I-Worm.Amus.a
Description I-Worm.Amus.a
Amus is an Internet worm that spreads in email attachments. It is a Windows PE EXE file, written in Visual Basic and packed by Yoda. The compressed file size is about 50 KB. Amus is activated only if users double-click the attachment.

Installation

After being launched, Amus:

Creates a unique identifier named 'Masum'
Attempts to activate ISpeechVoice.Speak and play the following soundtrack:

    How are you. I am back. My name is mister hamsi. I am seeing you. Haaaaaaaa. You must come to turkiye. I am cleaning your computer. 5. 4. 3. 2. 1. 0. Gule. Gule.

Amus then copies itself into the root directory of the C drive under the name masum.exe and into the Windows folder under the following names:

    Adapazari.exe
    Ankara.exe
    Anti_Virus.exe
    Cekirge.exe
    KdzEregli.exe
    Messenger.exe
    Meydanbasi.exe
    My_Pictures.exe
    Pide.exe
    Pire.exe

The worm registers the file KdzEregli.exe in the following Windows auto run system registry key:

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    "Microzoft_Ofiz"="%WINDIR%\KdzEregli.exe"

Moreover, Amus creates the following system registry key:

    [HKCU\SOFTWARE\Microsoft\Masum\Who]
    "Who"="OnEmLi_DeGiL"

Propagation by email

Amus uses MS Outlook to send copies of itself to all recipients listed in the address book.

Infected emails

Subject: Listen and Smile
Attachment name: Masum.exe
Body text: Hey. I beg your pardon. You must listen.

Amus does not spoof sender addresses and uses the real address of the infected machine.

Other

Amus is programmed to replace the home page URL in Internet Explorer on the 1st, 6th, 20th and 25th of each month with the following text:

    Konneting du pepil and dizkoneting you. Anlami: Baglansan ne olacak, baglanmasan ne olacak. Zaten hatlar burada rezalet.

On the 2nd, 15th and 17th of each month, Amus will attempt to delete all .ini files in the Windows folder. On the 10th and 23rd of each month, the worm will attempt to delete all .dll files in the Windows folder.
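The following is an added example, not part of the original description: a Python triage check that looks for the Amus indicators listed above in a regedit export and a file listing. The function names, the sample export and the sample paths are constructed for illustration, and the registry paths assume backslash separators.

```python
import re

# Indicators from the Amus description; registry paths assume backslash
# separators. The marker is matched by prefix under HKCU\SOFTWARE\Microsoft.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
RUN_VALUE = "microzoft_ofiz"
MARKER_PREFIX = r"hkey_current_user\software\microsoft\masum"
WINDIR_NAMES = {"adapazari.exe", "ankara.exe", "anti_virus.exe", "cekirge.exe",
                "kdzeregli.exe", "messenger.exe", "meydanbasi.exe",
                "my_pictures.exe", "pide.exe", "pire.exe"}
VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg(text):
    """Parse regedit export text into {key_lower: {value_name_lower: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            # Undo regedit escaping (\\ -> \, \" -> ") in name and data.
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            current[name.lower()] = data
    return keys

def scan(reg_text, paths, windir=r"C:\Windows"):
    """Return (indicator, detail) findings; windir is the assumed %WINDIR%."""
    keys, findings = parse_reg(reg_text), []
    data = keys.get(RUN_KEY, {}).get(RUN_VALUE)
    if data is not None:
        findings.append(("run-value", data))
    findings += [("marker-key", k) for k in keys if k.startswith(MARKER_PREFIX)]
    for p in paths:
        folder, _, name = p.lower().rpartition("\\")
        in_root = folder == "c:" and name == "masum.exe"
        if in_root or (folder == windir.lower() and name in WINDIR_NAMES):
            findings.append(("dropped-file", p))
    return findings

# Constructed sample data (not taken from a real host).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleApp"="C:\\Program Files\\Example\\app.exe"
"Microzoft_Ofiz"="C:\\WINDOWS\\KdzEregli.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Masum\Who]
"Who"="OnEmLi_DeGiL"
'''
SAMPLE_PATHS = [r"C:\masum.exe", r"C:\WINDOWS\Pide.exe",
                r"C:\WINDOWS\notepad.exe", r"C:\Users\a\Messenger.exe"]
```

Calling scan(SAMPLE_REG, SAMPLE_PATHS) returns the Run value, the marker key and the two dropped files; file names such as Messenger.exe are only flagged when they sit directly in the Windows folder, since the same names can be legitimate elsewhere.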
Snow.a
Description Snow.a
This is a non-dangerous memory-resident stealth boot virus. It hooks INT 10h, 1Ch and 13h, and writes itself into the MBR of the hard drive and the boot sectors of floppy disks. It encrypts the original boot and MBR sectors on infection. Sometimes it calls a video trigger routine that simulates falling snow. It contains the encrypted internal string: Snow
Sobakin.9592
Description Sobakin.9592
This is a dangerous memory resident {polymorphic:Poly}, {stealth:Stealth} parasitic virus. It hooks INT 21h, and writes itself to the end of COM and EXE files that are accessed. The virus doesn't infect files with names beginning with the following letters: DR, AV, TB, WE, F- The virus also restores the original INT 21h address. After infecting 255 files, the virus displays messages in Russian and waits until a key is pressed. After infecting 65,535 files, the virus erases CMOS memory, and erases hard-drive sectors and displays the following message: Triple L - long live lamer,LMD - lamer must die, R U ready 4 Hell? No,than say thanx 2: H(Cr)acker Shtirliz & Cyberpunk Dead One è â êîíöå ÿ õîòåë áû ñêàçàòü,÷òî êàæäûé íîâûé âèðü õîðîíèò ñ òàðóøêó DOS,è ýòî ãðóñòíîall. Is that illusion or reality? Cyber Culture 1998 The virus also contains the text strings: ã------------------------¬ ¦ Pirates Shadow Service ¦ L------------------------- ViRUS [Feudal] v1.oî AUTHORS Dead One & Shtirliz Feudal ][ coming soon... Keep CyberSpace Free ! Runtime error 204 at 0000: