Virus Database

HooDoo.2614

Description HooDoo.2614

It is a dangerous nonmemory resident encrypted parasitic virus. It searches for EXE files, then writes itself to the end of the file. The virus does not infect some programs (anti-viruses?), searches for some files and corrupts them. If AVPTSR is installed, or under TurboDebugger, or on 21st of any month the virus displays the message and halts the computer:
HOODOO V1.0 (c)1995 by Infiltrator. Please register.

The virus also contains the text strings:
Antiviral
.. *.exe *.*

Check other viruses! Be aware! Use Antiviral Software

IRC-Worm.Adrenaline

Description IRC-Worm.Adrenaline

This is a virus-worm that infects Windows systems and spreads via IRC channels. The worm itself is a Windows executable file, written in MS Visual C++ and compressed by PECompact (compressed size is about 35K, uncompressed size is about 65K).
When an infected file is run, it looks for EXE files in the Windows directory and infects them. While infecting, the virus moves the file body down by 35K, and then writes itself to the top of the file. To release control to host file, the virus "disinfects" the host file to HOSTFILE.EXE, spawns it and then deletes it. The virus pays attention to the file names and does not infect a file if its name begins with 'E', 'P', 'R', 'T', 'W', or 3rd letter is 'D', or 5th letter is 'R'.
The virus also infects EXE files in the C:MIRCDOWNLOAD directory, without paying attention to file names.
To spread via IRC channels, the virus drops its "pure" image to the Windows system directory with the BUGFIX.EXE name, and overwrites the SCRIPT.INI file in the mIRC client directory. The infected SCRIPT.INI file contains just one instruction that sends the BUGFIX.EXE file to everybody joining the infected IRC channel.
The virus looks for the mIRC client in directories MIRC and PROGRA~1MIRC on all drives from C: to F:.
The virus then runs another routine that sends messages by using MS Outlook. The virus does not spread itself in infected messages, but just spams the address "Rhape79@ultimatechaos.demon.co.uk" with messages that have a randomly generated Subject and Body. Upon each run, the virus sends 15 messages to that address.

IRC-Worm.Anumps

Description IRC-Worm.Anumps

This worm spreads via IRC channels and infects MS Word documents. The virus itself is a Word document containing a macro named Mumps.
Installation
When opened, the file will:
attempt to disable the Security menu in the Macro menu
disable the ban on activating macros in the Windows system registry
create a file named Mumps.drv in C:Windows directory and writes the code of the macro to this file. This file is then used to infect all open Word documents
save the active document to the hard drive under the following names:
C:WindowsFAQ.doc
C:Program FilesMicrosoft OfficeOfficeSTARTUPMumps.dot
commences propagation via IRC.
Propagation via IRC
The worm modifies a file named script.ini file. This means the file C:WindowsFAQ.doc will automatically be sent to all users of the channel used by the infected computer.
Signs of infection
When the user tries to open the HelpAbout menu, the worm changes the background colour of the document to dark blue. Letters will appear in white. It also open notepad.exe displaying the following text:
"Windows has low memory resources. Please restart your Windowsall.."
If the user tries to print the current document and the system clock is showing 59 seconds, a Message Box with the following text will be displayed:
"Your printer driver is not compatible with Windows. Please install another printer drivers."
If the user tries to view the code of the Macros or open the ToolsMacro menu, a Message Box with the following text will be displayed:
"There is something a trouble with this function..."
Other
The worm attempts to register C:WindowsFAQ.doc in the system registry as the default signature for Microsoft Outlook 5.0. The file will then automatically be added to all outgoing mail.

Home