Virus Database

I-Worm.DragonBall

Description I-Worm.DragonBall

This Internet worm spreads via e-mail messages using MS Outlook and IRC, and is written in VBS. The worm doesn't work correctly, because it contains a few fatal errors.
When the script is run, it creates self-copies in the system directories:
C:WindowsWinsock.vbs
C:WindowsSysdir.vbs
C:WindowsSystemmillioner.vbs
C:WindowsSystemDragonBall.vbs
C:WindowsSystemDragonBall.cab
Also it creates three scripts in IRC directory:
C:mIRCmirc.ini
C:mIRCscript.ini
C:mIRCupdate.ini
The IRC scripts are needed for spreading via the IRC channel. As directories named "C:Windows" and "C:mIRC" hard register in worm's body, it can't execute these operations if the operation system and IRC installed in different directories.
After this, the worm changes some keys in the system registry and WIN.INI file. This creates two keys in the registry:
[HKLMSoftwareMicrosoftWindowsCurrentVersionRun]
"winsock2.0"="C:\Windows\winsock.vbs"

[HKLMSoftwareMicrosoftWindowsCurrentVersionRunServices]
"sysup"="C:\Windows\sysdir.vbs"
and changes the value of the two keys in the WIN.INI file:
[windows]
load=C:WindowsSystemDragonBall.vbs
run=C:WindowsSystemmillioner.vbs
In this way, the worm always will be run when the operation system is started. In addition to this, the worm changes another two keys in the system registry
[HKLMSoftwareMicrosoftWindowsCurrentVersion]
"RegisteredOwner"="Dragon Ball Z by YuP"

[HKCUSoftwareMicrosoftInternet ExplorerMain]
"Start Page"="http://bdball.metropoli2000.net/fotos/imagenes/sagas/foto7_40.jpg"
Then the worm activates a spread procedure, opening the MS Outlook address book, and for each address, creating the following message:
Subject: Hello ;]
Body: Hi , check out this game that j sent you (funny game from the net:]).
Attach: dragonball.vbs
The worm contains errors, and this procedure can't work correctly. So, the worm can't spreads via e-mail.
In conclusion, the worm displays the following dialogue box:

When a user closes this box, the worm removes keyboard and mouse functions, and the runs MediaPlayer with a file from the Internet:
http://bdball.metropoli2000.net/mmedia/videos/clips/dballz/gokuhss1.mpg
and changes AUTOEXEC.BAT, inserting the strings:
@ECHO ON
ECHO DraGon Ball [Z] by YuP
ECHO Thank you and bye bye dragon world!!

Check other viruses! Be aware! Use Antiviral Software

CorporateLife.1937

Description CorporateLife.1937

These are not dangerous memory resident parasitic polymorphic viruses. They hook INT 21h and write themselves to the end of EXE files on DOS calls FindFirst/Next FCB. During infection they use old FCB calls. The viruses have bugs and may corrupt the files while infecting them. If there is a sound blaster installed with the Speech driver, the viruses pass to the driver the string to speak it:
"CorporateLife.1929,1937": Fuck Corporat Life.
"CorporateLife.1931,1935,1939,1943,1947,1951,1957,1961,1971":
Mini Cat

The viruses also contain the text strings:
"CorporateLife.1929,1937": $B -=[$$$ Corporate Life $$$]=- P$
"CorporateLife.1931,1935,1939,1943,1947,1951,1957,1961,1971":
$B Mini-Cat 4/96 P$

Corrupt.1033

Description Corrupt.1033

It is not a dangerous nonmemory resident parasitic virus. It searches for COM files, then writes itself to the beginning of the file. When an infected file is executed on a floppy drive, the virus displays the blue and red colored message:
COR-
RUPT
VIRUS

The virus contains the text strings:
C0RrUpT bY CiBeRb0B
*.com

Home