I-Worm.Heyya
Description I-Worm.Heyya
This is a worm that spreads as an attachment to email messages and through IRC channels, infects PE EXE files (Win32 executable files) and VBS files, and inserts copies of itself into RAR and ARJ archives. The worm itself is a Win32 executable file about 28Kb in length, and it infects Win32 machines only. The worm has many bugs and in most cases crashes the system or corrupts files while infecting them.

Installing

When an infected file is run, the worm copies itself to the Windows system directory under one of the following names, selected randomly depending on the current day:

napster.exe
newbillgates.exe
HonNaCigana2.exe
FreeSoftGSM.exe
game.exe
call.exe

To access that copy later by name, the worm stores the name in the Registry key:

HKLM\SOFTWARE\InfluenzaLab
MicrosoftOE = %wormname%

where %wormname% is the file name of the worm copy (it is used below as well).

The worm also copies itself to the Windows directory under the name PornoChat.exe and registers that file in the Registry auto-run key:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MicrosoftOE = %WinDir%\PornoChat.exe

Updating

The worm is able to update itself. To do that, it sets the MS Internet Explorer start page to "www.volny.cz/radix16/flu/update.gif". As a result, each time Internet Explorer loads its start page, that GIF file is downloaded to the affected machine. The worm then copies the file to C:\updateFLU.gif and processes it. The file need not be an ordinary GIF image: the worm looks for data attached to the main GIF image data. The attached data has a special format. It may contain a list of email addresses (which is stored in the C:\Heyya.txt file and used later) and/or an EXE file image.
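As an added example (not part of the original description and not the worm's code), the following Python sketch shows how a defender could check a downloaded GIF for data attached after the image, the carrier described under Updating. It walks the GIF block structure to find the real trailer byte rather than searching for 0x3B; the sample GIF bytes and the appended marker are constructed, and the function names are hypothetical.

```python
# Added example: report bytes that follow a GIF's real trailer (0x3B).
# CLEAN_GIF is a constructed 1x1 image; APPENDED is a constructed marker.
CLEAN_GIF = (
    b"GIF89a"
    b"\x01\x00\x01\x00\x80\x00\x00"              # logical screen descriptor
    b"\x00\x00\x00\xff\xff\xff"                  # global color table, 2 entries
    b"\x21\xfe\x01;\x00"                         # comment extension holding ';' (0x3B)
    b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"  # image descriptor
    b"\x02\x02\x44\x01\x00"                      # LZW code size, one sub-block, terminator
    b"\x3b"                                      # trailer
)
APPENDED = b"constructed;appended-data"

def _skip_sub_blocks(data, pos):
    """Skip a chain of data sub-blocks; return the offset after its 0x00 terminator."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        size = data[pos]
        pos += 1
        if size == 0:
            return pos
        pos += size

def _skip_color_table(packed, pos):
    """Advance past a color table if the packed-field flag (bit 7) says one is present."""
    if packed & 0x80:
        pos += 3 * (2 << (packed & 0x07))        # 3 bytes * 2^(N+1) entries
    return pos

def gif_trailing_data(data):
    """Return the bytes after the GIF trailer (b'' for an ordinary image)."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    pos = _skip_color_table(data[10], 13)
    while pos < len(data):
        marker = data[pos]
        if marker == 0x3B:                       # real trailer reached
            return data[pos + 1:]
        if marker == 0x21:                       # extension: marker, label, sub-blocks
            pos = _skip_sub_blocks(data, pos + 2)
        elif marker == 0x2C:                     # image descriptor (10 bytes)
            if pos + 10 > len(data):
                raise ValueError("truncated image descriptor")
            pos = _skip_color_table(data[pos + 9], pos + 10)
            pos = _skip_sub_blocks(data, pos + 1)  # +1 skips the LZW code size byte
        else:
            raise ValueError("unexpected block 0x%02x at offset %d" % (marker, pos))
    raise ValueError("no trailer found")

if __name__ == "__main__":
    print(len(gif_trailing_data(CLEAN_GIF + APPENDED)), "bytes after trailer")
```

A non-empty result on a file fetched as a browser start page is worth a closer look, since ordinary GIF encoders write nothing after the trailer.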
Kaczor.4444.a
Description Kaczor.4444.a
This is a non-dangerous memory-resident polymorphic stealth multipartite virus. It traces and hooks INT 13h and 21h, and writes itself to the MBR of the hard drive and to EXE files that are accessed on floppy disks. When infected files on the hard drive are accessed, the virus disinfects them. While installing itself memory-resident from an infected hard drive, the virus also temporarily hooks INT 12h and 1Ch. On DOS loading it cuts off a block of system memory, hooks INT 13h and 21h, and resets INT 12h and 1Ch. The virus is encrypted in memory as well as in files. The INT 13h and 21h handlers decrypt the code of subroutines before processing them, and then encrypt it again before returning to the original interrupt handlers.

On loading, if the keyboard buffer contains the word "kaczor", the virus disinfects the MBR and displays:

Zrobione.

If the keyboard buffer contains the word "test", the virus displays the message:

Wersjaall....... Kodowanie....... Licznik HD......

and adds the corresponding numbers to the ends of these strings. On March 3rd the virus hooks INT 8 (timer) and "shakes" the screen.
Kadavr.506
Description Kadavr.506
This is a harmless memory-resident encrypted parasitic virus. It hooks INT 21h and writes itself to the end of EXE files that are executed. The virus does not manifest itself in any way. It contains the text in Cyrillic: Kadavr