I-Worm.Fog
Description I-Worm.Fog
This is a Win32 email worm with backdoor and DDoS abilities. The worm itself is a Win32 application (PE EXE file) about 180K in size (in UPX-packed form) and about 500K when unpacked. The worm is written in Delphi.

The worm sends itself to other machines as an email attachment named AntiVirus.exe. While spreading, it uses MAPI to connect to the email client. The worm also reports the infected machine to an IRC channel (worm host channel?) and then activates backdoor and DDoS routines that allow a remote master to manipulate the infected machine and perform DoS attacks on remote machines.

When an infected file starts (activated by the user from an infected message or from any other source), the worm displays the message box:

  Explorer
  i reb00t
  [OK]

When the OK button is pressed, the worm copies itself into the Windows system directory under the name "AntiVirus.exe" and into the Windows Fonts directory under the name "Times New Roman.exe". The latter file is then registered in the system registry auto-run key:

  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
  Windows = %windows font directory%\Timer New Roman.exe

To spread, the worm looks in the Inbox for all messages that have at least one attached file and replies with an infected message that has:

  Subject: I think that you sent me a virus.. heres a cleaner
  Body: I took my computer to the shop and they ran this, and told me to send it to you.. hope this helps.
  Attach: AntiVirus.exe

The worm also deletes NETSTAT.EXE and REGEDIT.EXE in the Windows directory.

The worm also looks for anti-virus and some other processes that are active at the moment and tries to terminate them:

  APLICA32.EXE CFIADMIN.EXE CFIAUDIT.EXE CFINET32.EXE CFINET.EXE IAMSERV.EXE IAMAPP.EXE PCFWallIcon.EXE FRW.EXE VSHWIN32.EXE VSECOMR.EXE WEBSCANX.EXE AVCONSOL.EXE VSSTAT.EXE NAVAPW32.EXE NAVW32.EXE _AVP32.EXE _AVPCC.EXE _AVPM.EXE AVP32.EXE AVPCC.EXE AVPM.EXE AVP.EXE LOCKDOWN2000.EXE ICLOAD95.EXE ICMON.EXE ICSUPP95.EXE ICLOADNT.EXE ICSUPPNT.EXE TDS2-98.EXE TDS2-NT.EXE ZONEALARM.EXE MINILOG.EXE SAFEWEB.EXE IFACE.EXE ANTS.EXE ANTI-TROJAN.EXE BLACKICE.EXE BLACKD.EXE VSMON.EXE WRCTRL.EXE WRADMIN.EXE CLEANER3.EXE CLEANER.EXE TCA.EXE MOOLIVE.EXE SPHINX.EXE
The worm contains the "copyright" text strings: [Fist Of God] [Remote DDoS] [v2.7b]
Macro.Word97.Leonor
Description Macro.Word97.Leonor
The virus contains only one module, "AutoOpen", and replicates when documents are opened. On Monday or Saturday, depending on the system random counter, the virus creates one hundred files named "1" through "100" in the C:\WINDOWS\ESCRITORIO directory and writes this text to them:

  I love Leonor forever
The virus also contains the comment: Leonor macro (v1.1) made by uhjov
Macro.Word97.Lopez
Description Macro.Word97.Lopez
The virus replicates under MS Word ver. 8.0 only. It contains two modules: Word97Virus1 and NewMacros.

The "Word97Virus1" module contains eleven macros: Word97Virus1, AutoNew, AutoClose, AutoExec, AutoSave, AutoOpen, FileClose, FileNew, FileSaveAs, FilePrint, FileOpen. The virus replicates when any of these macros is activated.

The "NewMacros" module contains one macro, ToolsMacro, which deletes the virus macros in the active document and NORMAL.DOT when the Tools/Macro menu is entered.

On printing, the virus appends this text to the document:

  hE wHo LiVeS iN tHe PaSt HaS nO ChAnCe To SuRviVe In ThE fUtUrEall
The virus also contains the comment: Word97Virus1 Macro