Eka.4096
Description Eka.4096
This is a non-dangerous memory-resident parasitic virus. It hooks INT 10h, 17h and 21h and writes itself to the end of COM and EXE files. To infect files, the virus intercepts file execution, then searches for files and infects them. Depending on its internal counter, the virus changes characters that are printed. Depending on the system conditions, the virus displays the following picture:

+--------------------------+
| Beware of the 'Virus |
| xxxxx X xx xxxxx |
| xxxx Xxx xxxxx |
| xxxx x x x x |
+--------------------------+
IRC-Worm.Pron.576
Description IRC-Worm.Pron.576
This is an IRC worm that spreads through IRC channels using the mIRC client. The worm is encrypted and very small, only about 600 bytes, and appears as the PR0N.BAT file. When this file is executed on a computer, it copies itself under the name PR0N.COM and executes that copy as a DOS program. The worm code is built so that it can be executed as a DOS COM file as well as a DOS batch file, so the main worm routine (as a COM program) gains control and installs the worm into the system.

To infect the system, the worm uses a very naive method: it copies its BAT file under the same name to the Windows system directory using the hard-coded path C:\WINDOWS\SYSTEM. If Windows is installed in any other directory, the worm fails to install itself. The worm then creates the WINSTART.BAT file and overwrites it with the worm's code.

To spread itself via IRC channels, the worm overwrites SCRIPT.INI in the mIRC directory. The worm looks for this directory in four locations:

C:\MIRC
C:\MIRC32
C:\PROGRA~1\MIRC
C:\PROGRA~1\MIRC32
The worm's script is very short and just sends the worm's BAT file to all users joining an infected channel. The worm also contains the "copyright" text: IRC-pr0n.bat v1.0 (c) nUcLeii 1999
IRC-Worm.Radex
Description IRC-Worm.Radex
This is a virus-worm that spreads via IRC channels. The worm itself is a batch-script file about 3 Kb in length. The worm copies itself to the following batch files:

C:\Windows\winstart.bat
C:\Windows\LINUX_SH_DOS_BAT_WIN_JS.bat
C:\Win95\LINUX_SH_DOS_BAT_WIN_JS.bat
C:\Win98\LINUX_SH_DOS_BAT_WIN_JS.bat
C:\WinME\LINUX_SH_DOS_BAT_WIN_JS.bat
The batch file drops and executes the JS file LINUX_SH_DOS_BAT_WIN_JS.JS. This JS file displays a dialogue window with the following Title/Subject: Radix16/SMF SH-BAT-JS
After this, the worm creates and sends a new e-mail message to the following address: Radix16@atlas.cz

The infected messages contain the following:

Subject: SHBATJS
Body: crazzy bat :) testing MS OTLOOK in the (WORLD)
Attach: LINUX_SH_DOS_BAT_WIN_JS.bat

The virus-worm also creates the file C:\MIRC\SCRIPT.INI. This INI file sends the batch file to the IRC channels.

Installing

While installing, the worm copies its JS component to the Windows directory with the name C:\WINDOWS\LINUX_SH_DOS_BAT_WIN_JS.JS, and registers this file in the WIN.INI run section.

The worm also contains the following text strings:

# /bin/sh -=LINUX START=- -=DOS/WIN START=- ONLY SAMPLE (TEST) LINUX SH DOS BAT WIN JS all........ WoRlD iS mY