Virus Database


I-Worm.Lovelorn.a

Description I-Worm.Lovelorn.a
Lovelorn spreads via the Internet as an email file attachment. The infected file is a Windows PE EXE file about 100KB in size and written in Borland C++.
Infected emails have the following possible characteristics:
Subject: Re:baby!your friend send this file to you !
Message text: Read this file

Subject: HELP??-
Message text: Helpall

Subject: Re:Get Password mail...
Message text: Enjoy

Subject: There're some Passwords here
Message text: Read File attach .

Subject: Re:Binladen_Sexy.jpg
Message text: run File Attach to extract:BinladenSexy.jpg...

Subject: The Sexy story and 4 sexy picture of BINLADEN !
Message text: Enjoy! BINLADEN:SEXY..

Subject: Re:I Love You...OKE!
Message text: Souvenir for you from file attach...

Subject: A Greeting-card for you .
Message text: See the Greeting-card .

Subject: Re:Kiss you..^@^
Message text: Read file attach

Subject: Guide to ...
Message text: I like Sexy with you.

Subject: Re:Baby! 2000USD,Win this game...
Message text: Play the game from file attach

Subject: Help
Message text: Help.

The name of the attached file is chosen arbitrarily and has the following extensions:
.Kiss.ok.exe
.HTM

The sender's return address is falsified.
Installation
When launched, the worm copies itself into the Windows system directory under the following names:

Explorer.exe
Kernel32.exe
Netdll.dll
Serscg.dll

The Lovelorn worm then creates the files Setup.hrm, Bsbk.dll and Netsn.dll, all containing code in the MIME format. The worm then creates the file 'Findfast.exe' in the Startup folder.
Next, the worm registers itself in the autorun key section of the system registry using the following entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
explorer=%System%\explorer.exe

Propagation via Email
The Lovelorn worm searches infected (victim) computers for files with the extensions '.dbx' and '.htm'. It then looks within these files for email addresses, which it records in the file 'Mssys.dll'. The addresses held in this file are later used as recipients of virus copies. To send out infected email messages, Lovelorn uses a built-in SMTP server.
Infected files
The worm is able to infect PE application files, copying itself into the file headers.
Propagation via diskette
Lovelorn copies itself on the A: drive under the name 'NQH_Kiss_you.exe'.


I-Worm.Sysnom

Description I-Worm.Sysnom

This is a virus-worm that spreads via the Internet attached to infected e-mails. The worm itself is a Windows PE EXE file about 21Kb in length (compressed by UPX, decompressed size is about 45K), and is written in Visual Basic.
Infected messages contain:
Subject: Good News
Attachment: SoftwareKey.exe
The body is selected from the following three variants:
Wanna remove the I-worms CodeRed, BadTrans, Goner, Updater, etc?
Good news for you because we're giving you a software which removes the latest internet worms in your pc.
Included is your free software from AVP.
Hi! You are a winner of a trip to Iceland.
Included in this message is a software which can help you claim your prize.
See you there!!! Iceland.com
Hi! You have just won yourself a plane ticket to Bali, Indonesia!
Click the attachment to see how to claim your price.
This message is courtesy of YouCanSeeTheWorld.com.
The worm is activated from an infected e-mail only when a user clicks on the attached file. The worm then installs itself to the system, and copies itself to the C:\WINDOWS directory with the following names:
C:\WINDOWS\SoftwareKey.exe
C:\WINDOWS\SYSNOM.EXE
C:\WINDOWS\SCANREGW.EXE (original SCANREGW file is overwritten by worm copy)
and registers one file in the system registry auto-run key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
System Monitor = c:\WINDOWS\SYSNOM.EXE
The worm then displays the following message:

and starts its e-mail spreading routine. To send infected messages, the worm uses MS Outlook, sending messages to all addresses found in the Outlook address book.
The worm then opens the "http://www.avp.ch" site with IEXPLORER.EXE, and starts a DoS attack on the "indovirus.8m.com" site.
The worm does not manifest itself in any other ways.

I-Worm.Talorm

Description I-Worm.Talorm
Talorm is a worm that spreads via the Internet as an attachment to infected emails and copies itself to IRC channels. The worm itself is a CHM file (compressed HTML file) about 17KB in length.
Infected messages have the following features:
The Subject Line text is randomly selected from the following variants:
- Fotos de Thalia
- Free Pics
- Fotos XXX de Thalia
- Fotos Exitantes de Thalia

The body text is randomly selected from the following variants:
- Checa estas fotos de Thalia
- Hola que tal? ya viste las super fotos exitantes de Thalia
- Como tas! aqui te mando unas fotos de Thalia
- Para mis mejores Amigos fotos de Thalia
- Fotos XXX de Thalia
- unas fotos bien padres de Thalia
- Imagenes insolitas de Thalia
- Apuesto a que no has visto desnuda a Thalia
- HOLA! TE RETO A CHECAR ESTAS FOTOS BIEN CHIDAS DE Thalia
- Fotos Exitantes de la cantante Thalia

Attach: Thalia.chm

An example of a "Talorm" email message:

The worm activates from infected emails only when a user clicks on the attached file. If this happens Talorm then installs itself to the system and runs its spreading routine.
The worm then overwrites a registry key with new text:
HKLM\Software\Microsoft\Windows\CurrentVersion
RegisteredOwner = "Thalia"

and displays the message:

Installing
While installing, the worm copies itself to the Windows directory under the name "Thalia.chm" and registers this file in the system registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Thalia = %WinDir%\Thalia.CHM

Spreading: EMail
To send infected messages the worm uses MS Outlook and sends messages to all addresses found in each victim machine's Outlook address book.
Spreading: IRC
The worm looks for the mIRC subdirectory in the "Program Files" directory and writes a new "script.ini" file to this location. This script file has instructions that send worm copies to every user who joins an infected IRC channel.
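
All three worms described on this page persist through a Run-key value, so a single pass over a registry export can check a host for each of them. The following is an added example, not part of the original descriptions: the function name, the rule table layout and the sample export are constructed for illustration, and only the hive, value name and file name of each rule come from the entries above.

```python
import ntpath
import re

# (hive, value name, file name) -> worm, from the descriptions on this page.
RULES = {
    ("HKCU", "explorer", "explorer.exe"): "I-Worm.Lovelorn.a",
    ("HKCU", "system monitor", "sysnom.exe"): "I-Worm.Sysnom",
    ("HKLM", "thalia", "thalia.chm"): "I-Worm.Talorm",
}
HIVES = {"HKEY_CURRENT_USER": "HKCU", "HKEY_LOCAL_MACHINE": "HKLM"}
RUN_KEY = r"software\microsoft\windows\currentversion\run"
SECTION = re.compile(r"^\[([^\\\]]+)\\(.+)\]$")
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample in `reg export` text form (already decoded to str).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"explorer"="C:\\WINDOWS\\SYSTEM\\explorer.exe"
"System Monitor"="c:\\WINDOWS\\SYSNOM.EXE"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Thalia"="C:\\WINDOWS\\Thalia.CHM"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Settings]
"Thalia"="C:\\WINDOWS\\Thalia.CHM"
'''


def audit(reg_text):
    """Return (worm, hive, value name, data) for each matching Run entry."""
    hits, hive, in_run = [], None, False
    for line in map(str.strip, reg_text.splitlines()):
        m = SECTION.match(line)
        if m:
            hive = HIVES.get(m.group(1).upper())
            in_run = m.group(2).lower() == RUN_KEY
            continue
        m = VALUE.match(line)
        if not (m and in_run and hive):
            continue
        # .reg text escapes backslash and quote with a backslash; undo it.
        name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
        # Compare the file name only: %System% and %WinDir% differ per host.
        exe = ntpath.basename(data.strip('"')).lower()
        worm = RULES.get((hive, name.lower(), exe))
        if worm:
            hits.append((worm, hive, name, data))
    return hits
```

Registry exports are normally written as UTF-16, so decode the file before passing its text to `audit`. A hit is a lead to confirm against the dropped files listed for that worm, not a verdict on its own.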


    Copyright © 2005 Virus-Database.com