Gidra.469
Description Gidra.469
These are harmless, non-memory-resident parasitic viruses. They search for .COM files and append themselves to the end of each file. They contain the internal text string: I'm GIDRA v1.6 : Life is Good, But Good Life Better Yet.
I-Worm.Calposa
Description I-Worm.Calposa
Calposa is a worm virus spreading via the Internet as an attachment to infected emails as well as through the Kazaa file-sharing network. The worm itself is a Windows PE EXE file about 57KB in length and is written in Visual Basic.

The infected email messages have the following attributes:

Subject: Anti-Virus Programs are corrupting your Software!
Body: Want to know why you get junk mail? Well Here is proof that AV's are corrupting your programs and Sell your Private information to Web Company's! Why do you think there are so much virus's out there? well its these Company's that spread them and then sell you there product to delete them! check it out nowall (p.s. its attatched)
Attach: ActiveX.exe, or Telnet.exe, or MSWord.exe

The worm activates from an infected email only when a user clicks on the attached file. The worm then installs itself to the system and runs its spreading routine and payload.

Installing
While installing, the worm copies itself to the system under the following names:
C:\Windows\ActiveX.exe
C:\Windows\SCR.exe
C:\Windows\Explorer.exe
C:\Windows\Telnet.exe
C:\Windows\MSWord.exe
C:\Windows\FUCK_AVs.exe
C:\Windows\regedit.exe
C:\Windows\Mixer.exe
C:\WINDOWS\System\Explorer.exe

The worm does not register any of these files in the system registry auto-run key, or in any other "auto-run" key or command.

Spreading: Email
To send infected messages, the worm uses MS Outlook and sends messages to all addresses found in the Outlook address book.

Spreading: Kazaa
The worm copies itself to the "C:\Program Files\KaZaa\My Shared Folder" directory with the following names:
norton_crack.exe
UT3_full_crack.exe
Windows_Hack.exe
Sims_Patch.exe

If this directory is a Kazaa file-sharing directory, the worm will spread over the Kazaa network.

Payload
The worm displays the message:
UH OH WORM! ... Calposa by Industry @ ANVXgroup ...

The worm writes the following data to the "c:\Windows\System.ini" file:
[About]
Author = Industry
VXgroup = ANVXgroup (Auxnet)
Virus = ANVX (WIN32.calposa@mm)
Shouts to = Indovirus, mANiAC89, Retro, Iwing, and every one else.
Fuck = Fuck all AV's, we keep you in a job so give us a bit of slack!
To the rest = ANVX the one and only!

On April 1st the worm deletes all files in the following directories:
C:\Windows
C:\Windows\System32
C:\Windows\System
C:\Windows\inf
C:\Program Files\Kazaa

It then deletes the file:
C:\AutoExec.bat

and displays the message:
Industry ...ping? pong!...

On February 16th the worm displays a red-colored picture with the text "ANVX by industry" on it.

On April 2nd the worm displays the message:
UH OH WORM! ... Second Release From Industry ...
I-Worm.Cervivec
Description I-Worm.Cervivec
Cervivec is an Internet worm virus spreading via the Internet as an email attachment. The worm itself is a Windows PE EXE file about 230Kb in size, written in Delphi. It is compressed by UPX; the decompressed size is about 670Kb.

The infected messages have Subject/Body content randomly selected from different variants in different languages:
Vtip Cau posilam ti cerviky tak se na to podivej (virus to neni)
Vtip Cau posielam ti cerviky tak sa na to pozri (virus to neni)
Witz Hallo, Ich habe ein guter Witz-Wurm so sieh! (kein virus)
blague J'ai une bonne blague ca s'appelle verre de terre alors jette un coup d'oeil (il n'y a pas de virus)
ÉÇ×? ?Á³??×, ' ?-Ð ?Â×Í ?Á³?R'Í- Ð É×ÇÚ? ?ÁR?? Ú?Á?Ð? (Î×R -? ?³ÁÇÂ)
Joke Hi, I have some cool joke - worms so have a look at it (no virus)
Zart Czesc, mam swietnz dowcip - robaka. Obejrzyj go sobie (to nie jest wirus)
Chiste Hola te mando los gusanilloes. Pues mirarlos (no es un virus)

The worm activates from an infected email only if a user clicks on the attached file. The worm then installs itself into the system and runs its spreading and 'effect' routines (colored "worms" eating the desktop).

While installing itself, the worm copies itself to the Windows directory and to the SYSTEM32 subdirectory with the name "ntkrnl.exe". It then registers that file in the system registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Kernel Loader = %WindowsDir%\system32\ntkrnl.exe -LOADDRIVERS=TRUE