Anarchy.666
Description Anarchy.666
This is a dangerous memory-resident parasitic stealth virus. It hooks INT 21h and writes itself into COM and EXE files when they are closed. When infecting a COM file, it either writes itself into the middle of the file (if the file contains an area of constant-value bytes) or overwrites the beginning of the file; in the latter case it saves the original file beginning in the free space of the file's last disk cluster (see the "Beast" virus). During infection it uses a very complex method of accessing undocumented system functions. In some cases it corrupts files while infecting them; these files are not recoverable and should be deleted. The virus contains the internal text string: [all] ANARCHY [...]
IRC-Worm.Radex
Description IRC-Worm.Radex
This is a virus-worm that spreads via IRC channels. The worm itself is a batch-script file about 3 Kb in length. The worm copies itself to the following batch files:
C:\Windows\winstart.bat
C:\Windows\LINUX_SH_DOS_BAT_WIN_JS.bat
C:\Win95\LINUX_SH_DOS_BAT_WIN_JS.bat
C:\Win98\LINUX_SH_DOS_BAT_WIN_JS.bat
C:\WinME\LINUX_SH_DOS_BAT_WIN_JS.bat
The batch file drops and executes the JS file LINUX_SH_DOS_BAT_WIN_JS.JS. This JS file displays a dialogue window with the following Title/Subject: Radix16/SMF SH-BAT-JS
After this, the worm creates a new e-mail message and sends it to the following address: Radix16@atlas.cz
The infected messages contain the following:
Subject: SHBATJS
Body: crazzy bat :) testing MS OTLOOK in the (WORLD)
Attach: LINUX_SH_DOS_BAT_WIN_JS.bat
The virus-worm also creates the file C:\MIRC\SCRIPT.INI. This INI file sends the batch file to the IRC channels.
Installing
While installing, the worm copies its JS component to the Windows directory with the name C:\WINDOWS\LINUX_SH_DOS_BAT_WIN_JS.JS, and registers this file in the WIN.INI run section.
The worm also contains the following text strings: # /bin/sh -=LINUX START=- -=DOS/WIN START=- ONLY SAMPLE (TEST) LINUX SH DOS BAT WIN JS all........ WoRlD iS mY
IRC-Worm.Readme.1077
Description IRC-Worm.Readme.1077
This is an IRC worm that spreads through IRC channels using the mIRC client. The worm appears on a computer as the README.EXE DOS program. When a user executes this file, the virus installs itself resident in DOS memory and infects DOS COM files (except COMMAND.COM) as they are executed. The virus is encrypted in infected files, and its code is placed at the end of the files. The virus also creates its "dropper" README.EXE on the C: drive (this file has the "hidden" attribute) and "registers" it in the very first lines of C:\AUTOEXEC.BAT: they contain an instruction to execute the virus dropper upon each reboot. To spread through mIRC channels, the virus searches for the C:\INTERNET\MIRC directory and creates a SCRIPT.INI file there that contains just one command, which sends the README.EXE dropper to anybody joining the infected channel. The worm contains the following text strings: ;-)x whose name means dark matter vir-L