Virus Database


I-Worm.Chet.a

Description I-Worm.Chet.a

This is a worm that spreads via the Internet as an attachment to infected emails. The worm itself is a Windows PE EXE file about 27Kb in length, written in Microsoft Visual C++.
The infected messages have the following fields:
From: main@world.com
To: You
Subject: All people!!
Attach: 11september.exe
Body:

The worm activates from an infected email only if the user clicks on the attached file. The worm then installs itself to the system and runs its spreading routine.
Installing
While installing, the worm copies itself to the Windows system directory under the name "synchost1.exe" and registers that file in the system registry auto-run key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run ICQ1 = %SystemDir%\synchost1.exe
The original file is then deleted.
Spreading
To get victim email addresses, the worm connects to MS Outlook and sends messages to all addresses found in the Outlook address book. It also opens WAB file(s) and reads victim addresses from there.
To send infected messages, the worm uses a direct connection to the SMTP server "mail.ru".
Other
The worm also sends two notification messages to its "master". One notification is sent before spreading (see above), and the second is sent just after the spreading routine. Both messages are sent to three addresses:
connectionICQ@mail.ru
Icq_Premium@mail.ru
PremiumServ@mail.ru
They have the following subjects:
message1: Otchet from user
message2: Otchet2 from user
The message body contains the list of victim email addresses and the full name of the worm's EXE file.
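
The indicators listed in this description, turned into two checks: one over a raw mail message and one over `reg query` output. This is an added example, not part of the original entry; the sample message, the sample registry text and the `C:\WINDOWS\system32` path in it are constructed for illustration.

```python
import email
import ntpath
import re

# Indicators exactly as listed in the description above.
SENDER, SUBJECT, ATTACHMENT = "main@world.com", "All people!!", "11september.exe"
RUN_VALUE, DROPPED_FILE = "ICQ1", "synchost1.exe"
MASTER_RCPTS = ("connectionicq@mail.ru", "icq_premium@mail.ru", "premiumserv@mail.ru")
NOTIFY_SUBJECT = re.compile(r"Otchet2? from user", re.I)
REG_LINE = re.compile(r"^\s+(\S.*?)\s{2,}(REG_\w+)\s{2,}(.+)$")

def message_hits(raw: bytes) -> list[str]:
    """Name the Chet.a indicators present in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw)
    subject = (msg.get("Subject") or "").strip()
    rcpts = (msg.get("To") or "").lower()
    names = {(p.get_filename() or "").lower() for p in msg.walk()}
    # A report mailed to the "master" addresses means the sending host is infected.
    notify = bool(NOTIFY_SUBJECT.fullmatch(subject)) and any(a in rcpts for a in MASTER_RCPTS)
    checks = {
        "sender": SENDER in (msg.get("From") or "").lower(),
        "subject": subject == SUBJECT,
        "attachment": ATTACHMENT in names,
        "notification": notify,
    }
    return [name for name, matched in checks.items() if matched]

def run_key_hits(reg_output: str) -> list[tuple[str, str]]:
    """Return (value name, data) pairs from `reg query` text that match the worm."""
    found = []
    for m in filter(None, map(REG_LINE.match, reg_output.splitlines())):
        name, data = m.group(1), m.group(3).strip().strip('"')
        if name.upper() == RUN_VALUE or ntpath.basename(data).lower() == DROPPED_FILE:
            found.append((name, data))
    return found

# Constructed samples (not captured traffic or a real registry dump).
SAMPLE_MAIL = (
    b"From: main@world.com\r\nTo: You\r\nSubject: All people!!\r\n"
    b"MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary=b1\r\n\r\n"
    b"--b1\r\nContent-Type: text/plain\r\n\r\n\r\n"
    b"--b1\r\nContent-Type: application/octet-stream\r\n"
    b"Content-Disposition: attachment; filename=\"11september.exe\"\r\n\r\n"
    b"placeholder, not a real binary\r\n--b1--\r\n"
)
SAMPLE_REG = "\n".join([
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe",
    r"    ICQ1    REG_SZ    C:\WINDOWS\system32\synchost1.exe",
])
```

Either Run-key condition alone is reported, so a renamed value that still points at synchost1.exe is caught as well.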


AntiSkola.2111

Description AntiSkola.2111

It is a dangerous memory resident parasitic virus. It hooks INT 9 and INT 21h and writes itself to the end of COM and EXE files that are executed. While infecting the COMMAND.COM file, the virus patches its code at a fixed offset and writes a JMP-Virus instruction there. This works only for some COMMAND.COM version(s) and corrupts COMMAND.COM from other DOSes (including Win95).
On keystrokes (INT 9), depending on the system timer, the virus changes the data in the keyboard buffer. Depending on the system timer, the virus stops the execution of the TURBO.EXE and TPX.EXE files. Also depending on the system time, the virus decrypts and displays the message (see below), plays a tune and halts the computer:
Dobry den,predstavuje se Vam virus AntiSkola.Tento virus byl napsan
pro demonstraci idealniho preziti viru ve skolnim prostredi.Doufam,
ze se Vam bude libit.
Moje podekovani patri zejmena :
Firme Borland International Inc. za TurboAssembler a TurboDebugger
Skole za to,ze mi umoznila nerusene programovat
Firme Microsoft za "operacni system" MS-DOS,ktery byl koncipovan
primo pro viry.Na prikladu WINDOWS 95 je jasne videt,ze se stale
teto filozofie nevzavaji.Mozna by si meli neco precist o
protected modu a preemtivnim multitaskingu.
At zije SOSE v Brne na Obranske !!

AntiTrace.2122

Description AntiTrace.2122
It is a non-dangerous memory resident parasitic virus. It hooks INT 21h and writes itself to the end of COM files when they are closed. When an infected file is opened, the virus disinfects it. The virus uses anti-debugging tricks; when INT 21h is traced, it displays the message:
+--------- Anti_Trace ----------+
|                               |
| Loading AntiVirus didn't find |
| me yet. I'm so sorry!         |
|                               |
|         [ Continue ]          |
+-------------------------------+
It also contains the internal strings:
Anti_Trace
Good Luck in Creating Antivirus. (C) 1993, AT Corp.

    Copyright © 2005 Virus-Database.com