I-Worm.Calposa
Description

Calposa is a worm that spreads via the Internet as an attachment to infected emails and through the Kazaa file-sharing network. The worm itself is a Windows PE EXE file about 57KB in length, written in Visual Basic.

The infected email messages have the following attributes:

Subject: Anti-Virus Programs are corrupting your Software!
Body: Want to know why you get junk mail? Well Here is proof that AV's are corrupting your programs and Sell your Private information to Web Company's! Why do you think there are so much virus's out there? well its these Company's that spread them and then sell you there product to delete them! check it out nowall (p.s. its attatched)

Attach: ActiveX.exe, or Telnet.exe, or MSWord.exe

The worm activates from an infected email only when a user clicks on the attached file. The worm then installs itself to the system and runs its spreading routine and payload.

Installing

While installing, the worm copies itself to the system under the following names:

  C:\Windows\ActiveX.exe
  C:\Windows\SCR.exe
  C:\Windows\Explorer.exe
  C:\Windows\Telnet.exe
  C:\Windows\MSWord.exe
  C:\Windows\FUCK_AVs.exe
  C:\Windows\regedit.exe
  C:\Windows\Mixer.exe
  C:\WINDOWS\System\Explorer.exe
The worm does not register any of these files in the system registry auto-run key, nor in any other "auto-run" key or command.

Spreading: Email

To send infected messages, the worm uses MS Outlook and sends messages to all addresses found in the Outlook address book.

Spreading: Kazaa

The worm copies itself to the "C:\Program Files\KaZaa\My Shared Folder" directory under the following names:

  norton_crack.exe
  UT3_full_crack.exe
  Windows_Hack.exe
  Sims_Patch.exe
If this directory is a Kazaa file-sharing directory, the worm will spread over the Kazaa network.

Payload

The worm displays the message:

  UH OH WORM! ... Calposa by Industry @ ANVXgroup ...
The worm writes the following data to the "c:\Windows\System.ini" file:

  [About]
  Author = Industry
  VXgroup = ANVXgroup (Auxnet)
  Virus = ANVX (WIN32.calposa@mm)
  Shouts to = Indovirus, mANiAC89, Retro, Iwing, and every one else.
  Fuck = Fuck all AV's, we keep you in a job so give us a bit of slack!
  To the rest = ANVX the one and only!
On April 1st the worm deletes all files in the following directories:

  C:\Windows
  C:\Windows\System32
  C:\Windows\System
  C:\Windows\inf
  C:\Program Files\Kazaa

then it deletes the file:

  C:\AutoExec.bat
and displays the message:

  Industry ...ping? pong!...

On February 16th the worm displays a red colored picture with the text "ANVX by industry" on it.

On April 2nd the worm displays the message:

  UH OH WORM! ... Second Release From Industry ...
Macro.Word.NPad
Description

It is an encrypted virus. It contains only one macro, AutoOpen, and infects the global area and documents when an infected file or document is opened. The virus creates a profile section in the WIN.INI file:

  [NPad328]
  Compatibility=
and saves its counter there. On each infection the virus increments that counter. When the counter reaches 23, the virus moves the following string across the status bar line:

  D0EUNPAD94, v.2.21, (c) Maret 1996, Bandung, Indonesia
The virus also contains the commented strings:

  D0EUNPAD94, v.2.21, (c) Maret 1996, Bandung, Indonesia
  Macro MsWord virus, multiplatform, multi versi
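
An added example (not part of the original descriptions): a small checker for the two INI markers described above, the [About] block Calposa writes to System.ini and the [NPad328] section NPad creates in WIN.INI. The function names and sample file contents are constructed for illustration, and the code assumes the NPad counter is stored as a decimal number in the Compatibility value, which the description does not state.

```python
import re

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")

def parse_ini(text):
    """Minimal Windows-INI parser: {section_lower: {key_lower: value}}.
    Tolerates duplicate keys and keys with spaces (e.g. 'Shouts to')."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group(1).strip().lower(), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
    return sections

def check_calposa(system_ini_text):
    """True if System.ini carries the worm's [About] block (author and group)."""
    about = parse_ini(system_ini_text).get("about", {})
    return (about.get("author", "").lower() == "industry"
            and about.get("vxgroup", "").lower().startswith("anvxgroup"))

def check_npad(win_ini_text):
    """Return (found, counter); counter is None when the value is not numeric.
    Assumption: the infection counter is a decimal integer in Compatibility=."""
    section = parse_ini(win_ini_text).get("npad328")
    if section is None:
        return (False, None)
    value = section.get("compatibility", "")
    return (True, int(value) if value.isdigit() else None)

# Constructed sample inputs (not taken from a real infected system).
SAMPLE_SYSTEM_INI = ("[boot]\nshell=Explorer.exe\n\n[About]\nAuthor = Industry\n"
                     "VXgroup = ANVXgroup (Auxnet)\nVirus = ANVX (WIN32.calposa@mm)\n")
SAMPLE_WIN_INI = "[windows]\nload=\n\n[NPad328]\nCompatibility=17\n"
CLEAN_INI = "[boot]\nshell=Explorer.exe\n\n[About]\nAuthor = Someone\n"

if __name__ == "__main__":
    print("Calposa marker:", check_calposa(SAMPLE_SYSTEM_INI))
    print("NPad marker:", check_npad(SAMPLE_WIN_INI))
    print("Clean file:", check_calposa(CLEAN_INI), check_npad(CLEAN_INI))
```
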
Macro.Word.Nuclear.a
Description

It is an encrypted virus that contains the following macros: AutoExec, AutoOpen, FileSaveAs, FilePrint, FilePrintDefault, InsertPayload, Payload, DropSuriv, FileExit
During installation these macros are copied into the global macros area, overwriting any macros of the same name already present there. The virus then infects documents through the FileSaveAs macro.

The virus manifests itself in three ways: 1) it runs a COM/EXE/NewEXE virus, 2) it appends text strings while printing documents, 3) it corrupts system files. Note: the virus has a lot of bugs, and I am not sure that the virus is able to run 1) and 3) under a standard environment.

1) The AutoExec macro calls the DropSuriv macro, which checks the system time and drops the COM/EXE/NewEXE virus ("Ph33r") if the time is between 17:00 and 18:00. To drop the virus it uses the DEBUG utility. First, the virus checks for C:\DOS\DEBUG.EXE. If this file is found, the virus creates the temporary file PH33R.SCR in the C:\DOS directory and writes a hex dump of the COM/EXE/NewEXE virus and DEBUG commands into it. Then the virus creates the temporary file EXEC_PH.BAT containing the strings:

  @echo off
  debug < ph33r.scr > nul
and executes it. As a result, the DEBUG utility creates a copy of the COM/EXE/NewEXE virus (in memory) and executes it. That virus hooks INT 21h and writes itself to the end of COM/EXE/NewEXE files when they are opened, executed, renamed, or have their attributes changed. The BAT file is executed in the background, so the user does not know that there are two(!) viruses on his PC. The virus then deletes the temporary PH33R.SCR and EXEC_PH.BAT files. Fortunately, this virus has a bug and fails to drop the COM/EXE/NewEXE virus, but it is quite easy to fix that bug in the next virus version.

2) While printing documents, the virus appends the following text to approximately every 12th file (if the seconds are 55 or more):

  And finally I would like to say:
  STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC!
These strings are appended to the document immediately before printing, so the user does not see them (documents often occupy more than one screen). This is a very curious effect, especially when sending documents via fax.

3) On the 5th of April the virus erases the IO.SYS and COMMAND.COM files.

Macro.Word.Nuclear.b

It is a variant of the previous one. It does not contain the COM/EXE/NewEXE virus or the macros DropSuriv and FileExit. There is a bug in the code that appends the text to the end of the document while printing. As a result the virus appends a blank page, and Word displays a message about a WordBasic error.

Macro.Word.Nuclear.c

Another variant of "Nuclear". It contains five macros: Payload, AutoExec, AutoOpen, FileSaveAs, InsertPayload. The Payload macro contains commented-out instructions that erase all files on the C: drive. It seems that the virus author left them commented out because he was afraid of this damage on his own computer, since this macro takes control as soon as Word starts (through the AutoExec macro).