Win32.Parv Viruses Information
This virus spreads under Win32 (Win95/98 and WinNT) and infects the PE EXE files (Portable Executable). The virus has quite large size for a program that is written in Assembler - about 15Kb. It is polymorphic virus.
The most interesting feature of this virus is its ability to send infected EXE files to the Internet by using standard Email protocols (see also other viruses that send infected messages via Email: "Win.RedTeam", "Macro.Word97.Antimarc", "Macro.Word.Innuendo", "Macro.Word.ShareFun").
Depending on the random counter the virus calls its second Internet-accessing routine. This time the virus does not spreads its copies, but just looks for the DialUp database and sends to virus' author.
The virus code contains author's "copyrights":
- Parvo BioCoded by GriYo / 29A - Win32 Tech Support by Jacky Qwerty / 29A
- Thanks to Darkman / 29A and b0z0 / Ikx for their ideas and strategy
- Parvo is a research speciment, do not distribute
- c1999 29A Labs all We create life -
Many virus routines (infection, polymorphic) have the same features like the "Win95.Marburg" virus has. The virus writes itself to the end of last file section; does not modify PE entry address but patches the original program's entry code with JMP_Virus instruction, or with a block of junk code that at the end passes the control to virus code; e.t.c.
When the virus takes control, the polymorphic decryption loop and additional lite decryption routine restore the virus code and pass the control to the main virus routine.
The virus protects its code by using CRC method. It calculates the CRC of its code and exits, if the CRC is not correct. It seems that this feature is necessary for the virus because it sends infected files via the Internet, so the CRC checking prevents corrupted copies execution.
The virus then scans Windows kernel and looks for file accessing, searching, and other API functions that are used by the virus. While looking for API functions the virus does not uses their names, but checksums. To find necessary string in Windows kernel the virus just calculates their CRCs one-by-one and compares the results with a table of pre-calculated values that are saved in virus code.
To infect files on the disk the virus looks for them in current, Windows and Windows system directories. The virus also affects the files in directories, that contain the installed Internet browser and Email reader. The virus gets these directories names from the System Registry.
The virus does not infect all files that are found, but only files with specific names: IEXPLORE.EXE, INSTALL.EXE, NETSCAPE.EXE, NOTEPAD.EXE, SETUP.EXE, WINZIP32.EXE, and some other. To compare file names the virus also uses the checksum method as while looking for API functions.
To return control to the host program the virus creates its copy with a random selected name, disinfects and executes it. The virus then waits for host file exiting, so the virus code stays in memory up to the moment the host program terminates. Although the virus code may stay in the memory for a long time, the virus is not memory resident. It does not hook any system events and does not intercept file opening/execution to infect them.
To send infected files to the Internet the virus connects the Internet by using standard Windows functions, gets a random selected Email address, send a hoax message to it and attaches to the message the infected EXE dropper (see the text of messages below). To get a victim Email address the virus goes to several newsgroups, reads random selected message and looks for FROM string in there. When this ID text is found, the virus uses followed address to send the infected message.
The infected file name is selected from three possible variants: MSEFIXI.EXE, LSERIAL.EXE or HOTEENS.EXE. The messages (including headers) are also selected from three variants:
Message 1 -------------------------------------------------------------
mail from: firstname.lastname@example.org from: email@example.com rcpt to: randomly selected address to: randomly selected address Subject: Present security risk using Microsoft Internet Explorer and Outlook Express
A new and dangerous virus has hit the Internet.
When the email client receives a malicious mail or news message that contains an attachment with a very long filename, it could cause the email to execute arbitrary code automaticly on the client workstation, thus infecting the machine.
Microsoft has been aware of this problem from the very beginning and presents here a patch for the two of our products in which it exploits.
Outlook 98 on Windows â 95, Windows 98 and Microsoft Windows NT â 4.0 Outlook Express 4.0, 4.01 (including 4.01 with Service Pack 1) on Windows 95, Windows 98 and Windows NT 4.0 Netscape Mail Clients
Customers using this products for Windows 95, Windows 98 or Windows NT 4.0 should execute the attached patch or download an updated patch from:
Please patch your computer(s) as soon as possible and help us fight this threat to the Internet.
Thank for your time.
Message 2 -------------------------------------------------------------
mail from: from: rcpt to: randomly selected address to: randomly selected address Subject: New and even larger serial number list out now!
Do you need a serial number for a unregistrated program of yours?
Do you feel like you have looked for it everywhere?
Even in the newest version of Phrozen Crews Oscar?
If you can answer -yes- to some of the above questions and are still looking for a serial number, this might be the program you have been waiting for.
We have collected serial numbers for many years and are now proud to release the very first version of our serial number collection, which contains more than 15.000 serial numbers.
Attached to this message is the very first version of our serial number collection.
Yours, Serial number collectors
Message 3 -------------------------------------------------------------
mail from: from: rcpt to: randomly selected address to: randomly selected address Subject: New and 100% free XXX site
Dear potential customer,
We have just opened a new erotic site with more than 10.000 .JPGs and more than 1.000 .MPG/.VIV/.AVI/.MOV/etc.
We offer you the opportunity of a lifetime, we are giving away a months access, without being charged, to our new site in exchange for your opinion.
All you have to do is execute the attached advert, which will generate your personal User ID, you dont even have to provide information as your personal credit card number, etc.
And if you like our site, please tell all your friends about us.
Top Viruses Visited Pages:
Baboo - 685 visits
Invader. - 546 visits
Firstling.199 - 271 visits
Spartak.110 - 243 visits
Macro.Excel.Hidemo - 242 visits
Coito.64 - 237 visits
not-a-virus:RemoteAdmin.Win32.RAdmin.2 - 235 visits
Worm.P2P.Harex. - 233 visits
Small.58. - 225 visits
DDoS.Win32.Kozo - 206 visits
Random Viruses Pages: