I-Worm.Guorm.a
Description I-Worm.Guorm.a
This is an Internet worm that spreads as an attachment to e-mail messages. To send infected messages, the worm uses a VBS script and MS Outlook. The worm is also able to send copies of itself to IRC channels by infecting an mIRC client.
There are several versions of the worm. The first is a pure VBS script; another is a Windows executable file that drops a VBS script to infect e-mail messages; the third is an MS Word document with a macro program inside. All of these versions have similar functionality and infect the system in very similar ways.
When the worm file is activated (by double-clicking an attached file in an infected message, or by being accepted as an IRC download), it copies itself into the Windows System directory under different names depending on the version: USER.DLL, WINUSER.EXE, WINUSER.DLL, USER32.DLL.VBS
The worm does not register these files in the system, so they are not executed automatically. The name of the Windows directory is hardcoded in the body of the first version (C:\WINDOWS\SYSTEM), so that version is not able to spread if Windows is installed in another folder.
While mailing its copies, the worm drops a GUORM.VBS script file (or GUORMEX.VBS, depending on the version) into the Windows TEMP directory and spawns it. The script connects to MS Outlook, gains access to the address book and sends worm copies to all addresses listed there. The worm messages contain:
Subject: You know what it is!. ;-P
Body: Hey, here you have!.
The attachment name differs depending on the worm version. The first worm version (sent as a Windows EXE file) has only one variant of the attached file name in infected messages: WINUSER.EXE
Other versions use a combination of randomly selected names and extensions from the following variants:
Extensions: .VBS, .VBE, .TXT.VBS, .JPG.VBS, .AVI.VBS, .SCR.VBS
Names: links, cool, funny, anti-loveletter, guorm, pot, win2k, icq2k, money, funnypic.jpg, quake, Year2K+1, Mirc2K, Word2001, FunStuff, WindowsMe
To spread to IRC channels, the worm creates a SCRIPT.INI mIRC system file in the mIRC directory (if mIRC is installed). This file contains a set of instructions that sends a worm file to everybody who enters an infected channel.
The worm contains the following "copyright" texts: BrainMuscle + OldWary + KALAMAR Guorm
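The message indicators listed above (subject, body text, attachment names and extensions) can be turned into a mail-gateway check. The following is an added example, not part of the original description; the function names and the sample messages are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

SUBJECT = "You know what it is!. ;-P"
BODY = "Hey, here you have!."
NAMES = {"links", "cool", "funny", "anti-loveletter", "guorm", "pot", "win2k",
         "icq2k", "money", "funnypic.jpg", "quake", "year2k+1", "mirc2k",
         "word2001", "funstuff", "windowsme"}
EXTS = (".txt.vbs", ".jpg.vbs", ".avi.vbs", ".scr.vbs", ".vbs", ".vbe")

def attachment_matches(filename):
    """True if the file name fits one of the patterns in the description."""
    name = filename.lower()
    if name == "winuser.exe":
        return True
    # Try every extension: "funnypic.jpg" + ".vbs" must not be misread
    # as "funnypic" + ".jpg.vbs".
    return any(name.endswith(e) and name[:-len(e)] in NAMES for e in EXTS)

def guorm_indicators(raw):
    """Return the list of indicators found in a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg["Subject"] or "").strip() == SUBJECT:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and BODY in body.get_content():
        hits.append("body")
    for part in msg.iter_attachments():
        fn = part.get_filename()
        if fn and attachment_matches(fn):
            hits.append("attachment:" + fn)
    return hits

def build_sample(subject, body, filename):
    """Constructed test message with a harmless placeholder attachment."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"constructed placeholder", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    print(guorm_indicators(build_sample(SUBJECT, BODY, "funnypic.jpg.vbs")))
    print(guorm_indicators(build_sample("Meeting notes", "See attached.", "notes.txt")))
```

A single hit, in particular the subject or body text alone, is weak evidence; the combination of message text and a matching attachment name is the stronger signal.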
Kara.739
Description Kara.739
This is a non-dangerous memory-resident parasitic virus. It hooks INT 13h and INT 21h and writes itself to the end of .COM files that are accessed. Depending on the system conditions (if part of memory is occupied in a virus-like way), the virus displays the message:
May bayrus sa memorya Klandistino Awto Reproduktibo Antibayrus
When data is read from floppy disks, the virus checks their boot sector for some code (boot viruses?). If this code is found, the virus replaces it with a program that displays the message:
Ang disk mo ay inpektado I-boot mo uli
The header of infected files contains the text: KARA
Karin.1134
Description Karin.1134
This is a dangerous non-memory-resident parasitic virus. It searches for .COM files, then writes itself to the beginning of the file. Infected files contain the text "REDSTAR *.COM" at the beginning. On October 23rd the virus displays the following message and halts the computer:
Karin hat GEBURTSTAG!