HLLP.Irok
Description HLLP.Irok
This is a very dangerous, non-memory-resident parasitic virus. The virus code itself is a DOS EXE program written in a high-level language, encrypted and compressed. The virus infects DOS COM and EXE files, as well as Windows EXE files (in the same way, see below), and can also spread copies of itself via IRC channels and as e-mail attachments.

When an infected file is run, the virus scans the directories listed in PATH, looks for COM and EXE files there, and infects them. While infecting a file, the virus moves the file header to the end of the file, encrypts it and overwrites the file header with virus code. To return control to an infected program, the virus temporarily disinfects it and spawns it. As a result of this infection method, the virus is able to infect EXE files of any type: DOS, Win16 and Win32.

To spread itself to mIRC channels, the virus creates a SCRIPT.INI file in the MIRC directory and writes a set of commands to it. These commands send an infected file to each user who joins the infected channel. The virus also checks messages in the channel, and if the word "irok" is found in a message, the virus sends the following text to the channel:

    My computer is 0wned by IRoK v1.1

To send infected messages, the virus creates the IROKRUN.VBS file in the Windows start-up directory and writes a VBS program to it. This program gains access to MS Outlook, opens the address book and sends up to 60 messages to addresses listed there. The infected message has the following Subject and message body:

    Subject: I thought you might like to see this.
    Body: I thought you might like this. I got it from paramount pictures website. It's a startrek screen saver.

The virus is attached as a DOS EXE file named IROK.EXE.

The virus deletes the following anti-virus data files: ANTI-VIR.DAT, CHKLIST.MS, CHKLIST.CPS, VS.VSN, IVB.NTZ.

Depending on some conditions, the virus corrupts disk files and displays the message:

    Some say the end is near.
    Some say we'll see Armageddon soon. I certainly hope we will. The only way to fix it is to flush it all away. Any fucking joint, any fuckin Day. Fuck all these gun toting hip gangster wannabes. Fuck your tattoes, fuck all you junkies and your short memory. I'm praying for rain, I'm prayin for tidal waves. I wanna see the ground give way. I wanna watch it all go down. Mah please flush it all away, I wanna see it go riding down. I wanna see it go riding. Watch you flush it all away. Where do bad folks go when they die? They don't goto heaven where the angels fly. They goto a lake of fire and fry. See em again till the 4th of July. People cry and people moan. look for a dry place to call their own, look for a dry place to rest there bones.
    Thanks for reading the text above, I've had enough time to remove the contents of your hard disk for you. :-)
    IRoK v1.1 - RaiD/SLAM[2000]

The virus also contains the text strings:

    IRoK v1.1 is initializingall Hey You! <----------- >>> Push enter stupid!
I-Worm.Aliz
Description I-Worm.Aliz
This is a virus-worm that spreads via the Internet, attached to infected e-mails. The worm itself is a Windows PE EXE file about 4Kb in length and written in Assembler. The main worm code is compressed by a built-in aPLib data compression algorithm, so the original worm code is about 6Kb.

The infected messages contain:

    Subject: different (see below)
    Body: empty HTML message
    Attach: whatever.exe
The Subject is randomly constructed from variants (str1 + str2 + all + str5):

    str1
    ----
    Fw:
    Fw: Re:

then:

    str2         str3      str4        str5
    ----         ----      ----        ----
    Cool         website   to check    !!
    Nice         site      for you     !
    Hot          pics      i found     :-)
    some         urls      to see      ?!
    Funny        pictures  here        hehe ;-)
    weird        stuff     - check it
    funky        mp3s
    great        shit
    Interesting  music
    many         info
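Added example (not part of the original description and not the worm's code): a mail-filter style check in Python that flags a message whose Subject is built from the str1..str5 fragments listed above and which carries an attachment named whatever.exe. The function names, the optional str1 prefix and whitespace-joined fragments are assumptions; the sample messages are constructed.

```python
import re
from email import message_from_string
from email.message import EmailMessage

# Subject fragments copied from the str1..str5 columns of the description.
STR1 = ["Fw:", "Fw: Re:"]
STR2 = ["Cool", "Nice", "Hot", "some", "Funny", "weird", "funky",
        "great", "Interesting", "many"]
STR3 = ["website", "site", "pics", "urls", "pictures", "stuff", "mp3s",
        "shit", "music", "info"]
STR4 = ["to check", "for you", "i found", "to see", "here", "- check it"]
STR5 = ["!!", "!", ":-)", "?!", "hehe ;-)"]

def _alt(words):
    # Longest alternative first, so "Fw: Re:" is tried before "Fw:".
    ordered = sorted(words, key=len, reverse=True)
    return "(?:" + "|".join(re.escape(w) for w in ordered) + ")"

# Assumption: str1 is optional and fragments are separated by whitespace.
SUBJECT_RE = re.compile(
    r"^\s*(?:%s\s+)?%s\s+%s\s+%s\s*%s\s*$"
    % tuple(_alt(col) for col in (STR1, STR2, STR3, STR4, STR5))
)

def check_message(raw):
    """Return which Aliz indicators from the description a raw message matches."""
    msg = message_from_string(raw)
    subject_hit = bool(SUBJECT_RE.match(msg.get("Subject", "")))
    names = [(part.get_filename() or "").lower() for part in msg.walk()]
    attach_hit = "whatever.exe" in names
    return {"subject": subject_hit, "attachment": attach_hit,
            "flag": subject_hit and attach_hit}

def make_sample(subject, filename):
    """Build a constructed test message: HTML body plus one attachment."""
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content("<html></html>", subtype="html")
    m.add_attachment(b"placeholder bytes", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()

if __name__ == "__main__":
    for subj, name in [("Fw: Re: Hot pics i found :-)", "whatever.exe"),
                       ("Quarterly report attached", "report.pdf")]:
        print(subj, "->", check_message(make_sample(subj, name)))
```

Requiring both the subject pattern and the attachment name keeps ordinary mail that merely uses one of the phrases from being flagged.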
To run from an infected message, the worm uses a security breach (IFRAME vulnerability, similar to the one used by the "Nimda" worm). So the worm may be activated from an infected e-mail simply upon reading or previewing the message.

When an infected file is run, the unpacking routine takes control, unpacks the main worm code into memory and jumps to it. The main code then sends infected messages to e-mail addresses found in the WAB (Windows Address Book). To send e-mails, the worm connects to the default SMTP server.

The worm does not install itself to the system and is not activated again (except when a user clicks on an attached e-mail again). The worm has no payload routine and does not manifest itself in any way.

The e-mail spreading routine contains mistakes, and it seems the worm is not able to spread under many e-mail client-server configurations.

The most interesting thing about the worm is the fact that the activating-and-spreading routine (this is the main routine) fits in just about 3K of executable code.

The worm contains the following text:

    :::iworm.alizee.by.mar00n!ikx2oo1::: while typing this text i realize this text got added on many av description sites, because this silly worm could be easily a hype. i wonder which av claims '[companyname] stopped high risk worm before it could escape!' or shit like that. heh, or they boycot my virus because of this text. well, it is easy enough for the poor av's to add this worm; since it was only released as source in coderz#2... btw, loveletter*2 power in pure win32asm and only a 4k exe file. heh, vbs kiddies, phear win32asm. :) thx to: bumblebee!29a, asmodeus!ikx. greets to: starzer0!ikx, t-2000!ir, ultras!mtx & sweet gigabyte...btw,burgemeester van sneek: ik zoek nog een baantje...(alignmentfillingtext)
I-Worm.Amus.a
Description I-Worm.Amus.a
Amus is an Internet worm that spreads in email attachments. It is a Windows PE exe file, written in Visual Basic and packed by Yoda. The compressed file size is about 50 KB. Amus is activated only if users double click on the attachment.

Installation

After being launched, Amus:

    Creates a unique identifier named 'Masum'
    Attempts to activate ISpeechVoice.Speak and play the following soundtrack:

        How are you. I am back. My name is mister hamsi. I am seeing you. Haaaaaaaa. You must come to turkiye. I am cleaning your computer. 5. 4. 3. 2. 1. 0. Gule. Gule.

Amus then copies itself into the root directory of the C drive under the name masum.exe and into the Windows folder under the following names:

    Adapazari.exe
    Ankara.exe
    Anti_Virus.exe
    Cekirge.exe
    KdzEregli.exe
    Messenger.exe
    Meydanbasi.exe
    My_Pictures.exe
    Pide.exe
    Pire.exe

The worm registers the file KdzEregli.exe in the following Windows auto run system registry key:

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    "Microzoft_Ofiz"="%WINDIR%\KdzEregli.exe"

Moreover, Amus creates the following system registry key:

    [HKCU\SOFTWARE\Microsoft\Masum\Who]
    "Who"="OnEmLi_DeGiL"

Propagation by email

Amus uses MS Outlook to send copies of itself to all recipients listed in the address book.

Infected emails

    Subject: Listen and Smile
    Attachment name: Masum.exe
    Body text: Hey. I beg your pardon. You must listen.

Amus does not spoof sender addresses and uses the real address of the infected machine.

Other

Amus is programmed to replace the home page URL in Internet Explorer on the 1st, 6th, 20th and 25th of each month with the following text:

    Konneting du pepil and dizkoneting you. Anlami: Baglansan ne olacak, baglanmasan ne olacak. Zaten hatlar burada rezalet.

On the 2nd, 15th and 17th of each month Amus will attempt to delete all .ini files in the Windows folder, while on the 10th and 23rd of each month the worm will attempt to delete all .dll files in the Windows folder.