Virus Database

I-Worm.Lucky

Description I-Worm.Lucky

This is a family of Internet worm that spread via e-mail by sending infected messages from infected computers. While spreading, the worms use MS Outlook and send themselves to all addresses that are stored in the MS Outlook Address Book. As a result, an infected computer sends as many messages to as many addresses are maintained in the MS Outlook contacts list.
There are two worm variants known. Both have bugs in their code and are not able to spread, but these bugs can be easily fixed by a hacker.
The worms are written in the scripting language "Visual Basic Script" (VBS), and they work only on computers on which the Windows Scripting Host (WSH) is installed. In Windwos 98 and Windows 2000, WHS is installed by default. To spread, the worms access MS Outlook and use its functions and address lists. This is available in Outlook 98/2000 only, so the worms are able to spread only when one of these MS Oulook versions is installed.
Spreading
The worm arrives to a computer as an e-mail message with an attached VBS file that is the worm itself. The message in the original worm version contains:
The Subject: Prinz Charles Are Die
Message body: The newest Message for Cool User's. Lucky2000
Attached file name: COOL_NOTEPAD_DEMO.TXT.vbs
Depending on system settings, real extension of an attached file (".vbs") may not be shown. In this case, the filename of the attached file is displayed as "COOL_NOTEPAD_DEMO.TXT".
Upon being activated by a user (by double clicking on the attached file), the worm dispalys the following message:
eXposed
eXposed is being installed
Then it creates a shortcut on the desktop to a PIF-file that exits Windows. The worm sets a shortcut icon to a non-existing file, so the shortcut has a standard icon - a windows flag with white background. After this, the worm displays the following message:
CLICK THE BLUE BOTTLE ICON ON THE DESKTOP OR YOUR HARD DRIVE WILL BE LOST!
eXposed IS A VIRUS IT WILL DAMAGE YOUR COMPUTER
Then the worm begins speading - it opens MS Outlook, gets access to the Address Book, gets all addresses from there and sends messages with its attached copy to all of them. The message subject, body and attached file name are the same as above.
The worm also installs itself into the system. It creates its copy in the Windows directory with the "Prinz_Charles_Are_Die.TXT.vbs" name:
This file is then registered in the Windows auto-run section in the system registry:
HKLMSoftwareMicrosoftWindowsCurrentVersionRunPrinz_Charles_Are_Die = Prinz_Charles.Are.Die.TXT.vbs
As a result the worm is re-activated each time Windows boots up.
Other variants
The worm itself is a text script program, and it is spread in text source form. The worm's code may be easily modified by hackers, and as a result, there are many variants of the worm that may have appeared. Usually only minor changes are made.
I-Worm.Lucky.b
This worm variant is very close to the first one. Upon being activated, it displays other messages:
Price
Price are here
and:
CLICK THE BLUE BOTTLE ICON ON THE DESKTOP AND YOU WIN ONE MILLION DOLLAR !!!
The infected message contains:
The Subject: Won_a_Price
Message body: One Million Dollar for you. Lucky2000
Attached file name: Won_a_Price.TXT.vbs

Check other viruses! Be aware! Use Antiviral Software

Exterminate

Description Exterminate

It's a not dangerous memory resident parasitic encrypted virus. It hooks INT 21h and writes itself to the end of COM- and EXE-files that are executed. Depending on system date it hooks INT 9 (keyboard) also and waits for some string to be entered (that string and the message is partly corrupted), then the virus displays the message:
--Exterminate--- virus from "Divide by 0" group
Written by A.B.C. launch:17.03.94
Members of D.B.0. group

Exterminator.429

Description Exterminator.429

This is a dangerous non memory-resident virus which overwrites all the COM files in the current directory. It can erase the sectors of logical disks. It contains the text strings:
*.COM
Exterminator 1.0 - (c) by Cracker Jack 1991 (IVRL)
Italian Virus Research Laboratory (C) 1990,1991
Message to Virus Researchers:
Non rompetemi le palle o mi arrabbioall
non so se sono stato abbastanza chiaro.....
Exterminator Virus 1.0 (c) by Cracker Jack 1991 (IVRL)
No panic...this is a Harmless Virus...

Home