Class: Worm
Platform: Win32

Parent class: VirWare

Viruses and worms are malicious programs that self-replicate on computers or via computer networks without the user being aware; each subsequent copy of such malicious programs is also able to self-replicate. Malicious programs which spread via networks or infect remote machines only when commanded to do so by the "owner" (e.g. Backdoors), or programs that create multiple copies that are unable to self-replicate, are not part of the Viruses and Worms subclass. The main characteristic used to determine whether a program is classified as a separate behaviour within the Viruses and Worms subclass is how the program propagates (i.e. how the malicious program spreads copies of itself via local or network resources).

Most known worms are spread as files sent as email attachments, via a link to a web or FTP resource, via a link sent in an ICQ or IRC message, via P2P file sharing networks, etc. Some worms spread as network packets; these directly penetrate the computer memory, and the worm code is then activated. Worms use the following techniques to penetrate remote computers and launch copies of themselves: social engineering (for example, an email message suggesting the user open an attached file), exploiting network configuration errors (such as copying to a fully accessible disk), and exploiting loopholes in operating system and application security.

Viruses can be divided according to the method used to infect a computer:
  • file viruses
  • boot sector viruses
  • macro viruses
  • script viruses
Any program within this subclass can have additional Trojan functions. It should also be noted that many worms use more than one method in order to spread copies via networks.

Class: Worm

Worms spread on computer networks via network resources. Unlike Net-Worms, a user must launch a Worm in order for it to be activated. This kind of worm searches remote computer networks and copies itself to directories that are read/write accessible (if it finds any). Furthermore, these worms either use built-in operating system functions to search for accessible network directories and/or they randomly search for computers on the Internet, connect to them, and attempt to gain full access to the disks of these computers. This category also covers those worms which, for one reason or another, do not fit into any of the other categories defined above (e.g. worms for mobile devices).

Platform: Win32

Win32 is an API on Windows NT-based operating systems (Windows XP, Windows 7, etc.) that supports execution of 32-bit applications. It is one of the most widespread programming platforms in the world.

Description

Technical Details

This is a very dangerous Win32 virus-worm. The virus itself is a Windows PE EXE file about 23 KB in length (compressed by UPX; about 52 KB when decompressed), written in Microsoft Visual C++. It spreads via the local network and infects Win32 EXE applications (PE EXE files) there. While infecting, the virus moves the beginning of the host file to the end of the file, then writes itself to the beginning of the file. As a result, when an infected file is started, the virus code takes control.
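The prepending layout described above (virus body at offset 0, displaced host appended after it) leaves a recognisable trace: a complete second PE image following the first image's last section. The following added detection heuristic is example code written for this page, not Kaspersky's tooling; it parses only the fields it needs from the PE headers, also checks for the "Bumerang" text string listed at the end of this description, and uses constructed minimal PE stubs as sample input.

```python
import struct

MARKER = b"Bumerang"  # text string the description says the virus contains


def pe_image_end(buf):
    """Return the offset just past the last section's raw data, or None if
    buf does not parse as a PE file (MZ header, e_lfanew, PE signature)."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if e_lfanew + 24 > len(buf) or buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    num_sections = struct.unpack_from("<H", buf, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", buf, e_lfanew + 20)[0]
    sec_table = e_lfanew + 24 + opt_size
    end = sec_table + num_sections * 40
    for i in range(num_sections):
        off = sec_table + i * 40
        if off + 40 > len(buf):
            return None
        raw_size, raw_ptr = struct.unpack_from("<II", buf, off + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def scan_bytes(buf):
    """Flag the layout the description gives: a PE at offset 0 whose data
    after the last section is itself a complete PE (the displaced host).
    A plain overlay (installer data, signature) does not trigger this."""
    end = pe_image_end(buf)
    host = pe_image_end(buf[end:]) if end is not None and end < len(buf) else None
    return {"prepended_host": host is not None,
            "host_offset": end if host is not None else None,
            "marker_string": MARKER in buf}


def build_min_pe(section_data):
    """Constructed, non-runnable one-section PE used only as sample input."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    raw_ptr = e_lfanew + 24 + 40          # no optional header in this stub
    sec = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(section_data), 0x1000, len(section_data), raw_ptr,
        0, 0, 0, 0, 0x60000020)
    return dos + coff + sec + section_data


if __name__ == "__main__":
    clean = build_min_pe(b"\x90" * 64)
    infected = build_min_pe(b"\xCC" * 32 + MARKER) + clean  # host moved to end
    print(scan_bytes(clean), scan_bytes(infected))
```

Self-extracting archives and similar bundlers legitimately carry a second PE after the stub, so treat a hit as a candidate for closer inspection rather than a verdict.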

The virus uses Win9x-specific calls and can work on Win9x machines only. Because of its network "nature", the virus may infect files on NT machines, but the infected files cannot run there.

Virus Routines

When an infected file is run, the virus extracts its code from the infected host file and drops it to the Windows system directory under the name DDRAW32.DLL (this file is a Win32 PE application containing "pure" virus code). The virus then spawns this "pure code" DLL file, disinfects the host file and spawns it, returning control to the host program.

If any of these steps fails, the virus displays a "Fatal error" message.

When run, the DDRAW32.DLL virus file activates the main virus routines. There are four:

1. Registry routine. This one creates a Registry auto-run key:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce = %SystemDir%\DDRAW32.DLL

If the REGEDIT application is running, this routine temporarily removes this key, implementing a "stealth" mechanism for the auto-run entry.

2. Network infecting routine. This one sleeps for about four minutes, then enumerates network resources (shared drives) and infects files there. While infecting a shared drive, the virus first checks whether it is write-enabled. If the drive is shared for full access, the worm starts the Win32 file-infecting routine on that drive. This routine scans all directories on the drive and infects the PE EXE files it finds.

If a drive is mapped for limited access, the virus tries to log in with the "guest" name and a series of passwords. It appears that the virus tries to guess the real password, and starts the infecting routine if the login succeeds.

The virus also tries to gain access to a remote machine in four ways: first "as-is", then through the hidden administrative shares C$, D$ and E$.

3. Payload routine. An infected machine first stores the time and date of its first run in the system registry (see below). Once a certain interval has elapsed since that first run, the payload routine is activated; it terminates active processes according to the following list:

Msgsrv32, Mprexe, Explorer, Taskmon, Internat, Systray, Mmtask, ddraw32

The virus then extracts the "Win95.CIH" virus from its own code into a RUN.EXE file and executes it. The "Win95.CIH" destruction routine is patched so that it executes immediately. As a result, CIH's Flash BIOS and FAT destruction routines are activated at once.

4. Networking routine. This routine listens for messages from other already-infected machines in the network. At the same time, when the payload routine is activated, the networking routine sends a special "payload now" message to all other infected machines. As a result, when any infected machine triggers its payload, all other infected machines in the local network receive the "payload now" message and start their payload too, so all infected machines in the network are crashed at the same moment.

Stealth

In addition to its Registry stealth routine, the virus also hides its DDRAW32.DLL file. To do this, it hooks the process-enumeration functions and returns a "no process" result when the infected process is being searched for.

Other

The virus alters the following registry keys:

HKLM\System\CurrentControlSet\Services\Class
  Id
  Go

HKLM\Enum\Network
  Cnum
  Inum

The virus also contains the text string:

Bumerang
