Virus Database


I-Worm.MyPics.a

Description I-Worm.MyPics.a

This is a virus-worm that spreads via the Internet by using MS Outlook. The worm itself is a Windows EXE file about 35 KB in length, written in Visual Basic. The worm is transferred in e-mail messages with an infected attachment, the EXE file "Pics4you.exe". The infected messages have no subject, and the message body contains the following text:
Here's some pictures for you !

The worm seems to be based on the Melissa macro-virus-worm - the functions and sequence of instructions in the worm code are very similar to the "Melissa" source code. It seems that this worm was compiled from a slightly modified "Melissa" source (see also I-Worm.BadAss worm description).
When an infected message is received and the attached EXE file is executed, the worm gains control, stays in Windows memory as the MYPICS application (visible in TaskList), and runs its infection and trigger routines.
The infection routine opens the Outlook database, obtains e-mail addresses from the Address Book, and sends infected messages to the addresses found. The worm does not send messages twice from the same computer. To avoid duplicate spreading, the worm creates a system registry key, and checks it upon each start:
HKEY_CURRENT_USER\Software\Microsoft\Office "jpgs2?" = "all by sfkwnty"

The worm also creates a copy of itself in the root of the C: drive with the name "C:\Pics4You.exe" and registers it in the auto-run section of the system registry:
SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Creative" = "C:\Pics4You.exe"
SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Windows\Run "Creative" = "C:\Pics4You.exe"

The worm also changes the default Web page by modifying the system registry key:
Software\Microsoft\Internet Explorer\Main
"Start Page" = http://www.geocities.com/SiliconValley/Vista/8279/index.html

The worm has a very dangerous payload routine. In 2000, it overwrites the C:\AUTOEXEC.BAT file with two commands that format the C: and D: drives. The worm also creates and runs the C:\CBIOS.COM file, which corrupts CMOS memory (erases the CMOS CRC field).
Other MyPics variants
There are several variants of this worm known at the moment:
"MyPics.b" aka "ICQ_Greetings"
"MyPics.c" aka "Video"

These worms are based on the original "MyPics", and they were very likely written using the same source code. The differences are as follows (the original "MyPics" texts are also included):
Infected message subject:
"MyPics.a": Here's some pictures for you !
"MyPics.b": Season's Greetings
"MyPics.c": Here's a digital video for you

The file name of the worm copy in the attachment and on the C: drive:
"MyPics.a": C:\Pics4You.exe
"MyPics.b": c:\Icq_Greetings.exe
"MyPics.c": C:\ip01.exe

Registry ID-key (HKEY_CURRENT_USER\Software\Microsoft\Office key):
"MyPics.a": "jpgs2?" = "... by sfkwnty"
"MyPics.b": "ppll1?" = "... by diejkdls"
"MyPics.c": "ppll1?" = "... by diejkdls"

The trigger routines are also different. "MyPics.b" resets the system settings:
"RegisteredOwner" = Mike Carmody
"RegisteredOrganization" = 2034 Langley Ct. Holloman Afb, NM 88330

"MyPics.b" in 2000 calls disk formatting instructions:
format d: /autotest /q /u
format e: /autotest /q /u
format a: /autotest /q /u
format f: /autotest /q /u
format u: /autotest /q /u
format b: /autotest /q /u

"MyPics.b" in 2000, and "MyPics.c" on the 17th of any month, delete all files matching the following masks:
c:\*.c*
d:\*.c*
c:\WinNt\System\*.c*
c:\WinNt4\System\*.c*
c:\Windows\System\*.c*
c:\WinNt\System\*.o*
c:\WinNt4\System\*.o*
c:\Windows\System\*.o*
c:\WinNt\*.i*
c:\WinNt4\*.i*
c:\Windows\*.i*
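
A defender-side check for the indicators listed above, as an added example that is not part of the original description: it parses a registry export (.reg text) and reports the MyPics infection marker and any auto-run entry that points at one of the listed file names. The function names, the sample export and its HKEY_LOCAL_MACHINE hive are constructed assumptions; the description does not say which hive holds the Run key, or whether the ".b" and ".c" variants register an auto-run entry at all.

```python
import re

# Indicators copied from the descriptions above.
MARKER_KEY = r"hkey_current_user\software\microsoft\office"
MARKERS = {"jpgs2?": ("by sfkwnty", ["MyPics.a"]),
           "ppll1?": ("by diejkdls", ["MyPics.b", "MyPics.c"])}
DROPPED = {"pics4you.exe": "MyPics.a", "icq_greetings.exe": "MyPics.b",
           "ip01.exe": "MyPics.c"}
# Assumption: the hive is not stated on the page, so match auto-run keys by suffix.
RUN_SUFFIXES = (r"\currentversion\run", r"\currentversion\windows\run")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    # .reg string data escapes backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Parse string values of a .reg export into {key: {name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := VALUE_RE.match(line)):
            current[unescape(m.group(1))] = unescape(m.group(2))
    return keys

def find_mypics(text):
    """Return (kind, key, value name, variants) for each indicator found."""
    findings = []
    for key, values in parse_reg(text).items():
        k = key.lower()
        for name, data in values.items():
            suffix, variants = MARKERS.get(name, (None, []))
            if k == MARKER_KEY and suffix and data.endswith(suffix):
                findings.append(("marker", key, name, variants))
            base = data.lower().rsplit("\\", 1)[-1]  # file name of the target
            if k.endswith(RUN_SUFFIXES) and base in DROPPED:
                findings.append(("autorun", key, name, [DROPPED[base]]))
    return findings

# Constructed sample export (not captured from a real system).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Office]
"jpgs2?"="all by sfkwnty"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative"="C:\\Pics4You.exe"
"SystemTray"="SysTray.Exe"
'''
```

Registry Editor writes version 5.00 exports as UTF-16, so decode the file before passing its text to find_mypics.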


Pieces.1374

Description Pieces.1374

This is a non-dangerous memory-resident parasitic virus. It hooks INT 9, 13h, 21h and writes itself to the end of EXE files that are executed or opened. Depending on the number of keys that were pressed, the virus displays the message:
One of these days I'm going to cut you into little pieces

Pieck.2016

Description Pieck.2016

This is a non-dangerous memory-resident multipartite virus. On execution it checks the DOS version, then infects the MBR and installs itself into memory under DOS 5.x and 6.x only. It hooks INT 12h, 13h, 1Ch, 21h and writes itself to the end of EXE files that are executed or opened.
On March 3rd it displays the message "Podaj haslo ?", waits for the entry "pieck", and displays "Pozdrowienia dla wychowankow Pieck'a." if "pieck" is entered; otherwise it displays "Blad !".

    Copyright © 2005 Virus-Database.com