Virus Database


I-Worm.Matcher

Description I-Worm.Matcher

This is an Internet worm that spreads via e-mail as an attached EXE file. The worm itself is a Win32 executable file about 30Kb in length, written in Visual Basic.
The worm seems to be based on the "Melissa" macro-virus worm: the functions and the sequence of instructions in the worm code are very similar to the "Melissa" source code. It seems that this worm was compiled from a slightly modified "Melissa" source.
When the worm EXE file is run from an attachment, it sends infected messages and registers itself in the system so that it runs each time Windows starts up.
To spread from an infected computer, the worm uses MS Outlook: it obtains addresses from the MS Outlook Address Book and sends messages to them.
The message Subject, Body and Attachment are as follows:
Subject: Matcher
Body: Want to find your love mates!!! Try this its coolall Looks and Attitude Maching to opposite sex.
Attach: matcher.exe

To install itself into the system, the worm copies itself to the Windows system directory under the name MATCHER.EXE and registers this file in the Windows registry auto-run section:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
%SystemDir%\matcher.exe
where %SystemDir% is the name of the Windows system directory.
The worm also adds the following commands to the end of C:\AUTOEXEC.BAT:
@echo off
echo from: Bugger
pause
These commands display the "from: Bugger" message when the system boots and processes AUTOEXEC.BAT.
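
A defender-side check for the two persistence traces described above, as an added example that is not part of the original description: it parses a .reg export and the text of AUTOEXEC.BAT. The sample inputs, the `C:\WINDOWS\SYSTEM` path and the value name `Example` are constructed assumptions; the description does not give the name of the Run value, so the check matches on the file name only.

```python
import re

# Indicators taken from the description above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
DROPPED = re.compile(r'(?:^|\\)matcher\.exe(?:$|["\s])', re.IGNORECASE)
AUTOEXEC_BLOCK = ["@echo off", "echo from: bugger", "pause"]  # lower-cased
REG_LINE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"')

def run_key_values(reg_text):
    """Return {value name: string data} for the HKLM Run key of a .reg export."""
    values, in_key = {}, False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == RUN_KEY.lower()
            continue
        m = REG_LINE.fullmatch(line)
        if in_key and m:
            # .reg files escape backslashes and quotes with a backslash.
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            values[name] = data
    return values

def matcher_indicators(reg_text, autoexec_text):
    """List the I-Worm.Matcher persistence traces found in the two inputs."""
    findings = [("run-key", name, data)
                for name, data in run_key_values(reg_text).items()
                if DROPPED.search(data)]
    # Compare whitespace-normalised, lower-cased, non-empty lines.
    lines = [" ".join(ln.split()).lower()
             for ln in autoexec_text.splitlines() if ln.strip()]
    n = len(AUTOEXEC_BLOCK)
    if any(lines[i:i + n] == AUTOEXEC_BLOCK for i in range(len(lines) - n + 1)):
        findings.append(("autoexec", "from: Bugger block"))
    return findings

# Constructed sample inputs (not taken from a real system).
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Example"="C:\\WINDOWS\\SYSTEM\\matcher.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Other"="C:\\TOOLS\\matcher.exe"
'''
SAMPLE_AUTOEXEC = "SET PATH=C:\\WINDOWS\n@echo off\necho from: Bugger\npause\n"

if __name__ == "__main__":
    for finding in matcher_indicators(SAMPLE_REG, SAMPLE_AUTOEXEC):
        print(finding)
```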


Macro.Word.Illiteral

Description Macro.Word.Illiteral

This is an encrypted Word macro virus. It contains three macros in documents and four macros in NORMAL.DOT: AutoOpen, Nod(AutoClose), Tiberium(FileTemplates, ToolsMacro).
The virus infects the global macros area (NORMAL.DOT) on opening an infected document and writes itself to documents that are closed.
On Sundays, and whenever the Tools/Macro menu is entered, the virus sets a document password that depends on the current time. It then displays the dialog boxes:
Brotherhood of NOD
User error !!, replace User !!
Enter new user name here:
If User name not fill, your data will be delete !
Brotherhood of NOD
Okay
We need to restart Word First

Then the virus writes the following text to the C:\WINDOWS\NOD.INI file:
/----------------------------------------------------------
|Virus name: Brotherhood Of NOD |
|Origin : Indonesia, Yogyakarta |
|Author : Foxz NoMercy Members |
|URL : http://www.geocities.com/ResearchTriangle/3996 |
----------------------------------------------------------/
Dear <User>,all
You was distrub this virus! please dont doit again
Password For <filename> = <password>
I'm fair !!, I let you know the password for
Your document. Peace!! and Unity!!
--><--><--><--><--><--><--><--><--><--><--><--><--><--><--

Macro.Word.Imposter

Description Macro.Word.Imposter

This virus is plagiarized from "Word.Macro.Concept" and "Word.Macro.DMV". It contains two macros:
in infected document: AutoClose, DMV
in infected NORMAL.DOT: FileSaveAs, DMV

When infecting the system, the virus receives control in the document's AutoClose macro, renames the DMV macro to FileSaveAs, and then renames AutoClose to DMV. When infecting files (via FileSaveAs), it renames these macros back: DMV -> AutoClose, FileSaveAs -> DMV.
While infecting documents, the virus displays the MessageBox:
DMV

One of the strings in the virus body reads as follows:
just to prove another point

    Copyright © 2005 Virus-Database.com