Virus Database


I-Worm.FriendMess

Description I-Worm.FriendMess

This dangerous Internet worm is written in the Visual Basic Script language. To spread, the worm uses MS Outlook 98/2000. If another mailer is used, the worm is not able to spread, but it still runs its payload routine (see below).
The worm arrives on a computer as an e-mail message:
Subject: FRIEND MESSAGE
Body: A real friend send this message to you.
The message has an attached file, "FRIEND_MESSAGE.TXT.vbs". Depending on system settings, the real extension of the attached file (".vbs") may not be shown. In this case, the filename of the attachment is displayed as "FRIEND_MESSAGE.TXT".
The attached file contains a script written in the Visual Basic Script language. When the attachment is activated by double-clicking it, the script gains control and the worm begins its work.
The worm creates the file "FRIEND_MESSAGE.TXT.vbs" in the Windows system directory and writes its own code there (the worm later uses this file to spread its copies). Then the worm displays the following message:
If you receive this message remember forever: A precious friend
in all the world like only you! So think that!
After this, the worm runs its spreading routine. This routine gains access to MS Outlook and sends infected messages to all recipients in the Outlook address book. These messages look the same as the one that arrived (see above). While spreading, the worm stores the addresses of infected recipients in the system registry and does not send messages to already-infected recipients.
The worm contains a payload routine that overwrites the "C:\AUTOEXEC.BAT" file with commands that delete all files in the Windows directory, the Windows system directory and the Windows temporary directory. These commands in the "C:\AUTOEXEC.BAT" file are executed upon system start-up.
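The hidden-extension trick described above ("FRIEND_MESSAGE.TXT.vbs" displayed as "FRIEND_MESSAGE.TXT") can be checked for at a mail gateway. The following is an added example, not part of the original description: it parses a message and reports attachments whose last extension is a script type hidden behind a harmless-looking one. The extension lists, function names and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string

# Assumed watch lists for this example; neither is exhaustive.
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "wsh", "hta", "bat", "cmd", "scr", "pif", "exe"}
DECOY_EXTS = {"txt", "doc", "pdf", "jpg", "gif", "xls", "htm"}

def masked_name(filename):
    """Return the name a user sees when the real extension is hidden, else None."""
    name = filename.strip().rstrip(". ")  # Windows drops trailing dots and spaces
    parts = name.split(".")
    if len(parts) < 3:
        return None  # fewer than two extensions
    real, decoy = parts[-1].lower(), parts[-2].strip().lower()
    if real in SCRIPT_EXTS and decoy in DECOY_EXTS:
        return name[: -(len(parts[-1]) + 1)]
    return None

def scan_message(raw):
    """Return (real filename, displayed filename) for each masked attachment."""
    hits = []
    for part in message_from_string(raw).walk():
        fname = part.get_filename()
        shown = masked_name(fname) if fname else None
        if shown:
            hits.append((fname, shown))
    return hits

# Constructed sample modelled on the description above; attachment bodies are placeholders.
SAMPLE = """\
Subject: FRIEND MESSAGE
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

A real friend send this message to you.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="FRIEND_MESSAGE.TXT.vbs"

placeholder
--b1
Content-Type: text/plain
Content-Disposition: attachment; filename="notes.txt"

placeholder
--b1--
"""
```

Calling scan_message(SAMPLE) returns one hit pairing the real attachment name with the name a user would see; the plain "notes.txt" attachment is not reported.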


Emorph.1696

Description Emorph.1696

It is a non-dangerous memory-resident parasitic virus. It hooks INT 21h and writes itself to the end of COM files that are executed. On infection of the third file it also hooks INT 8, 10h and 13h and manifests itself in different ways: it launches a ball (see the "Ping-Pong" virus), changes the font table for several characters, and displays the message:
[1993 por JMC Ver 1.1]

It also contains the internal text string:
E-Morph

Emperor.5826

Description Emperor.5826

It is an extremely dangerous memory-resident polymorphic multipartite virus about 6Kb in length. It infects DOS COM and EXE files by writing its code to the end of the file, and overwrites the MBR of the hard drive and the boot sector on floppy disks with its own loading routine, which installs the virus into system memory on rebooting. The virus has many anti-debugging tricks, uses stealth functions, and uses quite complex routines to get the addresses of the DOS kernel in order to bypass anti-virus protection.
The virus has bugs, and in some cases it corrupts files while infecting them; such files halt the system when executed.
When an infected file is run, the virus decrypts itself, checks whether its TSR copy is already installed in the system, and runs its installation routine. This routine allocates a block of DOS memory, copies the virus code there, hooks INT 12h, 13h and 21h, and infects the MBR of the hard drive.
The virus's INT 21h hooker intercepts file access calls and runs the infection and stealth routines. The INT 13h hooker does the same when the MBR and floppy disk boot sectors are read or written.
While infecting the MBR, the virus uses several tricks to bypass anti-virus protection: it writes data by direct calls to the HDD controller ports, or stuffs 'Y' into the keyboard buffer in case a Megatrends or AWARD BIOS is installed and the VirusWarning BIOS protection is enabled (the virus checks the necessary field in the CMOS memory).
The virus stores the original MBR and boot sectors in the reserved sectors on the drive, but encrypts and corrupts this code so that the data works correctly only if the virus's TSR copy is active (i.e. only if the disk is infected, the virus has already installed its code into memory and has released control to the original bootstrap routine). The virus also patches the MBR DiskPartitionTable: it loops its tables. As a result, it is not possible to load the system from a clean MS DOS floppy disk, and it is necessary to use other DOS versions or special tools to access the hard drive.
While infecting the MBR or a floppy disk boot sector, the virus checks it for some specific code and erases the CMOS memory if this code is found; the message "Error in CMOS" is then displayed and the computer halts.
The virus also has a more dangerous destruction routine. It erases the data on the hard drive and corrupts the Flash BIOS in the same way the "Win95.CIH" (aka "Chernobyl") virus does. At the same time the virus displays the message:
EMPEROR
I will grind my hatred upon the loved ones.
Despair will be brought upon the hoping childs of happiness.
Wherever there is joy the hordes of the eclipse will pollute
sadness and hate under the reign of fear.
In the name of the almighty Emperorall.

This routine is executed if the virus finds an active debugger in the system memory, or if the system is rebooted in the period from 5am till 10am. This routine may also take control because of a bug in the virus code.
The virus also contains the text strings:
the EMPEROR virus
written by Lucrezia Borgia
In Colombia, 1999

    Copyright © 2005 Virus-Database.com