Virus Database


I-Worm.Coronex.a

Description I-Worm.Coronex.a

Coronex is a worm spreading via the Internet as an attachment to infected emails. The worm also copies itself to the "C:\My Downloads" directory, which gives it a second way to spread.
The worm itself is a Windows PE EXE file about 12KB in length and is written in Assembler.
The worm activates (from an infected email message) only when a user clicks on the attached file. If this happens the worm starts its installation and spreading routines.
Installing
While installing, the worm copies itself to the Windows directory under the name "corona.exe" and registers this file in the system registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
PC-Config32 = %WinDir%\corona.exe

The installation procedure contains bugs, so the worm often fails to install itself into the system; despite this, it is still able to activate its spreading routines.
Spreading: E-Mail
To send infected messages the worm uses a direct connection to the "ns.execulink.com" SMTP server. To obtain victim email addresses the worm scans the Windows Address Book (WAB) database.
The worm activates its spreading routine once per hour (minute:seconds = 1:1).
Infected messages use one of the following combinations of "From", "Subject", "Message body" and "Attachment" file name:
From: 'sars@hotmail.com'
Subject: SARS
Body: Severe Acute Respiratory Syndrome
Attachment: sars.exe

From: 'sars2@hotmail.com'
Subject: I need your help
Body: Severe Acute Respiratory Syndrome
Attachment: corona.exe

From: 'corona@hotmail.com'
Subject: Virus Alert!
Body: SARS Virus
Attachment: virus.exe

From: 'virus@yahoo.com'
Subject: Corona Virus
Body: honk kong
Attachment: hongkong.exe

From: 'deaths@china.com'
Subject: bye
Body: deaths virus
Attachment: deaths.exe

From: 'virus@china.com'
Subject: SARS
Body: SEE Ya
Attachment: sars2.exe

From: 'virus2@china.com'
Subject: SARS Virus
Body: SARS Corona Virus
Attachment: cv.exe

Spreading: MyDownloads
The Coronex worm copies itself to "C:\My Downloads" using the following names:
'Cossacks Full Version.exe'
'Battlefield 1942 (full).exe'
'Warcraft III Full.exe'
'Jedi Knight II.exe'
'Quake 3 Full Version.exe'
'Starcraft full.exe'
'Doom 3.exe'
'Tribes 2 (full).exe'
'Rainbow 6 Full.exe'
'Oni full.exe'
'White and Black.exe'
'Return to Castle Wolfenstien (Full).exe'
'Command & Conquer: Generals.exe'
'Black Hawk Down (full).exe'
'The Sims: Unleashed.exe'
'Age Of Mythology.exe'
'Dark Age of Camelot.exe'
'Ultima Online.exe'
'The Lord of the Rings.exe'
'Medel Of Honor: Allied Assault.exe'
'Grand Theft Auto 3 (full).exe'
'Unreal 2: The Awakening (full).exe'
'Unreal.exe'
'Master Of Orion 3.exe'

After copying itself, the worm pads the copy so that its file length grows to several megabytes.
If there is no "C:\My Downloads" directory, the Coronex worm copies itself to the current directory instead.
Payload
The first time the worm is run it displays the following message:

Coronex also sets the Internet Explorer StartPage (default page) to the World Health Organization's Web page dedicated to the SARS virus:
http://www.who.int/csr/don/2003_04_19/en
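The indicators above (the Run-key value, the dropped file name, the lure sender/subject/attachment combinations and the decoy names in C:\My Downloads) can be turned into simple host and mail checks. The following is an added example, not code from the virus database or its authors: the function names, the input shapes and the sample data are constructed; only the indicator strings are taken from the description.

```python
"""Indicator checks for the Coronex worm behaviour described above.

Added example, not code from the virus-database page. Function names and the
sample inputs are constructed; the registry value name, dropped file name,
lure triples and decoy file names are the page's own.
"""

RUN_VALUE_NAME = "PC-Config32"   # value the worm adds under HKLM\...\CurrentVersion\Run
DROPPED_FILE = "corona.exe"      # copied into %WinDir%
INFLATED_MIN = 1024 * 1024       # copies in C:\My Downloads are padded to several MB

# (sender, subject, attachment) as listed in the description.
EMAIL_LURES = {
    ("sars@hotmail.com", "SARS", "sars.exe"),
    ("sars2@hotmail.com", "I need your help", "corona.exe"),
    ("corona@hotmail.com", "Virus Alert!", "virus.exe"),
    ("virus@yahoo.com", "Corona Virus", "hongkong.exe"),
    ("deaths@china.com", "bye", "deaths.exe"),
    ("virus@china.com", "SARS", "sars2.exe"),
    ("virus2@china.com", "SARS Virus", "cv.exe"),
}
LURE_ATTACHMENTS = {attachment for _, _, attachment in EMAIL_LURES}

# Decoy names the worm uses in C:\My Downloads (compared case-insensitively).
DOWNLOAD_DECOYS = {
    "cossacks full version.exe", "battlefield 1942 (full).exe", "warcraft iii full.exe",
    "jedi knight ii.exe", "quake 3 full version.exe", "starcraft full.exe", "doom 3.exe",
    "tribes 2 (full).exe", "rainbow 6 full.exe", "oni full.exe", "white and black.exe",
    "return to castle wolfenstien (full).exe", "command & conquer: generals.exe",
    "black hawk down (full).exe", "the sims: unleashed.exe", "age of mythology.exe",
    "dark age of camelot.exe", "ultima online.exe", "the lord of the rings.exe",
    "medel of honor: allied assault.exe", "grand theft auto 3 (full).exe",
    "unreal 2: the awakening (full).exe", "unreal.exe", "master of orion 3.exe",
}


def _basename(path):
    """Last path component, tolerant of an unexpanded %WinDir% and surrounding quotes."""
    return path.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_run_key(entries):
    """entries: {value name: data} read from the Run key.
    Returns the value names that match the worm's persistence entry, either by
    the documented value name or because the data launches corona.exe."""
    return [name for name, data in entries.items()
            if name == RUN_VALUE_NAME or _basename(data) == DROPPED_FILE]


def check_email(sender, subject, attachment):
    """Classify one message: an exact lure triple is the strongest signal;
    a documented attachment name alone is a weaker one."""
    triple = (sender.strip().lower(), subject.strip(), attachment.strip().lower())
    if triple in EMAIL_LURES:
        return "lure-triple"
    if triple[2] in LURE_ATTACHMENTS:
        return "lure-attachment"
    return None


def check_download_dir(listing):
    """listing: [(file name, size in bytes)] from C:\\My Downloads (or the
    worm's current directory). Returns decoy-named files, each tagged with
    whether it shows the padded-to-megabytes size the description mentions."""
    hits = []
    for name, size in listing:
        if name.lower() in DOWNLOAD_DECOYS:
            hits.append((name, "inflated" if size >= INFLATED_MIN else "small"))
    return hits


if __name__ == "__main__":
    # Constructed sample data, not real observations.
    print(check_run_key({"PC-Config32": r"%WinDir%\corona.exe", "ctfmon": "ctfmon.exe"}))
    print(check_email("sars@hotmail.com", "SARS", "sars.exe"))
    print(check_download_dir([("Doom 3.exe", 5 * 1024 * 1024), ("readme.txt", 120)]))
```

The Run-key check matches on the executable name as well as on the documented value name, because the description says the installer is buggy and the value name is the part most likely to vary between incomplete installs; the attachment-only match in check_email is deliberately reported separately so a triage rule can weight it lower than a full lure triple.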


Macro.Word97.Spooky

Description Macro.Word97.Spooky

This macro virus contains one macro, Document_Close, and spreads when a document is closed.
While infecting the global macros area (NORMAL.DOT), the virus appends to the end of its code additional information about the current user: system date and time, UserName and UserAddress. On the 1st of each month, the virus saves this information to the HSF.SYS file (where "number" is a randomly generated number), then sends this file by FTP client under "user anonymous" to the incoming directory on the FTP server with the address 209.201.88.110. It seems that this address can be accessed by the virus writer, who thereby obtains information about how fast the virus is spreading.
The virus code contains the ID-strings:
<- this is a marker!
Logfile -->

Spooky.d (Caligula)
On its first run on a computer, the virus searches the disk for a SECRING.SKR file containing PGP private keys. It then sends this file by FTP client under "user anonymous" to the incoming directory on the FTP server with the address 209.201.88.110.
On the 1st of each month, the virus displays the message:
WM97/Caligula (c) Opic [CodeBreakers 1998]
No cia,
No nsa,
No satellite,
Could map our veins.

The virus also changes Summary Info of documents:
Author Opic
Title WM97/Caligula Infection
Subject A Study In Espionage Enabled Viruses.
Comments The Best Security Is Knowing The Other Guy Hasn't Got Any.
Keywords Caligula, Opic, CodeBreakers
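Both Spooky variants are recognisable from two things the description gives: an anonymous FTP upload into the "incoming" directory on 209.201.88.110 (the spreading log, or SECRING.SKR for Caligula), and the fixed Summary Info strings written into documents. The following is an added example, not code from the virus database: the log line format, the sample lines and the function names are constructed; the address, the anonymous login, the upload directory and the Summary Info values come from the description.

```python
"""Detection checks for the Spooky / Caligula macro virus behaviour described above.

Added example, not part of the virus-database page. The FTP log format and the
sample lines are constructed; the destination address, anonymous login,
'incoming' upload directory and Summary Info strings are taken from the page.
"""
import re

EXFIL_HOST = "209.201.88.110"

# Constructed log format: "<date> <time> <client> <server>:<port> <FTP command> [<argument>]"
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+):(\d+) (\S+)(?: (.*))?$")

# Summary Info fields the Caligula variant writes (values verbatim from the page).
CALIGULA_SUMMARY = {
    "author": "Opic",
    "title": "WM97/Caligula Infection",
    "subject": "A Study In Espionage Enabled Viruses.",
    "comments": "The Best Security Is Knowing The Other Guy Hasn't Got Any.",
    "keywords": "Caligula, Opic, CodeBreakers",
}


def find_exfil_sessions(lines):
    """Return (client, file name, kind) for every STOR into incoming/ on the
    documented host by a client that first logged in as 'anonymous'.
    kind is 'pgp-secring' for SECRING.SKR, otherwise 'upload'."""
    anonymous_clients = set()
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        _ts, client, server, port, cmd, arg = m.groups()
        if server != EXFIL_HOST or port != "21":
            continue
        cmd = cmd.upper()
        arg = (arg or "").strip()
        if cmd == "USER" and arg.lower() == "anonymous":
            anonymous_clients.add(client)
        elif cmd == "STOR" and client in anonymous_clients:
            target = arg.replace("\\", "/").lower()
            if target.startswith("incoming/"):
                name = target.rsplit("/", 1)[-1]
                kind = "pgp-secring" if name == "secring.skr" else "upload"
                hits.append((client, name, kind))
    return hits


def summary_info_matches(props):
    """props: {summary field: value} read from a Word document's Summary Info.
    Returns the fields whose values equal the strings the virus writes."""
    return sorted(field for field, value in CALIGULA_SUMMARY.items()
                  if props.get(field, "").strip() == value)


# Constructed sample log: one anonymous session to the documented host that
# uploads a PGP secret keyring, one anonymous session elsewhere, and one
# non-anonymous session to the documented host.
SAMPLE_LOG = [
    "2003-05-01 00:02:11 10.0.0.5 209.201.88.110:21 USER anonymous",
    "2003-05-01 00:02:11 10.0.0.5 209.201.88.110:21 PASS guest@",
    "2003-05-01 00:02:12 10.0.0.5 209.201.88.110:21 CWD incoming",
    "2003-05-01 00:02:13 10.0.0.5 209.201.88.110:21 STOR incoming/secring.skr",
    "2003-05-01 00:05:40 10.0.0.9 192.0.2.10:21 USER anonymous",
    "2003-05-01 00:05:41 10.0.0.9 192.0.2.10:21 STOR incoming/report.txt",
    "2003-05-01 00:07:02 10.0.0.7 209.201.88.110:21 USER jsmith",
    "2003-05-01 00:07:03 10.0.0.7 209.201.88.110:21 STOR incoming/notes.txt",
]

if __name__ == "__main__":
    print(find_exfil_sessions(SAMPLE_LOG))
    print(summary_info_matches({"author": "Opic", "title": "WM97/Caligula Infection",
                                "subject": "Quarterly report"}))
```

The session check keys on the anonymous login plus the upload directory rather than on a file name pattern, because the description gives the log file's name only as HSF.SYS with a random number component and does not say exactly how the number is embedded.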

Macro.Word97.Steroid

Description Macro.Word97.Steroid

This virus contains eleven macros in one module, "Inject". It infects the system and documents when any of these macros runs, and also changes the volume label of drive C: to "Testicle". On exiting Microsoft Word it infects all documents in the current directory. On entering the "Help/Aboutall" menu it displays two messages:
VMPCK v2.0 Beta / SR-1 Compatable
Can I have a bottle of warm Diet Mountain Dew?

W97M/Steroid.Poppy
Shout Out! ...Slage Hammer, Spanska and the entire _Kim_Liberation_Army_

On opening the Visual Basic Editor, the virus infects all documents in the current directory and displays Microsoft Word dialog windows in random order.
The virus code contains the following comments:
The VicodinES Macro.Poppy Construction Kit v2.0 Beta
Code Written by VicodinES-VV/----------------------
Poppy ID : 75637833-270----/---Compatable with SR-1
Steroid.Poppy.II-----------/--Never Begins Tomorrow

    Copyright © 2005 Virus-Database.com