Hatev.524
Description Hatev.524
It is a harmless memory resident encrypted parasitic virus. It hooks INT 21h and writes itself to the end of COM files that are executed. The virus does not manifest itself. It contains the text string: THIS IS [HATE V1.0] VIRUS
IRC-Worm.Banishing.2373
Description IRC-Worm.Banishing.2373
This is an mIRC worm combined with a memory resident parasitic stealth DOS virus. The DOS instance, when run, hooks INT 21h, and writes itself to the end of DOS COM and EXE files that are executed or opened. The virus is encrypted in COM and EXE files. To spread its worm component via mIRC channels, it overwrites the SCRIPT.INI file in the C:\MIRC directory with a set of instructions that send this SCRIPT.INI file to the channel upon file sending and receiving as well as to users that are leaving the channel. The worm does not send the infected DOS file to the channel, only the SCRIPT.INI file. The infected script also manifests itself with messages: when an infected client connects to a channel, it joins the "virus" channel and sends the following text there: Will not the mountains quake and hills melt at the coming of the darkness? Dark Banishing V1.0
If the text "virus" is found in the channel, the worm sends the same message to this channel. The worm also contains the text strings: Dark Banishing Version 1.0 Dark Banishing V1.0 By VxFaeRie
IRC-Worm.Blackout
Description IRC-Worm.Blackout
Blackout is an IRC worm spreading via IRC channels. The worm itself is a Word document and contains one macro called "Blackout".
Installing
When the worm is executed, it does the following: Adds the value "Level 1" to the registry key: HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security
Blackout attempts to disable the Security menu item in the Macro menu and creates in the root directory of the C: disk a file called "blackout.vxd" in which it writes the source code. Additionally this file is used to infect all Word documents in the directory C:\mydocu~1. The worm creates the file C:\Blackout.vbs and registers this file in the automatic launch string of the system registry:
HKEY_LOCAL_MACHINE\Microsoft\Windows\CurrentVersion\Run
Blackout adds the value ppacket by pickpacket to the registry key: HKEY_LOCAL_MACHINE\Software\Blackout
Blackout copies itself to the C:\Readme.txt.doc.
Spreading
Blackout searches for the "Mirc32.exe" file in the folders: C:\Mirc and C:\Progra~1\Mirc. If the worm finds the "Mirc32.exe" file in these folders it attempts to overwrite the "Script.ini" file in the same folder(s). The "Script.ini" file is a short mIRC program that sends the C:\Readme.txt.doc file to everybody who enters an infected channel.
Payload
If the hour is 0 or 23, the worm may use the Microsoft Office Assistant to display the following message: W97M/Blackout This goes out to the people in the power companies!!!
Blackout then changes the value to "NoClose" in the registry key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
This hides the "Shut Down" menu item on the Start menu.
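The file-system traces in the Blackout description can be checked on a mounted copy of drive C:. The following is an added example, not part of the original description: the function names, the "Program Files" long-name fallback for Progra~1, and the assumption that a replaced Script.ini names the document it sends are all illustrative, and the registry values are not covered.

```python
import tempfile
from pathlib import Path

# Root-level files the description says Blackout creates on drive C:
FILE_ARTIFACTS = ["blackout.vxd", "Blackout.vbs", "Readme.txt.doc"]
# mIRC folders from the description; "Program Files" is an assumed long
# name for the 8.3 alias Progra~1, which a mounted image may not expose.
MIRC_DIRS = ["Mirc", "Progra~1/Mirc", "Program Files/Mirc"]

def resolve_ci(root, rel):
    """Resolve rel under root, ignoring case (Windows paths are case-insensitive)."""
    cur = Path(root)
    for part in rel.split("/"):
        if not cur.is_dir():
            return None
        cur = next((e for e in cur.iterdir() if e.name.lower() == part.lower()), None)
        if cur is None:
            return None
    return cur

def triage(root):
    """Return sorted (kind, relative path) findings for a mounted copy of drive C:."""
    findings = []
    for name in FILE_ARTIFACTS:
        hit = resolve_ci(root, name)
        if hit and hit.is_file():
            findings.append(("file", hit.relative_to(root).as_posix()))
    for folder in MIRC_DIRS:
        script = resolve_ci(root, folder + "/Script.ini")
        # Assumption: a replaced Script.ini names the document it sends.
        if script and script.is_file() and b"readme.txt.doc" in script.read_bytes().lower():
            findings.append(("script", script.relative_to(root).as_posix()))
    return sorted(findings)

def demo():
    """Run triage over a constructed directory tree (not real sample data)."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "BLACKOUT.VXD").write_text("constructed placeholder")
        (Path(root) / "readme.txt.doc").write_text("constructed placeholder")
        mirc = Path(root) / "Program Files" / "mIRC"
        mirc.mkdir(parents=True)
        (mirc / "script.ini").write_text("; constructed line naming C:\\Readme.txt.doc\n")
        clean = Path(root) / "mirc"
        clean.mkdir()
        (clean / "script.ini").write_text("; constructed clean script\n")
        return triage(root)

if __name__ == "__main__":
    for kind, path in demo():
        print(kind, path)
```

A hit on Script.ini alone is only a lead for manual review, since the match is a plain substring test.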