Spyware



September 5, 2007

W95Dupator

Filed under: Spyware News — Spyware Parasites: Terms and Definitions @ 10:33 am
W95/Dupator is a memory-resident, nondestructive virus designed to infect Windows systems. W95/Dupator becomes active in memory by infecting the Windows system file kernel32.dll. Once it is executed, W95/Dupator searches for kernel32.dll in the Windows system folder and copies the infected file into the Windows folder. This allows W95/Dupator to load at startup and stay memory resident.

Dumaru

Filed under: Spyware News — Spyware Parasites: Terms and Definitions @ 7:25 am
Dumaru is a file infector and a mass-mailing worm that tries to disguise itself as a security patch coming from Microsoft. Once it is executed, Dumaru drops an IRC-controlled backdoor component onto the infected system. In addition, Dumaru recursively searches files on all drives for email addresses and then sends copies of itself to every address it finds. Dumaru uses its own SMTP engine to send emails with infected attachments.

W32Deloder

Filed under: Spyware News — Spyware Parasites: Terms and Definitions @ 6:22 am
W32/Deloder is a worm that spreads via network shares that are protected by weak passwords. As such, infected networks will see an increase in traffic on TCP port 445. W32/Deloder requires Windows 2K/XP in order to spread. Computers compromised by W32/Deloder have an additional backdoor, a tool that is typically used for network administration. This tool allows the attacker to remotely control the compromised system or spy on every single keystroke. W32/Deloder installs the administration tool with the same password on all systems, so that amateur attackers can utilize these compromised systems.

W32Deborm

Filed under: Spyware News — Spyware Parasites: Terms and Definitions @ 6:04 am
W32/Deborm is a network worm with many variants that drop different backdoors and different Trojans onto infected systems. Once W32/Deborm gains access to a LAN, it will spread to all the machines it can find that have writable file shares without a password or with an easily guessable password.

W32CTX

Filed under: Spyware News — Spyware Parasites: Terms and Definitions @ 5:35 am
W32/CTX is a worm that arrives in an e-mail as an attachment called SETUP.EXE. The icon for the file looks just like a standard Windows icon, except for the color. The message within the e-mail is a simple smiley ":)". While W32/CTX is in memory, it scans all of the following file types for potential victims by picking out e-mail addresses: DBX, EML, HTM, HTML, IEX, MBX, NCH, TXT. W32/CTX uses several techniques designed to evade detection by anti-virus software products.

W97MColdApe

Filed under: Spyware News — Spyware Parasites: Terms and Definitions @ 5:34 am
W97M/ColdApe is a macro virus that combines VBS virus and Visual Basic for Applications virus techniques. W97M/ColdApe is also one of the first viruses to use the "AddFromString" method to infect documents. Once it is executed, W97M/ColdApe checks for the presence of the comment "AVM" in the Normal Template. If the comment does not exist, W97M/ColdApe infects the GlobalTemplate (usually Normal.dot) in the "ThisDocument" stream, so that all documents that are opened will be infected with this virus.
