Virus Database


I-Worm.Choke

Description I-Worm.Choke

This is a worm that spreads over the Internet through MSN Messenger (an instant messaging program). The worm itself is a Windows EXE file about 40Kb in length, written in Visual Basic.
When an infected file is run, the worm copies itself to C:\CHOKE.EXE, then registers this file in the registry auto-run key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Choke = C:\choke.exe -blahhh
then displays two fake messages:
Choke
This program needs Flash 6.5 to run!

Run time error
Cannot run program!, Quiting
The worm also creates the C:\ABOUT.TXT file and writes the following text to it:
Choke , Copyright î 1886 all A MAD CHRISTIAN
---------------------------------------
Go talk swearwords about God
You all will die, stupid humans.
You fools didn't see what you have done
Bye slut, go talk shit about me.
(Call me a 'psychophatt', but I respect the Creator of life...)
' Consider your earth '
The worm then runs its spreading routine. That routine waits for an incoming message and replies with the text:
"President bush shooter is game that allows you to shoot Bush balzz" hahaha
and sends the victim a request to receive the worm EXE file. The EXE file name is randomly selected from three variants:
choke.exe
ShootPresidentBUSH.exe
%username%.exe
where %username% is the victim's name as shown in the MSN network.
If the incoming message starts with "hey!", the worm replies with a report on the victims to whom infected messages were sent:
PPL: %n
I got %n son of a bitches.
%username%, status = %n
Send to %n ppl
%username% (request sent)
%username% (accepted)
where %username% is the victim's name as shown in the MSN network, and the %n values are different numbers.
The worm also creates the "dalist.txt" file and writes to it the list of already infected users (addresses to which the worm has already been sent). The worm checks that list and does not send a copy of itself to the same address twice.
The worm also seems to send messages to %random%@pager.icq.com addresses with the text:
From: George.W.Bush@whitehouse.gov
Text: Micro$oft invites you to use MSN Messenger!
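
The host artifacts named in this description (the Run value, C:\choke.exe, C:\about.txt and dalist.txt) can be checked for with a short triage script. This is an added example, not part of the original description: it assumes the Run key was exported with `reg query` and that a file listing is available, and the function names and sample data are constructed for illustration.

```python
import ntpath
import re

# Indicators from the I-Worm.Choke description (paths compared case-insensitively).
RUN_VALUE = "choke"
WORM_EXE = r"c:\choke.exe"
FIXED_FILES = {WORM_EXE, r"c:\about.txt"}
LIST_FILE = "dalist.txt"  # the description gives no directory: match the name only

# A value line of `reg query` output: 4 spaces, name, 4 spaces, type, 4 spaces, data.
REG_LINE = re.compile(r"^ {4}(?P<name>.+?) {4}(?P<type>REG_\w+) {4}(?P<data>.*)$")

def norm(path):
    return ntpath.normcase(ntpath.normpath(path))

def exe_of(command):
    """Executable part of a Run command line (quoted, or up to the first space)."""
    command = command.strip()
    if command.startswith('"'):
        return norm(command[1:].split('"', 1)[0])
    return norm(command.split(" ", 1)[0])

def scan_run_key(reg_query_text):
    """Return (value name, data, reason) for Run entries matching the description."""
    hits = []
    for line in reg_query_text.splitlines():
        m = REG_LINE.match(line)
        if not m:
            continue  # key header or blank line
        if exe_of(m["data"]) == WORM_EXE:
            hits.append((m["name"], m["data"], "points to C:\\choke.exe"))
        elif m["name"].lower() == RUN_VALUE:
            hits.append((m["name"], m["data"], "value name 'Choke'"))
    return hits

def scan_files(paths):
    """Return the paths that match the files the worm is described as creating."""
    return [p for p in paths
            if norm(p) in FIXED_FILES or ntpath.basename(norm(p)) == LIST_FILE]

# Constructed sample input (not captured from a real host).
SAMPLE_REG = "\n".join([
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r'    OneDrive    REG_SZ    "C:\Users\a\OneDrive.exe" /background',
    r"    Choke    REG_SZ    C:\choke.exe -blahhh",
    r'    Updater    REG_SZ    "c:\CHOKE.exe" -x',
])
SAMPLE_FILES = [r"C:\CHOKE.EXE", r"C:\Windows\notepad.exe", r"C:\ABOUT.TXT", r"D:\tmp\dalist.txt"]

if __name__ == "__main__":
    print(scan_run_key(SAMPLE_REG))
    print(scan_files(SAMPLE_FILES))
```

A match on the value name alone is a weaker signal than a match on the executable path, so the reason is returned with each hit.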


Macro.Word.NF

Description Macro.Word.NF

It is an extremely silly encrypted virus containing nothing except infection routines. The total length of its two macros (nf, autoclose) is just 286 bytes.
Both virus macros contain infection routines. The first macro infects the global area when an infected document is closed (it is named "autoclose" in infected documents and "nf" in NORMAL.DOT); the second macro infects documents that are closed (it is named "nf" in infected documents and "autoclose" in NORMAL.DOT). So the virus swaps the names of these macros, as several macro viruses do: while infecting a file or the global area it copies the "nf" macro under the name "autoclose", and "autoclose" under the name "nf".
         NORMAL.DOT   Infected files
Macro1   nf           autoclose
Macro2   autoclose    nf

While infecting the system the virus displays the string "Infected!"; while infecting a file it displays "Traced!".

Macro.Word.NiceDay

Description Macro.Word.NiceDay

This virus is based on the Word.Macro.Concept virus. It contains four macros:
in NORMAL.DOT   in infected files
PayLoad         Payload
AutoExit        AutoExit
VOpen           AutoOpen
AutoClose       VClose

The Payload macro contains the same text as "Word.Macro.Concept":
That's enough to prove my point

On AutoExit the virus displays the message:
Have a Nice Day !





    Copyright © 2005 Virus-Database.com