Virus Database

I-Worm.Hunch.a

Description I-Worm.Hunch.a

This is a virus-worm that spreads via the Internet attached to infected e-mail. The worm itself is a Windows PE EXE file about 151 Kb in length, and it is written in Visual Basic.
Infected messages appear as follows:
Subject: COSTO
Body: Mensaje importante para %Recipient% en el archivo adjuntoall
(%Recipient% is the full name of the recipient.
Attachment: PE EXE file with a random name.

Installing
When the worm is launched, it creates a window containing a picture,

and installs into the system. When installing into the system, the worm copies itself to three files in the Windows system directory: one with the original name of the file, from which the worm has been launched and the following names:
%SYSTEM%THWIN.EXE
%SYSTEM%MSWORD.EXE
Then, the worm writes the following registry keys to start automatically with Windows:
HKLMSoftwareMicrosoftWindowsCurrentVersionRunServices THWIN=%SYSTEM%THWIN.EXE
HKLMSoftwareMicrosoftWindowsCurrentVersionRun THWIN=%SYSTEM%THWIN.EXE
The worm also tries to copy itself to the A: drive with the "UNSCH.JPG.EXE" name.
Replication: e-mail
The worm uses Microsoft Outlook to send infected messages. The worm extracts e-mail addresses from the MS Outlook Address Book and sends itself to these addresses.
Payload
Depending on the worm's internal counters, the worm writes disk a C: formatting command to the C:Autoexec.bat file.

Check other viruses! Be aware! Use Antiviral Software

I-Worm.Galil

Description I-Worm.Galil
Galil is a worm virus spreading via the Internet as an attachment to infected emails. The worm consists of several components, all of which are Windows PE EXE files written in Visual Basic.
Worm components:

Main file: "iLLeGaL.exe", size approx. 81KB
Spreading component: "Mplayer.exe", size approx. 14KB when compressed by UPX, the decompressed size is 37KB
SMTP control: "SMTP.ocx", size approx. 26K when compressed by UPX, the decompressed size is 90KB
Installing
When the main worm file is run it installs itself and its other components into the system. While installing the worm copies its main file to the Windows system directory under the name "iLLegGaL.exe". The other worm components are installed into the same directory. The "Mplayer.exe" component is then registered in the system registry auto-run key:
HKLMSoftwareMicrosoftWindowsCurrentVersionRunServices
iLLeGaL = %SystemDir%Mplayer.exe
The worm then displays a fake Flash animation and the message:
Sorry !
Looooooooool , thanx fo da time u spent thinkin ov me
Spreading
The worm reads emails from victim computer MS Outlook address books and searches for email addresses in .HTM and .HTML files. To send infected messages the worm uses a direct connection to SMTP servers.
Infected email attributes include:
Subject: Fwd: Crazy illegal sex !

The message body text is randomly selected from a file on the C: drive or is in HTML format and contains text such as below:
Note: forwarded message attached.
Do You Yahoo!?
Yahoo! Finance - Get real-time stock quotes
Forwarded Message [ Save to my Yahoo! Briefcase | Download File ]
From: Sara1987@yahoo.com
To: Virgin_gurlz_N_boyz@yahoogroups.com
Date: 24 Aug 2002 17:11:18 -0000
Subject: Fwd: Crazy illegal Sex

Hii
Is it really illegal in da USA?
who knows :P
If u have a weak heart i warn u
DON'T see dis Clip.

e.t.c.
Attachments:
iLLeGal.exe or illegalSex.zip
The worm activates from infected emails only when a user clicks on the attached file. If the attachment file is clicked the worm installs itself to the system and runs its spreading routine and payload.
Payload
The 'Galil' worm creates a new key (counter) in the system registry:
HKLMiLLeGal
This counter is increased (advanced) each time the worm is run. When the counter reaches '5' the worm deletes all files on the D: E: F: and G: drives and then displays the message:
ZaCker
No Peace Without war,i hate war but im forced to love it,Hidden Power's gonna b there wherever u r

I-Worm.Galil

Description I-Worm.Galil

This is a worm virus spreading via the Internet being attached to infected emails. The worm consists of several components. All of them are Windows PE EXE files, written in Visual Basic.
Main file: "iLLeGaL.exe", about 81K of size
Spreading component: "Mplayer.exe", about 14K (compressed by UPX, decompressed - 37K)
SMTP control: "SMTP.ocx", about 26K (compressed by UPX, decompressed - 90K)

Installing
When the main worm file is run it installs itself and its components to the system. While installing the worm copies its main file to the Windows system directory with the name "iLLegGaL.exe". Other worm components are installed to the same directory. The "Mplayer.exe" component is then registered in system registry auto-run key:
HKLMSoftwareMicrosoftWindowsCurrentVersionRunServices
iLLeGaL = %SystemDir%Mplayer.exe

The worm then displays a fake Flash animation and the message:
Sorry !
Looooooooool , thanx fo da time u spent thinkin ov me

Spreading
The worm reads victim emails from the MS Outlook address book and searches for email addresses in .HTM and .HTML files. To send infected messages the worm uses direct connection to SMTP server.
The infected messages have:
Subject: Fwd: Crazy illegal sex !
Body: is randomly selected from a file on C: drive
Attach: "iLLeGal.exe" or "illegalSex.zip"

The worm activates from infected email only if a user clicks on the attached file. The worm then installs itself to the system, runs its spreading routine and payload.
Payload
The worm creates new key (counter) in system registry:
HKLMiLLeGal

This counter is being increased on each worm start. When the counter reaches '5' the worm deletes all files on the D: E: F: G: drives and then displays the message:
ZaCker
No Peace Without war,i hate war but im forced to love it,Hidden Power's gonna b there wherever u r

Home