Virus Database

I-Worm.Gigger

Description I-Worm.Gigger

This is a dangerous worm. It replicates using Outlook, Outlook Express and mIRC. The worm is written in JavaScript and Visual Basic Script (VBS). It contains destructive payload routines that are able to format the user's hard disk after reboot, and can delete all files on all available disks.
Installation
While installing into the system, the worm creates several files:
C:Bla.hta
C:B.htm
C:WindowsSamplesWshCharts.js
C:WindowsHelpMmsn_offline.htm

Then the worm finds its "already infected" sign in the registry, and if it doesn't exist, the worm creates it.
The infection presence sign is located in the following registry key:
HKEY_CURRENT_USERSoftware hegraveadusersv2.0
The worm finds all connected network drives and copies itself to them to the following location:
WindowsStart MenuProgramsStartUpMsoe.hta
Spreading via e-mail
The worm uses Outlook and Outlook Express to spread in infected e-mail messages.
Infected message contain the following properties:
Subject: Outlook Express Update
Body: MSNSoftware Co.
Attachment: mmsn_offline.htm

The worm also sends a message that contains the e-mail addresses of its recipients to an e-mail address, which seems to belong to the worm's author.
Spreading via IRC
The worm finds the installation folder of an mIRC client application, and creates there the file name "script.ini". After this, the worm sends itself to each user that joins the same IRC channel where the infected user is.
Filename sent through mIRC: "mmsn_offline.htm"
Payload
The worm adds the following line in the file Autoexec.bat:
ECHO y|format c:
This results in formatting disk C: upon computer restarting.
If the day of the month is the 1st, 5th, 10th, 15th or 20th, the worm deletes all files from all drives.

Check other viruses! Be aware! Use Antiviral Software

Quit.555.a

Description Quit.555.a

It is a memory resident harmless virus which by standard way hits COM- and EXE-files when they are started. It has no manifestation, hooks INT 21h. Since 1992 the virus stops the execution of the infected file and quits to DOS.

Qumak.1028

Description Qumak.1028

These are non memory resident enciphered parasitic viruses. They hit .COM-files of current directory and directories pointed in PATH string. Depending of current time they display: "Hello world from my virus!". They also contain the texts: "(C) DOCTOR QUMAK", "e stuff that should be here".
"Qumak.1161" formats the disk sectors.
"Qumak.1079" is a memory resident virus. It hooks INT 12h, 13h, 21h and infects the .COM-files on their execution or opening. It contains the encrypted text string:
The famous cooperation strikes again: IT IS DOCTOR QUMAK II!
Watch out for the next virus from Krak-w, Poland!

Home