Virus Database

I-Worm.Heyya

Description I-Worm.Heyya

This is worm virus spreading being attached to Email messages, through IRC channels, infecting PE EXE files (Win32 executable files), VBS files and incorporating its copies to RAR and ARJ archives. The worm itself is Win32 executable file about 28Kb of length, and it infects Win32 machines only.
The worm has many bugs and in most of cases crash the system or corrupt files while infecting them.
Installing
When infected file is run, the worm copies itself to Windows system directory with one of the names randomly selects from following list depending on current day:
napster.exe
newbillgates.exe
HonNaCigana2.exe
FreeSoftGSM.exe
game.exe
call.exe
To access that copy later by its name the worm stores that name in Registry key:
HKLMSOFTWAREInfluenzaLab
MicrosoftOE = %wormname%
where %wormname% is the file name of worm copy (it will be used below as well).
The worm also copies itself to Windows directory with PornoChat.exe name and registers that file in Registry auto-run key:
HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun
MicrosoftOE = %WinDir%PornoChat.exe
Updating
The worm is able to update itself. To do that it sets start page for MS Internet Explorer to "www.volny.cz/radix16/flu/update.gif". As a result on each Internet Explorer that GIF file is downloaded to affected machine. The worm then copies that file with C:updateFLU.gif name and processes it.
That can be not usual GIF image file - the worm looks for data that is attached to main GIF image data. The attached data has special format. It may contain a list of email addresses (it is stored to C:Heyya.txt file and is used later) and/or EXE file image.

Check other viruses! Be aware! Use Antiviral Software

Pcflu.2134

Description Pcflu.2134

This is a not dangerous memory resident parasitic polymorphic virus. It hooks INT 21h, 27h and writes itself to the end of EXE files and to the beginnings of COM files, some "Pcflu" infects only EXE files. While executing it checks the system and sometimes displays the message:
Incorrect DOS version
Then it returns to DOS.
The virus contains the text string:
PC-FLU Mk II by Wizard 1991
Some of the viruses from this family hooks INT 8 (timer) and 9 (keyboard) sometimes. Then they periodically 'skip' the keys that are entered.

Pcflu.2141

Description Pcflu.2141

This is a not dangerous memory resident parasitic polymorphic virus. It hooks INT 21h, 27h and writes itself to the end of EXE files and to the beginnings of COM files, some "Pcflu" infects only EXE files. While executing it checks the system and sometimes displays the message:
Incorrect DOS version
Then it returns to DOS.
The virus contains the text string:
PC-FLU Mk II by Wizard 1991
Some of the viruses from this family hooks INT 8 (timer) and 9 (keyboard) sometimes. Then they periodically 'skip' the keys that are entered.

Home