Face.2844
Description Face.2844
This is a relatively harmless, memory resident parasitic virus. It hooks INT 21h, and writes itself to the end of .COM and .EXE files that are executed. On the 4th of any month, the virus creates two files with names that appear as follows: o o T___T
The virus then plays music and displays the messages: Hej ludziu! Moj Autur ma urodziny pozwol wiec, ze: RESET TERAZ TO STRATA DANYCH NA ZAWLSZE Szyfrowanie tablicy FAT Blokada glowic Zwarcie baterii CMOS Teraz spokoj ! I lepiej nic nie ruszaj Dlugo bedziemy sie tak mierzyc osle ? Jestes niezdecydowany ? Idz do mamy ! Powiedzialbys cosall No,no! Tylko nie ku*wa ! I wylacz NumLock bo prad zre I co pekasz ! Jestem niegrozny Mam przeciez serce. Chcesz zobaczyc ? Kutasika tez mam. Pedal ? A teraz nacisnij dowolny wcisk... bym zaczal formatowac dysk. To juz koniec. Na przylosc przytrzymaj ESC, zeby przebiec szybko te texty PS. Jak masz szczescie to nie bedziesz mial dzis klopotow z windows (tfu...), bo moze sie z mojego powodu nie uruchomia. Niestety nie jest to regula; ku rozpaczy gawiedzi
I-Worm.Spam.Brief
Description I-Worm.Spam.Brief
Spam.Brief is a worm that spreads via the Internet as an attachment to infected e-mail messages. It is written in Visual Basic Script (VBS). To send out messages, the virus uses MS Outlook and sends messages to all addresses found in the Outlook address book on the victim machine.

The messages sent by the worm have the following:
Subject: here comes the subject
Message body text: here comes the body
Attachment name: virus.bat

Spreading
The virus spreads only when the file virus.bat appears in the root directory on drive C:. Thus the enclosed file will not work if the operating system tries to process it as a BAT-file.

Other versions
The virus is written in Visual Basic Script (VBS). To send out messages, the virus uses MS Outlook to send infected messages to all addresses found in the Outlook address book.

These messages sent by the trojan have the following:
Subject: Nice couple
Message body text: They want to meet you. http://briefcase.yahoo.com/youngwifedawn

The message itself does not contain an attached copy of the trojan.
I-Worm.SSIWG
Description I-Worm.SSIWG
This is a "LoveLetter"-like Internet worm that spreads via e-mail by sending infected messages from infected computers. While spreading, the worm uses MS Outlook and sends itself to all addresses that are stored in the MS Outlook Address Book.

The known worm version has a mistake (one instruction is mistyped), and the worm is not able to spread its copies via e-mail messages. However, the mistake may be easily fixed, and the worm will then be able to spread.

The worm is able to propagate through a local network. To do this, the worm enumerates network resources and copies itself there. The worm is not able to activate itself on a remote computer, and infects it only if a user happens to run the worm copy.

The worm itself is a VBS script program. The worm arrives as an e-mail message with:
Subject: I'am missing U
Message body: Could u remember me ?
Attachment name: Y072QWV.VBS

Upon being activated by a user, the worm copies itself to the Windows system directory with the same name (Y072QWV.VBS) and registers this copy in the auto-run section in the system registry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"Y072QWV" = %Windir%\Y072QWV.VBS

where "Windir" is the name of the Windows system directory.

The worm then spreads through a local network by copying its "Y072QWV.VBS" file to the root directory on drives shared for writing.

To send infected messages, the worm connects to MS Outlook, obtains all addresses from the address book and sends its messages to them (the subject, body and attachment name are the same as listed above).

Because the worm registers itself in the auto-run registry section, it is activated upon each Windows boot-up, but it does not spread by e-mail messages each time it is run. The worm has a counter that is stored in the Windows registry:

HKEY_LOCAL_MACHINE "Y072QWV" = number

where "number" is the number of starts (upon each start, the worm increases this counter). When the counter reaches 20, the worm resets it to zero and then runs an Outlook infection routine. Otherwise, the worm skips it. As a result, the worm sends infected messages only upon the first run (being activated from an infected message), and upon each 20th reboot. The local network spreading routine is activated each time the worm starts.

The worm has a feature that makes its detection a little more difficult. All text strings in the worm code are lightly encrypted, and the worm decrypts them when it needs to use them.
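A defender-side check for the auto-run persistence described above, as an added example that is not part of the original description: it parses the text output of `reg query` for the Run key and flags values that launch Windows Script Host files. The sample output, including the expanded C:\WINDOWS path and the other value names, is constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# File types run by Windows Script Host when started from a Run value.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}

# `reg query` prints each value as: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")

def parse_reg_query(text):
    """Yield (key, value_name, data) tuples from `reg query` text output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if m and key:
            yield key, m["name"], m["data"].strip()

def script_targets(data):
    """Return script paths referenced by a Run value's command line."""
    tokens = [q or u for q, u in re.findall(r'"([^"]+)"|(\S+)', data)]
    return [t for t in tokens if PureWindowsPath(t).suffix.lower() in SCRIPT_EXTS]

def audit_run_keys(text):
    """Flag Run-key values that start a script instead of a binary."""
    findings = []
    for key, name, data in parse_reg_query(text):
        if not key.lower().endswith(r"\currentversion\run"):
            continue
        hits = script_targets(data)
        if hits:
            findings.append({"key": key, "value": name, "script": hits[0]})
    return findings

# Constructed sample of `reg query` output (not captured from a real host).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SystemTray    REG_SZ    SysTray.Exe
    Backup Agent    REG_SZ    "C:\Program Files\Backup\agent.exe" /min
    Y072QWV    REG_SZ    C:\WINDOWS\Y072QWV.VBS
    Logon Helper    REG_SZ    wscript.exe //B "C:\Tools\logon helper.js"
"""

if __name__ == "__main__":
    for f in audit_run_keys(SAMPLE):
        print(f"{f['key']}: {f['value']} -> {f['script']}")
```

A flagged value is a lead for review rather than a verdict, since legitimate logon scripts are registered the same way.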