Virus Database

EasyRider.2108

Description EasyRider.2108

It is not a dangerous memory resident stealth parasitic virus. It hooks INT 8 (timer), traces and hook INT 21h and writes itself to the end of COM and EXE files that are accessed. The virus infects files on floppy disks and network drives only. The only file on local computer is infected - it is the COMMAND.COM file.
The virus disinfects the COMMAND.COM on opening a file with names A-DINF-*.* (stealth). The virus also switch off its stealth function when the files are executed:
NDD, SCANDISK, CHKDSK, PKZIP, ARJ, LHA

The INT 8 handler periodically "shakes" the screen.
The virus contains the text strings:
[21st Century man]
Easy Rider ,Ni+eM/|re

Check other viruses! Be aware! Use Antiviral Software

IRC-Worm.Lucky

Description IRC-Worm.Lucky

This is a IRC worm that spreads through the IRC channel using mIRC and PIRCH clients for spreading. The worm appears on a computer as the LK7.EXE Windows program about 500K in length. When this file is executed by a user, the worm installs itself into the system, copies the LK7.EXE to the C:WINDOWS directory, then searches for mIRC and PIRCH clients in current, C:MIRC, C:MIRC32, C:PIRCH98 directories, and modifies IRC scripts there.
The worm also installs the ""Backdoor.NetBus" Trojan to the system. To do this, the worm keeps the Trojan's code in its body, extracts it from there, copies to the C:WINDOWS directory with IRCPATCH.EXE name, and executes it.
The worm contains the "copyright" text:
LUCKY B.R.D 1994-99 [LK-7]all
To spread through mIRC channel the worm creates the new script file LK7.INI and sets a reference to this file in the mIRC system script file MIRC.INI. The worm's script intercepts a set of events and uses them to spread its copy to channels and manifest itself:
on a new user joining infected channel, or on files transfer the worm sends its copy (the C:WINDOWSLK7.EXE file) to this user.
if the text "leave!!!" appears in channel, the worm sends to the channel the message "Your will is my command" and leaves the channel.
on "LUCKY !!" text the worm sends to the channel the message "I am a Lamer !!" and changes affected user's nick to "Lamer".
on "Die!!!" text the worm reacts with the "Be sure, I will commit suicide now .. RIP" message and leaves chat.
on "virus" and "virii" strings the virus sends to the channel the text I am infected with [LK-7]..By LUCKY B.R.D 1994-99.Win32 VIRUS".
and so on.
To spread its copy to mIRC channels, the worm also modifies the system registry keys that are responsible for mIRC events, and in some events, the worm also sends its copy to channels.
To spread to PIRCH, the worm creates the new script file EVENTS.INI that contains a command that sends a worm copy to all users that enter the infected channel.
Variants
There are several known variants of the original worm. They are crippled (infect only the mIRC client, for instance) and do not install backdoor files. They spread as files with the names:
"Lucky.b": CLICK-IT.EXE
"Lucky.c": APPOLO.EXE

IRC-Worm.Mabra.a

Description IRC-Worm.Mabra.a

This is a silly IRC worm that spreads through IRC channels using mIRC client for spreading. The worm appears on a computer as the DOS EXE file with MABRA.EXE, CDMAN.EXE, or GLADYS.EXE filename (depending on the worm's version), and about 14K in file size. When this file is executed by a user, the worm copies itself into C:WINDOWS, C:WINDOWSSYSTEM or C:WINDOWSSYSTEM32 directory (depending on worm version), and overwrites the mIRC script file SCRIPT.INI in the C:MIRC directory. The new script sends the worm copy to any user that enters an infected channel.
Depending on the system time, the worm erases the C:WINDOWSWIN.COM file.

Home