Virus Database


I-worm.Mydoom.ab

Description I-worm.Mydoom.ab

Mydoom.ab is another Mydoom.a variant. It spreads as an attachment to infected email messages. The worm sends copies of itself to all addresses in the local address book.
Mydoom.ab is a Windows PE EXE file about 32 KB in size, packed with UPX.
Installation
Upon installation, Mydoom.ab creates a file named lsasrv.exe in the Windows system folder and adds the following value to the registry so that the file is run at startup:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"lsass" = "%System%\lsasrv.exe"
The worm also creates a file named version.ini in the Windows system folder.
Other
Mydoom.ab attempts to block the operation of a number of firewalls.


BootExe.331

Description BootExe.331

This is a harmless memory-resident virus that hooks INT 13h and writes itself into EXE files and the boot sectors of disks. The boot sector of the hard disk is infected when an infected file is started; the boot sectors of floppies are infected when they are read. The original boot sector is saved on the hard disk at location 0/0/11 (head/track/sector) and on a floppy at location 1/0/3.
EXE files are infected in quite an original way: the virus analyzes the data read from the disk (INT 13h). If a sector read from the disk contains an EXE file header (the first two bytes are 'MZ' and some other conditions are also met), the virus writes itself into the empty space in this header and saves the modified sector to the disk. This means that: a) an infected file keeps the same length; b) the virus has no need to handle file attributes, the file creation time or fatal errors (INT 24h). The virus doesn't manifest itself in any observable way.

BootExe.Stalker.310

Description BootExe.Stalker.310

This is a harmless memory-resident virus that hooks INT 13h and infects the MBR of the hard drive. After the hard drive is infected, the computer hangs. After booting from the infected hard drive, the virus starts to infect EXE files.
EXE files are infected in quite an original way: the virus analyzes the data read from the disk (INT 13h). If a sector read from the disk contains an EXE file header (the first two bytes are 'MZ' and some other conditions are also met), the virus writes itself into the empty space in this header and saves the modified sector to the disk. This means that: a) an infected file keeps the same length; b) the virus has no need to handle file attributes, the file creation time or fatal errors (INT 24h). The virus doesn't manifest itself in any observable way.
It contains the encrypted string:
*Stalker*
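
Because the header infection described for BootExe.331 and BootExe.Stalker.310 leaves the file length unchanged, a size comparison cannot reveal it, but the normally empty space in the MZ header can be inspected. The following is an added example, not part of the original descriptions: a heuristic check whose function names, 64-byte threshold and sample data are assumptions made for illustration.

```python
import struct

MZ_FIXED = 0x1C  # size of the fixed fields of a DOS MZ header


def header_slack(data):
    """Return (start, end) of the unused part of the MZ header, or None."""
    if len(data) < MZ_FIXED or data[:2] not in (b"MZ", b"ZM"):
        return None
    e_crlc, e_cparhdr = struct.unpack_from("<HH", data, 6)  # reloc count, header paragraphs
    (e_lfarlc,) = struct.unpack_from("<H", data, 0x18)      # relocation table offset
    end = e_cparhdr * 16
    start = max(MZ_FIXED, e_lfarlc + 4 * e_crlc)            # end of relocation table
    if end > len(data) or start > end:
        return None                                         # truncated or malformed
    return start, end


def check_header(data, threshold=64):
    """Heuristic: many non-zero bytes in header slack deserve a closer look.

    The threshold is an assumed value; some linkers store small amounts of
    data in the header, so a hit is a lead for analysis, not a verdict.
    """
    span = header_slack(data)
    if span is None:
        return None
    used = [i for i in range(*span) if data[i]]
    return {"slack": span, "nonzero": len(used),
            "first": used[0] if used else None,
            "suspicious": len(used) >= threshold}


def make_sample(filler=b""):
    """Constructed test file: 512-byte header, one relocation, dummy body."""
    hdr = bytearray(512)
    # e_magic, e_cblp, e_cp, e_crlc, e_cparhdr
    struct.pack_into("<2sHHHH", hdr, 0, b"MZ", 0, 2, 1, 32)
    struct.pack_into("<H", hdr, 0x18, MZ_FIXED)
    hdr[0x40:0x40 + len(filler)] = filler  # constructed filler, not real virus code
    return bytes(hdr) + b"\xC3" * 512


if __name__ == "__main__":
    clean = make_sample()
    modified = make_sample(b"\xAA" * 300)
    print(len(clean) == len(modified))  # identical length
    print(check_header(clean))
    print(check_header(modified))
```

On files with a new-format (for example PE) header, the DOS header is only 0x40 bytes long and the slack region computed here is normally empty, so the check applies to plain DOS executables.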


    Copyright © 2005 Virus-Database.com