Parent class: VirWare

Viruses and worms are malicious programs that self-replicate on computers or via computer networks without the user being aware; each subsequent copy of such malicious programs is also able to self-replicate. Malicious programs which spread via networks or infect remote machines when commanded to do so by the “owner” (e.g. Backdoors) or programs that create multiple copies that are unable to self-replicate are not part of the Viruses and Worms subclass. The main characteristic used to determine whether or not a program is classified as a separate behaviour within the Viruses and Worms subclass is how the program propagates (i.e. how the malicious program spreads copies of itself via local or network resources.) Most known worms are spread as files sent as email attachments, via a link to a web or FTP resource, via a link sent in an ICQ or IRC message, via P2P file sharing networks etc. Some worms spread as network packets; these directly penetrate the computer memory, and the worm code is then activated. Worms use the following techniques to penetrate remote computers and launch copies of themselves: social engineering (for example, an email message suggesting the user opens an attached file), exploiting network configuration errors (such as copying to a fully accessible disk), and exploiting loopholes in operating system and application security. Viruses can be divided in accordance with the method used to infect a computer:
  • file viruses
  • boot sector viruses
  • macro viruses
  • script viruses
Any program within this subclass can have additional Trojan functions. It should also be noted that many worms use more than one method in order to spread copies via networks.

Class: Virus

Viruses replicate on the resources of the local machine. Unlike worms, viruses do not use network services to propagate or penetrate other computers. A copy of a virus will reach remote computers only if the infected object is, for some reason unrelated to the virus function, activated on another computer. For example: when infecting accessible disks, a virus penetrates a file located on a network resource a virus copies itself to a removable storage device or infects a file on a removable device a user sends an email with an infected attachment.

Read more

Platform: Win32

Win32 is an API on Windows NT-based operating systems (Windows XP, Windows 7, etc.) that supports execution of 32-bit applications. One of the most widespread programming platforms in the world.


Technical Details

This virus spreads under Win32 (Win95/98 and WinNT) and infects the PE EXE files (Portable Executable). The virus has quite large size for a program that is written in Assembler - about 15Kb. It is polymorphic virus.

The most interesting feature of this virus is its ability to send infected EXE files to the Internet by using standard Email protocols (see also other viruses that send infected messages via Email: "Win.RedTeam", "Macro.Word97.Antimarc", "Macro.Word.Innuendo", "Macro.Word.ShareFun").

Depending on the random counter the virus calls its second Internet-accessing routine. This time the virus does not spreads its copies, but just looks for the DialUp database and sends to virus' author.

The virus code contains author's "copyrights":

- Parvo BioCoded by GriYo / 29A - Win32 Tech Support by Jacky Qwerty / 29A
- Thanks to Darkman / 29A and b0z0 / Ikx for their ideas and strategy
- Parvo is a research speciment, do not distribute
- c1999 29A Labs ... We create life -

Many virus routines (infection, polymorphic) have the same features like the "Win95.Marburg" virus has. The virus writes itself to the end of last file section; does not modify PE entry address but patches the original program's entry code with JMP_Virus instruction, or with a block of junk code that at the end passes the control to virus code; e.t.c.

When the virus takes control, the polymorphic decryption loop and additional lite decryption routine restore the virus code and pass the control to the main virus routine.

The virus protects its code by using CRC method. It calculates the CRC of its code and exits, if the CRC is not correct. It seems that this feature is necessary for the virus because it sends infected files via the Internet, so the CRC checking prevents corrupted copies execution.

The virus then scans Windows kernel and looks for file accessing, searching, and other API functions that are used by the virus. While looking for API functions the virus does not uses their names, but checksums. To find necessary string in Windows kernel the virus just calculates their CRCs one-by-one and compares the results with a table of pre-calculated values that are saved in virus code.

To infect files on the disk the virus looks for them in current, Windows and Windows system directories. The virus also affects the files in directories, that contain the installed Internet browser and Email reader. The virus gets these directories names from the System Registry.

The virus does not infect all files that are found, but only files with specific names: IEXPLORE.EXE, INSTALL.EXE, NETSCAPE.EXE, NOTEPAD.EXE, SETUP.EXE, WINZIP32.EXE, and some other. To compare file names the virus also uses the checksum method as while looking for API functions.

To return control to the host program the virus creates its copy with a random selected name, disinfects and executes it. The virus then waits for host file exiting, so the virus code stays in memory up to the moment the host program terminates. Although the virus code may stay in the memory for a long time, the virus is not memory resident. It does not hook any system events and does not intercept file opening/execution to infect them.

To send infected files to the Internet the virus connects the Internet by using standard Windows functions, gets a random selected Email address, send a hoax message to it and attaches to the message the infected EXE dropper (see the text of messages below). To get a victim Email address the virus goes to several newsgroups, reads random selected message and looks for FROM string in there. When this ID text is found, the virus uses followed address to send the infected message.

The infected file name is selected from three possible variants: MSEFIXI.EXE, LSERIAL.EXE or HOTEENS.EXE. The messages (including headers) are also selected from three variants:

Message 1 -------------------------------------------------------------

mail from: from: rcpt to: randomly selected address to: randomly selected address Subject: Present security risk using Microsoft Internet Explorer and Outlook Express

A new and dangerous virus has hit the Internet.


When the email client receives a malicious mail or news message that contains an attachment with a very long filename, it could cause the email to execute arbitrary code automaticly on the client workstation, thus infecting the machine.

Microsoft has been aware of this problem from the very beginning and presents here a patch for the two of our products in which it exploits.

Outlook 98 on Windows � 95, Windows 98 and Microsoft Windows NT � 4.0 Outlook Express 4.0, 4.01 (including 4.01 with Service Pack 1) on Windows 95, Windows 98 and Windows NT 4.0 Netscape Mail Clients


Customers using this products for Windows 95, Windows 98 or Windows NT 4.0 should execute the attached patch or download an updated patch from:

Please patch your computer(s) as soon as possible and help us fight this threat to the Internet.

Thank for your time.

Microsoft Support

Message 2 -------------------------------------------------------------

mail from: from: rcpt to: randomly selected address to: randomly selected address Subject: New and even larger serial number list out now!


Do you need a serial number for a unregistrated program of yours?

Do you feel like you have looked for it everywhere?

Even in the newest version of Phrozen Crews Oscar?

If you can answer -yes- to some of the above questions and are still looking for a serial number, this might be the program you have been waiting for.

We have collected serial numbers for many years and are now proud to release the very first version of our serial number collection, which contains more than 15.000 serial numbers.

Attached to this message is the very first version of our serial number collection.

Yours, Serial number collectors

Message 3 -------------------------------------------------------------

mail from: from: rcpt to: randomly selected address to: randomly selected address Subject: New and 100% free XXX site

Dear potential customer,

We have just opened a new erotic site with more than 10.000 .JPGs and more than 1.000 .MPG/.VIV/.AVI/.MOV/etc.

We offer you the opportunity of a lifetime, we are giving away a months access, without being charged, to our new site in exchange for your opinion.

All you have to do is execute the attached advert, which will generate your personal User ID, you dont even have to provide information as your personal credit card number, etc.

And if you like our site, please tell all your friends about us.

Read more

Find out the statistics of the vulnerabilities spreading in your region on

Found an inaccuracy in the description of this vulnerability? Let us know!
Kaspersky Next
Let’s go Next: redefine your business’s cybersecurity
Learn more
New Kaspersky!
Your digital life deserves complete protection!
Learn more
Confirm changes?
Your message has been sent successfully.