I-Worm.Fintas
Description I-Worm.Fintas
This is a virus-worm that spreads via the Internet attached to infected files. The worm itself is a Windows PE EXE file about 36 KB in length, and is written in Visual Basic Script. The worm activates from an infected e-mail only when a user clicks on the attached file. The worm then installs itself to the system, and runs a spreading routine and payload.

Installing

While installing, the worm copies itself:

  - to the Windows directory, Windows system directory and C: drive root, with the name `.EXE
  - to the Windows TEMP directory, with a name that depends on the worm version: FF8.EXE, FunnyFlash.EXE

The C:\`.EXE file is then registered in the system registry auto-run key:

  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
  723 = c:\`.exe

and in the Windows SYSTEM.INI file, [boot] section, in the "shell" auto-run command.

Spreading

To send infected messages, the worm uses MS Outlook and sends messages to all addresses found in the Outlook address book. Subject, Body and Attachment name are different in the known worm versions:

  Subject: Microsoft Shockwave Flash Movie
  Body: Check "Family.exe" then you could see Microsoft family's Shockwave Flash Movie
  Attach: FamilyMovie.exe

  Subject: CoolGame
  Body: From %UserName% the cool game about Final Fantasy VIII :)
  Attach: FF8.EXE

  Subject: FunnyFlashMovie
  Body: From %UserName% the flash movie,check it !:)
  Attach: FunnyFlash.EXE

where %UserName% is the Name of the affected machine.

Fintas.a

The first-known worm version, after e-mail spreading, deletes the following files in the Windows directory: REGEDIT.EXE, SYSTEM.INI, WIN.INI, COMMAND\EBD\io.sys, then the files: C:\IO.SYS, C:\NETWORK.LOG. It then copies the worm's copy to the J: network drive (if it exists). The worm then creates and spawns two VBS files: "c:\passwd.vbs" and "c:\leo.vbs", and then displays the following message:

The LEO.VBS file looks for the following files: .html .htm .asp .php .dll .com .txt .doc .xls .exe and overwrites them with the text: Hi! I am LEO

The PASSWD.VBS file looks for .PWL files (passwords) and sends them to the "leotam888@china.com" e-mail with a "mypasswd" subject.

Payload - other versions

On the 23rd of any month, the worm runs its payload routine (which takes effect under Win9x systems only). It writes, to the C:\MSDOS.SYS file, an instruction that disables the Windows boot-up process pausing and tracing, and then overwrites the C:\AUTOEXEC.BAT file with instructions that will format all drives from C: to Z: upon next machine reboot. Then the worm displays the message:
Check other viruses! Be aware! Use Antiviral Software
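The two auto-run locations named in the Installing section can be checked offline from a copy of SYSTEM.INI and a registry export. The following is an added example, not part of the original description: it assumes a REGEDIT4-style text export and splits the shell line on whitespace, the function names are hypothetical, and the sample data is constructed.

```python
import configparser
import re

# Indicators from the description above; matching is by file name only.
WORM_FILES = {"`.exe", "ff8.exe", "funnyflash.exe"}
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\runservices"

def base(path):
    """Lower-cased file name of a Windows path, quotes stripped."""
    return re.split(r"[\\/]", path.strip().strip('"'))[-1].lower()

def check_system_ini(text):
    """Flag every program on the [boot] shell= line other than Explorer.exe."""
    ini = configparser.ConfigParser(strict=False, interpolation=None,
                                    allow_no_value=True)
    ini.read_string(text)
    hits = []
    for section in ini.sections():
        if section.lower() == "boot" and ini.has_option(section, "shell"):
            for prog in (ini.get(section, "shell") or "").split():
                if base(prog) != "explorer.exe":
                    hits.append(("SYSTEM.INI shell", prog))
    return hits

def check_reg_export(text):
    """Flag RunServices values in a REGEDIT4 export that point at worm files."""
    hits, key = [], ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()          # remember the current registry key
        elif key == RUN_KEY:
            m = re.match(r'"(.*?)"="(.*)"$', line)
            # .reg files escape backslashes, so undo that before comparing names
            if m and base(m.group(2).replace("\\\\", "\\")) in WORM_FILES:
                hits.append(("RunServices " + m.group(1), m.group(2)))
    return hits

# Constructed sample data (not captured from a real machine).
SAMPLE_INI = ("[boot]\nshell=Explorer.exe c:\\`.exe\n"
              "[386Enh]\ndevice=*vshare\ndevice=*vcache\n")
SAMPLE_REG = ('REGEDIT4\n\n'
              '[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices]\n'
              '"723"="c:\\\\`.exe"\n"LoadPowerProfile"="Rundll32.exe powrprof.dll"\n')

if __name__ == "__main__":
    for where, value in check_system_ini(SAMPLE_INI) + check_reg_export(SAMPLE_REG):
        print(f"suspicious {where}: {value}")
```

The shell check reports anything besides Explorer.exe, so it also catches a shell line that was replaced rather than appended to.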
EICAR-Test-File
Description EICAR-Test-File
EICAR is a short 68-byte COM file that is detected by anti-virus programs as a virus, but is actually NOT "VIRAL" at all. When executed it just displays a message and returns control to the host program.

Why is this harmless file detected as a virus? The file was created in order to demonstrate to users the messages and procedures that anti-virus programs display when a real virus is detected. Some time ago researchers from several anti-virus companies were asked by users to develop a way to demonstrate what would happen in case of a real virus attack; a sort of simulation of which messages anti-virus programs will display and what actions will be recommended to perform, etc.

After some time and thought toward how to best satisfy the request, the anti-virus researchers decided to release a virus simulator: a harmless file that does nothing but display a message and then exit to DOS (the host OS). It was decided that this file could contain only ASCII characters so that users could type it or copy it from a User Guide. As a result the COM file looks as follows:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Despite having only ASCII characters, this COM file is nonetheless a legitimate computer program that does work under DOS or in a DOS window under Windows, OS/2 or any other OS that is able to run DOS programs. When run or executed this COM file simply displays a text message and exits to DOS. The displayed message looks as follows:

EICAR-STANDARD-ANTIVIRUS-TEST-FILE!
It is as simple as that, though a lot of anti-virus programs detect it as a virus named EICAR-Test-File or something close to this. Kaspersky Anti-Virus software detects this file only if the file name EICAR.AVC is listed in the AVP.SET file. At user request, the EICAR.AVC file has been removed from the main Kaspersky Anti-Virus database.
Einstein.878
Description Einstein.878
It's a harmless memory-resident virus which hooks INT 21h and infects .EXE files in the standard way when they are started. It contains the texts: "exeEXE", "Einstein".