Virus Database


I-Worm.Challenge

Description I-Worm.Challenge

This worm spreads using MS Outlook Express 5. It appends itself to every message sent from an infected computer. The worm does not attach itself to messages as regular worms do, but instead embeds its body into a message as a script program in Visual Basic Script language. When an infected message is opened on a victim's computer, this program doesn't appear on the screen, but instead gains control and infects the system.
To break through MS Outlook Express security, the worm takes advantage of a security vulnerability that allows script code in an HTML-based e-mail message to access ActiveX controls that should not be available in this context. Microsoft has released a patch that eliminates this security vulnerability. See http://www.microsoft.com/technet/security/bulletin/MS00-075.asp for more information. We strongly recommend that users install the patch available there, which protects against many script worms that use this vulnerability.
The worm infects a computer in two steps:
The first step takes place when an infected message is displayed and the embedded script program gets control. The script creates a TEMP.HTA file containing a copy of the worm in the Windows startup folder. (This worm is more accurate in finding the Windows startup folder: its method works in all Windows versions, unlike that of I-Worm.KakWorm.)
The second step follows from TEMP.HTA being placed in the Windows startup folder: Windows runs it upon startup. The script in this file creates the file FOLDER.HTML in the Windows system folder, containing the same script as was in the infected message, and then registers this file as the default signature file for MS Outlook Express 5. From this moment, all messages sent from the computer contain a signature with the worm's body, i.e., they are infected.
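
A defensive check for the delivery technique described above, as an added example that is not part of the original description: it walks the MIME parts of a message and reports any HTML body carrying script content, which is where this worm travels instead of in an attachment. The sample message, the class and function names, and the list of flagged tags are assumptions made for illustration.

```python
from email import message_from_string
from html.parser import HTMLParser

# Constructed sample: HTML mail with a script block where a signature would be.
# The script body is a harmless placeholder, not worm code.
SAMPLE_SCRIPTED = (
    "From: alice@example.com\nTo: bob@example.com\nSubject: hello\n"
    "MIME-Version: 1.0\nContent-Type: text/html; charset=us-ascii\n\n"
    "<html><body>See you tomorrow.\n"
    "<script language=\"VBScript\">' placeholder</script>\n"
    "</body></html>\n"
)
SAMPLE_CLEAN = SAMPLE_SCRIPTED.replace(
    "<script language=\"VBScript\">' placeholder</script>", "<i>Alice</i>")


class ActiveContentFinder(HTMLParser):
    """Collects tags and attributes that make an HTML mail body executable."""
    ACTIVE_TAGS = {"script", "object", "applet", "embed"}

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in self.ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):  # inline event handler, e.g. onload
                self.findings.append(f"{name} handler on <{tag}>")
            elif (value or "").strip().lower().startswith(("vbscript:", "javascript:")):
                self.findings.append(f"script URL in {name} on <{tag}>")


def active_content_in_mail(raw_message):
    """Return findings for every text/html part, after transfer decoding."""
    findings = []
    for part in message_from_string(raw_message).walk():
        if part.get_content_type() != "text/html":
            continue
        body = part.get_payload(decode=True) or b""  # undoes base64 / quoted-printable
        charset = part.get_content_charset() or "utf-8"
        parser = ActiveContentFinder()
        parser.feed(body.decode(charset, errors="replace"))
        parser.close()
        findings.extend(parser.findings)
    return findings
```

Calling `active_content_in_mail(SAMPLE_SCRIPTED)` returns one finding for the script element, while `SAMPLE_CLEAN` returns an empty list; because parts are transfer-decoded first, a base64-encoded HTML body is inspected the same way.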


Macro.Word.Candyman.a

Description Macro.Word.Candyman.a

The macro viruses of this family contain three macros:
"Candyman.a": Autoopen, Candyman, AutoClose
"Candyman.b": Autoopen, Dyatrima, AutoClose

They infect the global macros area when an infected document is opened (AutoOpen), and infect other documents when they are closed (AutoClose).
On the 25th of any month the "Candyman.a" virus deletes all files in the folders C:\WINDOWS and C:\DOS. Then it displays the message:
No se olviden de CABEZAS -Pierri y Duahlde
PUTOS-Cabezas Virus by CANDYMAN Bs. As. Argentina

The "Candyman.b" virus drops and executes the DYA.COM file infected by the DOS overwriting virus "HLLO.Candym".

Macro.Word.Cap

Description Macro.Word.Cap

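CAP - infection routine
AutoExec - calls the infection routine
AutoOpen - calls the infection routine
FileOpen - calls the infection routine
FileSave - calls the infection routine
AutoClose - calls the infection routine
FileClose - calls the infection routine
FileSaveAs - calls the infection routine
ToolsMacro - hides all macros ("stealth" routine)
FileTemplates - hides all macros ("stealth" routine)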

The virus not only disables the ToolsMacro and FileTemplates menus, but also deletes the references to them in the File and Tools main menus. The virus also disables auto-macros. As a result, it is not possible to disinfect this virus by using Word functions: macro viruses cannot be deleted by creating new virus-removing macros or by running existing ones.
The virus emulates "FileSaveAs" while saving infected documents, and writes an empty document to disk.
The virus contains the following strings (comments):
C.A.P: Un virus social.. y ahora digital..
"j4cKy Qw3rTy" (jqw3rty@hotmail.com).
Venezuela, Maracay, Dic 1996.
P.D. Que haces gochito ? Nunca seras Simon Bolivar.. Bolsa !

    Copyright © 2005 Virus-Database.com