Virus Database


I-Worm.Merkur

Description I-Worm.Merkur

This is a worm that spreads via the Internet as an attachment to infected emails, through P2P networks and over IRC channels. The worm itself is a Windows PE EXE file about 45Kb in length, written in Visual Basic.
The infected messages have the following fields:
Subject: Update your Anti-virus Software

Attachment (randomly selected from three variants):
AVupdate.exe
taskman.exe
uninstall.exe

Body:
Here is a patch for your AV software, it will cover all the latest out breaks of worms ect
(worms as in virus not earth worms! lol)

The worm activates from an infected email only if the user clicks on the attached file. The worm then installs itself to the system and runs its spreading routine.

Installing
While installing, the worm copies itself to the system under the following names:
c:\WINDOWS\taskman.exe
c:\AutoExec.exe
c:\Windows\System\AVupdate.exe
c:\Program Files\uninstall.exe
c:\Windows\Notepad.exe
c:\windows\screensaver.exe

The "AVUpdate.exe" copy is then registered in the system registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
AVupdate = c:\Windows\System\AVupdate.exe

All directory names are hardcoded in the worm body, so it fails to copy itself and infect the system if directories such as "C:\Windows" do not exist.

Spreading: Email
To get victim email addresses, the worm connects to MS Outlook and sends messages to all addresses found in the Outlook address book.

Spreading: IRC
The worm creates new "c:\mIRC\script.ini" and "c:\mIRC\Program Files\script.ini" files and writes IRC commands to them that send the following message to anybody who joins an infected channel:
Hi want a cool screen saver?

and then send a copy of the worm under the name "screensaver.exe".

Spreading: P2P
To spread through P2P networks, the worm copies itself into the following Kazaa, eDonkey and BearShare directories:
c:\program files\kazaa\my shared folder\IPspoofer.exe
c:\program files\bearshare\shared\IPspoofer.exe
c:\program files\eDonkey2000\incoming\IPspoofer.exe
c:\program files\kazaa\my shared folder\Virtual Sex Simulator.exe
c:\program files\bearshare\shared\Virtual Sex Simulator.exe
c:\program files\eDonkey2000\incoming\Virtual Sex Simulator.exe

Trojan Routine
The worm also has a trojan routine that deletes all files matching:
*.jpg, *.mpg, *.bmp, *.avi
in the directories:
C:\Program Files\Kazaa\My Shared Folder
c:\program files\bearshare\shared
c:\program files\eDonkey2000\incoming
To do that, the worm writes the trojan commands to the DOS batch file c:\pr0n.bat, executes it, and then deletes it.

Other
The worm displays message boxes:
on December 31st:
Win32.mercury@mm
allSaving the world before bed time...

on February 16th:

Win32.mercury@mm
...Win32.mercury Coded by Industry @ ANVXgroup...

on April 2nd:
Win32.mercury@mm
...Shout out to Every one @ Indovirus...
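
A triage check built on the drop locations listed under Installing and Spreading: P2P (an added example, not part of the original description). It assumes the copies are byte-identical, so the same content under two or more of these names is the indicator; a name alone is not, since Windows ships its own Notepad.exe. Paths are written with backslashes restored and relative to a mounted C: root, and build_sample creates a constructed test tree.

```python
import hashlib
import sys
from collections import defaultdict
from pathlib import Path

# Drop locations from the description, relative to the root of drive C:.
DROP_PATHS = [
    "WINDOWS/taskman.exe", "AutoExec.exe", "Windows/System/AVupdate.exe",
    "Program Files/uninstall.exe", "Windows/Notepad.exe", "windows/screensaver.exe",
] + [
    f"program files/{share}/{name}"
    for share in ("kazaa/my shared folder", "bearshare/shared", "eDonkey2000/incoming")
    for name in ("IPspoofer.exe", "Virtual Sex Simulator.exe")
]

def resolve_ci(base, parts):
    """Return files matching parts under base, ignoring case as Windows does."""
    if not parts:
        return [base] if base.is_file() else []
    if not base.is_dir():
        return []
    hits = []
    for child in base.iterdir():
        if child.name.lower() == parts[0].lower():
            hits += resolve_ci(child, parts[1:])
    return hits

def find_worm_copies(root):
    """Map SHA-256 -> drop paths, for content present at two or more drop paths."""
    by_hash = defaultdict(set)
    for rel in DROP_PATHS:
        for path in resolve_ci(Path(root), rel.split("/")):
            by_hash[hashlib.sha256(path.read_bytes()).hexdigest()].add(rel)
    return {h: sorted(p) for h, p in by_hash.items() if len(p) > 1}

def build_sample(root):
    """Constructed sample tree: three identical drops and a different Notepad.exe."""
    files = {"WINDOWS/taskman.exe": b"constructed-sample",
             "WINDOWS/System/AVupdate.exe": b"constructed-sample",
             "WINDOWS/screensaver.exe": b"constructed-sample",
             "WINDOWS/notepad.exe": b"constructed-clean-notepad"}
    for rel, data in files.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)

if __name__ == "__main__":  # usage: script.py <path to mounted C: root>
    print(find_worm_copies(sys.argv[1]))
```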


Neko.1990

Description Neko.1990

This is a memory resident parasitic polymorphic virus. It traces INT 13h and 21h, hooks INT 21h and writes itself to the end of EXE files that are executed. On Tuesdays it overwrites files with a program that, when executed, displays:
Hi! My name is Neko.
It is a Japan name.
When you see me , please do not worry.
New i am a very kind and cute virus.
I only kill your this file.
But next time i will kill you all.
I will be com back and become fierce.
Neko version 1.0

Neko.2697

Description Neko.2697

This is a memory resident parasitic polymorphic virus. It traces INT 13h and 21h, hooks INT 21h and writes itself to the end of EXE files that are executed. On Tuesdays it displays the following:
Dear Mrs.Grandy:
Aloha!
It is me,Neko again! This is the lastest version 2.0
Undoubtedly,I am not what I was.
Let me tell you something about my improvement.
I work with the Antilogic Engine I.
It is a new invention.So,
Showtime! Neko version 2.0
Made by Metal Satan

    Copyright © 2005 Virus-Database.com