Virus Database


I-Worm.Music

Description I-Worm.Music

This is an Internet worm written in Visual Basic. It is a three-component Windows EXE file that spreads via e-mail. The worm has an entertaining payload to hide its main activity: it displays a Christmas scene and plays a tune. The infected message's Subject and Text are:
Subject: Testing to send file
Text: Hi, just testing email using Merry Christmas music file, not bad music.
or:
Text: Hi, just testing email using Merry Christmas music file, you'll like it.
The worm has three components: Dropper, Sender and WinSock library.
1. The Dropper is sent attached to e-mails. When run, it copies itself to the Windows system directory as SYSMCM.EXE and registers itself in the auto-run registry key. It also plays a tune and displays pictures to hide its activity.
This component doesn't send any messages. To spread further, the worm connects to Internet sites, obtains the rest of its components from there, and copies them to the Windows directory under the names SYSDRV.EXE and SYSTMP.DLL.
2. The second component (Sender) is obtained from an Internet site and copied to the Windows system directory. It then obtains e-mail addresses from the Windows Address Book and sends infected messages (with the Dropper attached) to them.
3. The WinSock library is a standard MS Visual Studio DLL that is used to access Windows sockets.
The worm is able to upgrade its components from an Internet site: it downloads three files from there (that are supposed to be its plugins), detects their versions, and if these versions are newer than those currently used, the worm replaces its components with the new ones. So the worm is able to change its functionality depending on its author's needs.
The worm creates a new registry key to run itself upon each Windows startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SysDrv = %SystemDir%\sysmcm.exe
It also creates one more key where it stores its internal data:
HKLM\Software\Microsoft\MCM
FirstRun
LastRun
RunMCM
Status
SMTP
Version = 001111
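
As an added example (not part of the original description and not any vendor's tool), the following Python code checks a regedit text export and a directory listing for the I-Worm.Music traces listed above. The sample export, the sample file list, the "Status" data and the function names are constructed for illustration.

```python
import re

# Indicators below come from the I-Worm.Music description on this page.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
DATA_KEY = r"hkey_local_machine\software\microsoft\mcm"
DROPPED_FILES = {"sysmcm.exe", "sysdrv.exe", "systmp.dll"}

# Constructed sample input (not captured from a real system).
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"SysDrv"="C:\\WINDOWS\\SYSTEM\\sysmcm.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\MCM]
"Version"="001111"
"Status"="1"
'''
SAMPLE_FILES = ["KERNEL32.DLL", "SYSMCM.EXE", "SYSTMP.DLL"]

VALUE_RE = re.compile(r'^"([^"]*)"="(.*)"$')

def parse_reg_export(text):
    """Parse regedit export text into {key: {value_name: data}}, names lower-cased."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            # .reg files escape backslashes in string data; undo that.
            current[m.group(1).lower()] = m.group(2).replace("\\\\", "\\")
    return keys

def find_indicators(reg_text, file_names):
    """Return (kind, detail) tuples for each I-Worm.Music trace found."""
    keys, hits = parse_reg_export(reg_text), []
    target = keys.get(RUN_KEY, {}).get("sysdrv", "")
    if target.lower().rsplit("\\", 1)[-1] == "sysmcm.exe":
        hits.append(("autorun", target))
    if DATA_KEY in keys:
        hits.append(("data-key", ",".join(sorted(keys[DATA_KEY]))))
    hits += [("file", n.lower()) for n in file_names if n.lower() in DROPPED_FILES]
    return hits

if __name__ == "__main__":
    for kind, detail in find_indicators(SAMPLE_REG, SAMPLE_FILES):
        print(kind, detail)
```

Because the worm can replace its components from an Internet site, an empty result is not proof that a machine is clean.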


Christmas.1539.a

Description Christmas.1539.a

This virus is not memory-resident, is very dangerous and is encrypted. It goes through the directories listed in the "PATH=" variable and infects the .COM files it finds there (except IBMBIO.COM and IBMDOS.COM). The virus writes itself to the beginning of the file. On April 1st, it writes a small program into the MBR of the hard disk and into the boot sectors of floppies. Upon reboot, this routine displays the following text: "April, April all". From the 24th to the 31st of December, it displays a Christmas tree and the following text in German:

***
*****
*******
*********
***********
*************
***************
*****************
*******************
*********************
***********************
*************************
***************************
*****************************
___
___
___
-----------------------------------------------------------
Und er lebt doch noch : Der Tannenbaum !
Frohe Weihnachten ...

Christmas.1694

Description Christmas.1694

Christmas.1694 is a benign memory-resident parasitic virus. It hooks INT 21h and writes itself to the end of EXE files that are executed. From November 24th to the 26th, it also hooks INT 8 (timer), and then displays the following message and plays a tune:
Merry Christmas and happy new year ! Written from Tamsui Oxford college.

    Copyright © 2005 Virus-Database.com