April 26, 1986.


In September 1998, Yamaha shipped a firmware update to their CD-R400 Drives that were infected with the virus. In October 1998, a demo version of the Activision game SiN was infected by one of its mirror sites. In March 1999, several thousand IBM Aptivas shipped with the CIH virus, just one month before the virus would trigger.

CIH's dual payload was delivered for the first time on April 26, 1999, with most of the damage occurring in Asia. CIH filled the first 1024 KB of the host's boot drive with zeros and then attacked certain types of BIOS. Both of these payloads served to render the host computer inoperable, and for laypersons the virus essentially destroyed the PC. Technically, however, it was possible to replace the BIOS chip, and methods for recovering hard disk data emerged later.

Today, CIH is not as widespread as it once was; due to awareness of the threat and the fact it only affects older Windows 9x (95, 98, ME) operating systems. CIH accounted for a financial loss amounting to 20 to 80 million dollars worldwide and countless amounts of PC data destroyed.

The virus made another comeback in 2001 when a variant of the Loveletter Worm in a VBS file that contained a dropper routine for the CIH virus was circulated around the Internet, under the guise of a nude picture of Jennifer Lopez.

A modified version of the virus called CIH.1106 was discovered in December 2002, but it is not a considered serious threat.

CIH is considered a threat only if it infects programs used by mass-mailing computer worms, such as Klez, or if the Anjulie Worm comes into play.


CIH spreads under the Portable Executable file format under Windows 95, Windows 98, and Windows ME. CIH does not spread under Windows NT, Windows 2000, Windows XP or Windows Vista. CIH infects Portable Executable files by splitting the bulk of its code into small slivers inserted into the inter-section gaps commonly seen in PE files, and writing a small re-assembly routine and table of its own code segments' locations into unused space in the tail of the PE header. This earned CIH another name, "Spacefiller". The size of the virus is around 1 kilobyte, but due to its novel multiple-cavity infection method, infected files do not grow at all. It uses methods of jumping from processor ring 3 to 0 to hook system calls.

The payload, which is considered extremely dangerous, first involves the virus overwriting the first megabyte (1024KB) of the hard drive with zeroes, beginning at sector 0. This deletes the contents of the partition table, and may cause the machine to hang. The second payload tries to write to the Flash BIOS. Due to what may be an unintended feature of this code, BIOSes that can be successfully written to by the virus have critical boot-time code replaced with junk. This routine only works on some machines. Much emphasis has been put on machines with motherboards based on the Intel 430TX chipset, but by far the most important variable in CIH's success in writing to a machine's BIOS is the type of Flash ROM chip in the machine. Different Flash ROM chips (or chip families) have different write-enable routines specific to those chips. CIH makes no attempt to test for the Flash ROM type in its victim machines, and has only one write-enable sequence.

For the first payload, any information that the virus has overwritten with zeros is lost. If the first partition is FAT32, and over about one gigabyte, all that will get overwritten is the MBR, the partition table, and the boot sector of the first partition and the first copy of the FAT of the first partition. The MBR and boot sector can simply be replaced with copies of the standard versions, the partition table can be rebuilt by scanning over the entire drive and the first copy of the FAT can be restored from the second copy. This means a tool like Fix CIH can perform a complete recovery with no loss of user data automatically. If the first partition is not FAT32 or is smaller than 1GB the bulk of user data on that partition will still be intact but without the root directory and FAT it will be difficult to find it especially if there is significant fragmentation.

If the second payload goes off without a hitch, the computer will not start at all. A technician is required to reprogram or replace the Flash BIOS chip, as most systems that CIH can affect predate BIOS restoration features.

CIH v1.2/CIH.1103

This variant is the most common one and activates on April 26. It contains the string: CIH v1.2 TTIT.

CIH v1.3/CIH.1010A and CIH1010.B

This variant also activates on June 26. It contains the string: CIH v1.3 TTIT.

CIH v1.4/CIH.1019

This variant acts on the 26th of any month. It is still in the wild, although it is not that common. It contains the string CIH v1.4 TATUNG.


This variant activates on August 2 instead of April 26.


This is a minor, fairly recent variation that appeared on December 2002.


The CIH got a new look, while scanning the security holes inside the Windows Networks. Windows XP got prone to it when some people disliked the windows validation tool. CIH caused IP Conflicts, Font removal, System Netbios Conflicts on the many windows xp/server systems. From a report by astalavista group, this can infect network systems because many anti-virus software are unaware of this type of virus, and it actually does not harm a system, but prompt conflicts on port 139 of the windows systems.


Most antivirus software will recognize and remove CIH. However, CIH has a lasting legacy even after infected files have been cleaned, whether or not the payload was delivered. Due to its infection mechanism, most antivirus software can deactivate the virus but cannot completely clean infected files. This has certain ramifications. First, infected files cannot be restored to their original state, and will therefore produce different hashes or checksums than the original file, which could cause the file to fail integrity checks. Secondly, because the virus signature is still present within the file, the antivirus software will continue to flag infected files, usually as "CIH (inactive)" or some variation thereof. The only way to be completely rid of CIH remnants is to replace the affected files with copies of untouched originals. For systems that were thoroughly infected, this likely entails a complete reinstallation of the operating system and software.