Virus Database


I-Worm.Myparty

Description I-Worm.Myparty

This is a virus-worm that spreads via the Internet attached to infected e-mail. The worm itself is a Windows PE EXE file about 30Kb in length (compressed by UPX, 76K decompressed), and it is written in Microsoft Visual C++.
Infected messages appear as follows:

The worm activates from infected e-mail only when a user double-clicks on the attached file. The worm then installs itself to the system and runs a spreading routine.
Installing
While installing, the worm copies itself to:
c:\regctrl.exe - under Win9x/ME
c:\recycled\regctrl.exe - under WinNT/2K/XP

and spawns this copy. When the worm's file name is not ".com" (as in the attachment), but rather ".exe" (the worm is re-named), it also opens the Web page "http://www.disney.com".
The original file (as it was run from an infected e-mail) is moved to the Recycled or Recycler directory with one of the following names:
C:\RECYCLER\F-%1-%2-%3
C:\RECYCLED\F-%1-%2-%3

where %1, %2, %3 are randomly selected numbers, for example:
F-12158-19044-21300
F-27729-23255-31008

While installing, the worm checks the installed keyboard layouts, and when there is Russian keyboard support, the worm copies itself to Recycled/Recycler in the same way and exits. It does the same on any date except 25-29 January 2002.
As a result, the worm works only from 25 until 29 January 2002, and only on machines without Russian keyboard support.
Spreading
To send infected messages, the worm uses a direct SMTP connection to an e-mail server. To obtain a victim's e-mail addresses, the worm scans WAB files (Windows Address Book) and *.DBX files (Outlook Express).
The worm also sends one e-mail (without an attachment) to "napster@gala.net".
Backdoor
Under WinNT/2000/all the worm also creates a new file in a user's auto-run directory:
%Userprofile%\Start Menu\Programs\Startup\msstask.exe
and writes a backdoor program there. This backdoor is run by data stored in a file at the Web site "http://209.151.250.170".
Known Variants
Myparty.b
This one is a slightly modified 'a' version. The differences are:
The attached file name is "myparty.photos.yahoo.com".
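A triage check for the on-disk artifacts described above, added here as an example and not taken from the original description: it classifies paths from a file listing as the installed copy, the moved original (F-%1-%2-%3) or the Startup backdoor. The function names and the sample listing are constructed for illustration; the matched names and locations are the ones given in the text.

```python
import re
from pathlib import PureWindowsPath

# Moved original: F-%1-%2-%3, where %1..%3 are random numbers.
MOVED_NAME = re.compile(r"F-\d+-\d+-\d+", re.IGNORECASE)
RECYCLE_DIRS = {"recycled", "recycler"}
STARTUP = ["start menu", "programs", "startup"]


def classify(path):
    """Return a label if the path matches a Myparty artifact, else None."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    # Directory components between the drive root and the file name.
    dirs = [d.lower() for d in p.parts[1:-1]]

    # Installed copy: drive root (Win9x/ME) or \recycled (WinNT/2K/XP).
    if name == "regctrl.exe" and dirs in ([], ["recycled"]):
        return "installed copy"
    # Original attachment moved into Recycled/Recycler under a numeric name.
    if dirs[:1] and dirs[0] in RECYCLE_DIRS and MOVED_NAME.fullmatch(p.name):
        return "moved original"
    # Backdoor written to a user's Startup folder.
    if name == "msstask.exe" and dirs[-3:] == STARTUP:
        return "backdoor"
    return None


def scan(paths):
    """Map each matching path in a listing to its artifact label."""
    return {p: label for p in paths if (label := classify(p))}


# Constructed sample listing (not from a real system).
SAMPLE_LISTING = [
    r"C:\regctrl.exe",
    r"C:\RECYCLER\F-12158-19044-21300",
    r"C:\Documents and Settings\user\Start Menu\Programs\Startup\msstask.exe",
    r"C:\RECYCLED\INFO2",                # normal recycle-bin index file
    r"C:\WINNT\system32\mstask.exe",     # different name, not a match
    r"D:\tools\regctrl.exe",             # same name, wrong location
]

if __name__ == "__main__":
    for path, label in scan(SAMPLE_LISTING).items():
        print(f"{label:15} {path}")
```
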


IRC-Worm.Claw.2513

Description IRC-Worm.Claw.2513

This is a very dangerous memory-resident, encrypted, parasitic virus. It hooks INT 21h and writes itself to the end of COM and EXE files when they are accessed. Then it looks for COM and EXE files in the current directory and infects them. The virus also creates a hidden file in the root directory of the C: drive, writes a copy of itself there, and adds an instruction to AUTOEXEC.BAT to execute this file. The virus then infects WIN.COM and COMMAND.COM in the Windows directory.
To infect mIRC and spread via IRC channels, the virus creates two files in the C:\MIRC directory: the MIRC_SYS.INI virus script file and the DOS COM virus dropper CYBER.COM. Then it patches the MIRC.INI file with an instruction to load the infected MIRC_SYS.INI file on IRC client start-up. The virus script switches off mIRC security (warning messages) and sends the virus dropper into the IRC channel at the moment a user disconnects from the channel.
On September 1st, depending on a random value, the virus erases the FLASH BIOS. To do this, the virus calls extended BIOS functions.
When the virus dropper starts, it displays the text:
Clawfinger

The virus also contains encrypted strings:
Do you know how it feels to be down in the dirt with a bullet
in yer breast and blood on yer shirt Lying in a bloodpool down
in a pit covered with the corpse and the blood and the shit
How does it feel to have a gun at yer head when ya know that
you'd be much better off dead Freedom has a price and that price
is blood so chase the motherfucker right down in da mud
[ WARFAIR - CLAWFINGER ]

IRC-Worm.Crack.a

Description IRC-Worm.Crack.a

This is a silly IRC worm that spreads through IRC channels by using the mIRC client. The worm itself is a Win32 executable file about 3K in length (it is a compressed executable; decompressed, it is about 10K in size).
When the worm file is run, it copies itself to the Windows directory under the name CRACK.EXE and affects the mIRC client. The worm looks for the mIRC client in two directories:
C:\MIRC
D:\MIRC
While affecting the client, the worm overwrites the SCRIPT.INI file with a set of commands that send the CRACK.EXE file (the worm code) to users who join an infected channel.
On connecting to an IRC server, the SCRIPT.INI file also joins the "vxers" and "cservice" channels and sends the following messages there:
To "vxers":
I'm wide awake in my kitchen, it's dark and I'm lonely, oh if I could
only get some sleep.. Creeky noises make my skin creep. I need to get
some sleep.. I can't get no sleepall.
To "cservice":
PLEASE join #vxers, and visit http://www.shadowvx.com/4Q and
http://www.shadowvx.com/fun4vxers .. We're the best!

    Copyright © 2005 Virus-Database.com