I-Worm.Atirus
Description I-Worm.Atirus
This is a Win32 worm that spreads by sending itself via e-mail to the recipients in a victim's Outlook Address book. When launched on a 'clean' PC, the worm copies itself to %SYSTEM%\Setup30.exe. The worm also writes an auto-start key, so it will launch each time Windows starts:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Kernel Setup=%SYSTEM%\Setup30.exe
The worm then sleeps for 5 minutes and launches one of its payloads, depending on the system time:

Monday: finds and removes I-Worm.Badtrans

Tuesday: restores default values in Win.ini:
[windows]
Run=
Load=
and sets the following registry key value:
HKCR\exefile\shell\open\command
Default value="%1" %*

Wednesday: finds and removes I-Worm.PrettyPark

Thursday: deletes the following files if they exist:
c:\mirc\mirc.ini
c:\mirc\script.ini
c:\mirc32\mirc.ini
c:\mirc32\script.ini
c:\irc\mirc.ini
c:\irc\script.ini
c:\chat\mirc.ini
c:\chat\script.ini
c:\progra~1\mirc\mirc.ini
c:\progra~1\mirc\script.ini
c:\progra~1\mirc32\mirc.ini
c:\progra~1\mirc32\script.ini
c:\progra~1\irc\mirc.ini
c:\progra~1\irc\script.ini

Friday: finds and removes I-Worm.Sircam.c

Saturday: restores default values in System.ini:
[boot]
Shell=explorer.exe

Sunday: finds and deletes all files with a ".vbs" extension in the %WINDOWS% and %SYSTEM% folders.

On September 16, the worm displays the following message:
Antivirus
System protected by I-Worm.Antivirus Copyright (c) 2001 by aLL3gRo
After executing the payload, the worm checks whether the following registry value is present:

HKLM\Software\Microsoft\Windows\CurrentVersion
Install=1

If the value doesn't exist, the worm tries to send itself to the senders of messages found in the folders of the default MAPI client. The subject of the message is "New antivirus tool", the attachment "Antivirus.exe" is the worm itself, and the body contains:
Hey, checkout this new antivirus tool which checks your system for viruses
Check other viruses! Be aware! Use Antiviral Software
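The registry traces described above can be checked offline against an exported hive. The following is an added example, not part of the original description: it parses `reg export` text and reports the "Kernel Setup" auto-start value and the Install=1 value. The function names, the finding labels and the sample export are constructed for illustration, and the data type of Install is an assumption.

```python
import re

# Indicators from the description above. Input is decoded `reg export` text.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
FLAG_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion"
DROPPED_FILE = "setup30.exe"

def _unescape(s):
    # .reg string data escapes backslash and quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg_export(text):
    # Returns {key (lowercase): {value name (lowercase): data}}.
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if current is None or not m:
            continue  # file header, blank line or hex continuation line
        name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        data = m.group(2)
        if len(data) >= 2 and data[0] == data[-1] == '"':
            data = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            data = int(data[6:], 16)
        current[name.lower()] = data
    return keys

def find_atirus_traces(text):
    keys, findings = parse_reg_export(text), []
    cmd = keys.get(RUN_KEY, {}).get("kernel setup")
    if isinstance(cmd, str):
        kind = "autostart" if DROPPED_FILE in cmd.lower() else "autostart-name-only"
        findings.append((kind, cmd))
    # Assumption: Install may be stored as a string or a DWORD; accept both.
    flag = keys.get(FLAG_KEY, {}).get("install")
    if flag in (1, "1"):
        findings.append(("mailing-flag", flag))
    return findings

# Constructed sample export, not taken from a real system.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]
"Install"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kernel Setup"="C:\\WINDOWS\\SYSTEM\\Setup30.exe"
'''
```

The Install value on its own is only supporting evidence, since the description says the worm checks it but not what else may write it.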
Macro.Word.Hassle
Description Macro.Word.Hassle
This is an encrypted virus containing 7 macros:

NORMAL.DOT     Infected files
AutoExec       AutoClose
FileSaveAs     ToolsMacro
ToolsMacro     Microsoft01
Microsoft05    Microsoft02
Microsoft04    Microsoft03
Microsoft02    Microsoft04
Microsoft01    Microsoft05
It seems that the virus author took the Microsoft ScanProt anti-virus macro scanner as the original code and converted that utility into the "Hassle" virus. It was named after its internal variable Hassle. This virus disables the Tools/Macro menu: on accessing items of that menu, the virus displays the message box:
Windows Application Error Out of Memory or System Resources
While infecting a system (on AutoClose), the virus displays the following with a probability of 1/20:
Are you sure you wish to Quit
Macro.Word.Header
Description Macro.Word.Header
This virus contains 3 macros:

Documents    NORMAL.DOT
AutoOpen     ao
fs           FileSave
fsa          FileSaveAs
The virus infects the system area when an infected document is opened (AutoOpen). It infects documents that are saved (FileSave) or saved under a new name (FileSaveAs). The virus checks for its presence by using the document's header, in which it writes the text:
Your document was infected by a very dangerous virus!