Virus Database


Hiperion.154

Description Hiperion.154

These are harmless memory-resident parasitic viruses. When an infected file is executed, the virus copies itself into the DOS data area at address 0060:0000 and hooks INT 21h. It then writes itself to the end of .COM files that are executed or loaded as overlays. "Hiperion.249" contains the text string "C:\COMMAND.COM" and infects this file while installing into memory.


I-Worm.Fintas

Description I-Worm.Fintas

This is a virus-worm that spreads via the Internet attached to infected files. The worm itself is a Windows PE EXE file about 36 KB in length, and is written in Visual Basic Script.
The worm activates from an infected e-mail only when a user clicks on the attached file. The worm then installs itself to the system, and runs its spreading routine and payload.
Installing
While installing, the worm copies itself:
to the Windows directory, the Windows system directory and the C: drive root, with the `.EXE name;
to the Windows TEMP directory, with a name that depends on the worm version:
FF8.EXE
FunnyFlash.EXE

The C:`.EXE file is then registered in the system registry auto-run key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
723 = c:`.exe
and in the Windows SYSTEM.INI file, [boot] section, in the "shell" auto-run command.
Spreading
To send infected messages, the worm uses MS Outlook and sends messages to all addresses found in the Outlook address book.
Subject, Body and Attachment name differ between the known worm versions:

Subject: Microsoft Shockwave Flash Movie
Body: Check "Family.exe" then you could see Microsoft family's Shockwave Flash Movie
Attachment: FamilyMovie.exe

Subject: CoolGame From %UserName%
Body: the cool game about Final Fantasy VIII :)
Attachment: FF8.EXE

Subject: FunnyFlashMovie From %UserName%
Body: the flash movie,check it !:)
Attachment: FunnyFlash.EXE

where %UserName% is the name of the affected machine.
Fintas.a
The first known worm version, after e-mail spreading, deletes the following files in the Windows directory: REGEDIT.EXE, SYSTEM.INI, WIN.INI, COMMAND\EBD\io.sys, and then the files C:\IO.SYS and C:\NETWORK.LOG. It then copies itself to the J: network drive (if it exists).
The worm then creates and spawns two VBS files, "c:\passwd.vbs" and "c:\leo.vbs", and then displays the following message:

The LEO.VBS file looks for files with the following extensions: .html .htm .asp .php .dll .com .txt .doc .xls .exe, and overwrites them with the text:
Hi! I am LEO
The PASSWD.VBS file looks for .PWL files (Windows password-list files) and sends them to the "leotam888@china.com" e-mail address with a "mypasswd" subject.
Payload - other versions
On the 23rd of any month, the worm runs its payload routine (which takes effect under Win9x systems only). It writes to the C:\MSDOS.SYS file an instruction that disables the Windows boot-up pausing and tracing, and then overwrites the C:\AUTOEXEC.BAT file with instructions that will format all drives from C: to Z: upon the next machine reboot.
Then the worm displays the message:

I-Worm.FireBurn

Description I-Worm.FireBurn

This is an Internet worm that spreads as a VBS file attached to e-mail messages. To send infected messages, the worm uses MS Outlook. The worm also is able to send its copies to IRC channels by infecting an mIRC client.
When the worm file is activated (by double-clicking on the attached file in an infected message, or by accepting it as an IRC download), it installs itself into the system by copying its code to the Windows directory with the RUNDLL32.VBS name and registering it in the auto-run section of the Windows registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
MSrundll32 = rundll32.vbs
As a result, the worm then activates each time Windows starts up.
E-mail messages
While mailing its copies, the worm connects to MS Outlook, gains access to the address book and sends its copies to all addresses listed there. Depending on the system configuration, the message has a different Subject and Body. Under the German Windows version, the message appears as follows:
Subject: Moin, alles klar?
Body: Hi, wie geht's dir?
Guck dir mal das Photo im Anhang an, ist echt geil ;)
bye, bis dann..
Under non-German Windows:
Subject: Hi, how are you?
Body: Hi, look at that nice Pic attached !
Watching it is a must ;)
cu laterall
The attached file name is randomly selected from eight variants:
Ultra-Hardcore-Bondage.JPG.vbs
Christina__NUDE!!!.JPG.vbs
CuteJany__BigTits!.GIF.vbs
MyGirlfriend__NUDE!.JPG.vbs
Aguiliera__NUDE!!.JPG.vbs
!Jany__Gets-fucked!.GIF.vbs
cute__EmmaPeel!!!.JPG.vbs
Julie17__xxx.GIF.vbs
A copy of the worm with the same (randomly selected) name is also created in the Windows directory (it is this copy that is attached to infected messages).
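The attachment names above and the Fintas attachments (FF8.EXE, FunnyFlash.EXE) share two patterns a mail gateway can screen for: a bare executable attachment, and a "double extension" where a picture-looking name actually ends in .vbs. The following is an added example, not code from the Virus-Database.com page or from either worm: it parses a constructed MIME message with Python's standard `email` module, pulls out attachment file names and the Subject, and reports both patterns. The subjects in `KNOWN_SUBJECTS` are the ones quoted on this page; the extension lists, the address placeholders and the message body are assumptions.

```python
"""
Added example (not from the Virus-Database.com page): a mail-gateway style
check that flags executable attachments, double-extension attachments such as
"picture.JPG.vbs", and the worm subject lines quoted on the page.
"""
import email
from email import policy

# Extensions an attacker appends to look like a picture or document (assumed list).
DECOY_EXTS = {".jpg", ".jpeg", ".gif", ".bmp", ".png", ".txt", ".doc", ".htm", ".html"}
# Extensions that run code when double-clicked on Windows (assumed list).
EXEC_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".exe", ".com", ".bat", ".pif", ".scr"}

# Subjects quoted on the page for Fintas and FireBurn; the "From %UserName%" ones are prefixes.
KNOWN_SUBJECTS = {"microsoft shockwave flash movie", "hi, how are you?", "moin, alles klar?"}
KNOWN_SUBJECT_PREFIXES = ("coolgame from ", "funnyflashmovie from ")


def classify_attachment(filename):
    """Return a reason string if the attachment name is suspicious, else None."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return None
    last = "." + parts[-1]
    if last not in EXEC_EXTS:
        return None
    # "name.JPG.vbs": the extension the user sees is a decoy, the real one executes.
    if len(parts) >= 3 and "." + parts[-2] in DECOY_EXTS:
        return "double extension: looks like %s but runs as %s" % ("." + parts[-2], last)
    return "executable or script attachment (%s)" % last


def subject_matches(subject):
    """True if the subject is one of the worm subjects listed on the page."""
    low = str(subject or "").strip().lower()
    return low in KNOWN_SUBJECTS or low.startswith(KNOWN_SUBJECT_PREFIXES)


def screen_message(raw):
    """Parse a raw RFC 822 message and return a list of (kind, detail, reason) findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    subject = str(msg["Subject"] or "")
    if subject_matches(subject):
        findings.append(("subject", subject, "matches a known worm subject"))
    for part in msg.walk():
        name = part.get_filename()  # None for the multipart container and inline text
        if not name:
            continue
        reason = classify_attachment(name)
        if reason:
            findings.append(("attachment", name, reason))
    return findings


# Constructed message in the shape the FireBurn entry describes (non-German variant);
# the addresses are placeholders and the attachment bodies are dummy base64.
RAW_MESSAGE = """\
From: sender@example.invalid
To: recipient@example.invalid
Subject: Hi, how are you?
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b0undary"

--b0undary
Content-Type: text/plain

Hi, look at that nice Pic attached !
Watching it is a must ;)
cu laterall
--b0undary
Content-Type: application/octet-stream; name="cute__EmmaPeel!!!.JPG.vbs"
Content-Disposition: attachment; filename="cute__EmmaPeel!!!.JPG.vbs"
Content-Transfer-Encoding: base64

Tm90IGEgcmVhbCBzY3JpcHQ=
--b0undary
Content-Type: image/jpeg; name="holiday.jpg"
Content-Disposition: attachment; filename="holiday.jpg"
Content-Transfer-Encoding: base64

/9j/4AAQSkZJRg==
--b0undary--
"""

if __name__ == "__main__":
    for kind, detail, reason in screen_message(RAW_MESSAGE):
        print(kind, "|", detail, "|", reason)
```

Run as a script it prints one line for the matched subject and one for the .JPG.vbs attachment; the genuine holiday.jpg is not reported. The subject list is only useful against these specific worms, whereas the extension checks catch the general trick independent of the message text.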
IRC infection
To spread to IRC channels, the worm creates a SCRIPT.INI mIRC system file in the mIRC directory (if mIRC is installed). The worm looks for a C:\MIRC directory as well as for an MIRC directory in "Program Files". If mIRC is installed, the worm drops a new SCRIPT.INI file there. This file contains a set of instructions that sends the worm file to everybody who enters an infected channel.
The mIRC script also:
temporarily moves the worm's RUNDLL32.VBS file from Windows to the Windows system directory with one of the random names listed above (upon disconnecting from the IRC channel, it moves the VBS file back to the Windows directory with the same RUNDLL32.VBS name)
sends the message "Burn, Burn, Burn :)" to a "virus" conference;
hides virus-like messages in the current conference (ignores messages that contain any of the words: "script", "virus", "worm")
upon text "die lamer" in chat, the script quits the channel with the message "I'll commit suicide! R.I.P"
upon text "fire", displays the text "Burn Burn Burn :)"
Payload routine
The payload routine is activated on June 20th. It displays the following message:
FireburN
I'm proud to say that you are infected by FireburN !
and disables the keyboard and mouse by modifying the following two system-registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Shut_Up = "rundll32 mouse,disable"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Shut_Up2 = "rundll32 keyboard,disable"
Misc
The worm also changes the "Registered Owner" field in "My Computer/Properties"; the new value is "FireburN". This is done by modifying the following registry value:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
RegisteredOwner = FireburN
The worm code also contains the "copyright" text:
VBS.FIREBURN.A -- mIRC/Outlook worm coded by fireburn
Polymorphic: Changing the actual filename on each start...
greets: to all members of 'UnCreativeLabs'

    Copyright © 2005 Virus-Database.com