Virus Database

I-Worm.Cervivec

Description I-Worm.Cervivec

Cervivec is an Internet worm virus spreading via the Internet as an email attachment.
The worm itself is a Windows PE EXE file about 230Kb in size, written in Delphi. It is compressed by UPX - the decompressed size is about 670Kb.
The infected messages have Subject/Body content randomly selected from different variants in different languages:
Vtip
Cau posilam ti cerviky tak se na to podivej (virus to neni)
Vtip
Cau posielam ti cerviky tak sa na to pozri (virus to neni)
Witz
Hallo, Ich habe ein guter Witz-Wurm so sieh! (kein virus)
blague
J'ai une bonne blague ca s'appelle verre de terre alors jette un coup d'oeil (il n'y a pas de virus)
ÉÇ×?
?Á³??×, ' ?-Ð ?Â×Í ?Á³?R'Í- Ð É×ÇÚ? ?ÁR?? Ú?Á?Ð? (Î×R -? ?³ÁÇÂ)
Joke
Hi, I have some cool joke - worms so have a look at it (no virus)
Zart
Czesc, mam swietnz dowcip - robaka. Obejrzyj go sobie (to nie jest wirus)
Chiste
Hola te mando los gusanilloes. Pues mirarlos (no es un virus)
The worm activates from infected email only if a user clicks on the attached file. The worm then installs itself into the system, runs its spreading and 'effect' routines (colored "worms" eating the desktop).

While installing itself the worm copies itself to the Windows directory and to the SYSTEM32 subdirectory with the name "ntkrnl.exe". It then registers that file in the system registry auto-run key:
HKLMSoftwareMicrosoftWindowsCurrentVersionRun
Kernel Loader = %WindowsDir%system32 tkrnl.exe -LOADDRIVERS=TRUE

Check other viruses! Be aware! Use Antiviral Software

Macro.Word97.Reformasi

Description Macro.Word97.Reformasi

This is a stelth macro-virus. It infects the global macros area (NORMAL.DOT template) on infected document opening. Other documents get infected on their opening, closing and saving. While infecting a document, the virus adds the AutoCorrect entry to the document that replaces the text "yond" with a space character.
Before saving victim documents, the virus sets up hidden property for a whole text in a document and clears this property on document opening. As a result, in desinfected documents, the whole text will be invisible. One way to solve this problem is to check "View/Formatting marks/Hidden text [v]" checkbox in "Tools/Options" dialog box. Another way to make the text visible is do a commands click menu "Edit/Select All", then in "Format/Fontall" dialog box uncheck "Effects/Hidden [ ]" checkbox.
To hide itself, the virus disables the keys Alt+F11 and Alt+F8, blocks opening Visual Basic Editor, and ToolsMacro and Organaizer dialogue boxes.
The virus displays a non-standard dialogue on click "Help/About Microsoft Word"
Other two dialogs virus displays on choosing "File/Exit" menu if the day of the week is Friday.

Macro.Word97.Remplace

Description Macro.Word97.Remplace

This macro virus contains seventeen macros in one module "Akrnl": Akrnl, AutoExec, AutoNew, AutoPrint, FileNew, FileClose, FileExit, autoOpen, AutoExit, AutoClose, ToolsMacro, FileTemplates, ViewVBCode, RandomRemplace, Remplace, Sauve, DelVir.
It infects the global macros area on opening an infected document (AutoOpen) and infects other documents on opening, closing, printing or creating (FileOpen, AutoPrint, FileClose, FileNew). Before infecting the virus removes all modules from infecting document and global macros area.
The virus turns off the Word virus protection (the VirusProtection option).
On opening infected document if day of month is above 22, the virus with probability about 27% replaces text "donc," with one of following strings:
ainsi, si j'en crois ce que mon incompŠtant de professeur me dit,
ainsi, mon chat a perdu ses dents. De plus,
ainsi, selon ma grand-m¨re,
ainsi, la mati¨re du cours est plate. De plus,

Home