Virus Database

I-Worm.Peach

Description I-Worm.Peach

This internet worm spreads via e-mail messages and sends itself from infected PCs when it is activated. It uses Microsoft Outlook mailing system for sending itself to recipients, whose e-mails are stored in Outlook Address Book.
The worm is written in Visual Basic Script (VBS) programming language. It works only under operating systems with Windows Scripting Host installed (WSH is installed by default in Windows 98 and Windows 2000).
The worm uses a PDF file as a host. The virus code is included in that file as an embedded object, and the worm can be activated only manually.
When a PDF file is opened by the Adobe Acrobat program, (the worm doesn't work in Acrobat Reader), a user is offered to play a simple game, which is stored in an embedded object.
After the embedded object is activated, the Adobe Acrobat (http://www.adobe.com/acrobat) program extracts VBS code, writes it to a tempopary folder and launches it.
The virus code creates a JPG file on a disk and shows it using Internet Explorer.
Then, the worm tries to find its host PDF file on the disk, and if it finds the file, sends it to recipients specified in Outlook Address Book.
For sending itself, the worm randomly chooses an attachment name, message subject and body.
The message subject can contain the following strings:
"You have one minute to find the peach"
"Find the peach"
"Find"
"Peach"
"Joke"
The subject can also contain the "FW:" prefix and an exclamation mark at the end of it.
The message body is assembled from the following sentences:
"Try finding the peach"
"Try this"
"Interesting search"
"I don't usually send this things, butall"
The attachment name may be the following:
"find.pdf"
"peach.pdf"
"find the peach.pdf"
"find_the_peach.pdf"
"joke.pdf"
"search.pdf"
The worm uses a very complex algorithm for sending itself, sometimes resulting in the worm not sending itself at all.

Check other viruses! Be aware! Use Antiviral Software

Macro.Word.Hikmat

Description Macro.Word.Hikmat

This is an encrypted macro virus. It contains two original macros that have different names in infected documents and NORMAL.DOT:
Documents NORMAL.DOT
AutoOpen FileSave
FileSaveAs FileSaveAs

The virus infects the system and documents on opening and saving files. It creates a new variable in infected documents:
Dzutaqshiri = (c)Hikmat Sudrajat, Bandung, April 1996

In some cases (on error while infecting a document?) it prints the message to the status line:
This command is not available because a document window is not active

Macro.Word.Hilight

Description Macro.Word.Hilight

This is an encrypted macro virus. It contains two macros that have different names in documents and NORMAL.DOT:
Documents NORMAL.DOT
AutoOpen AutoExec
PrezentIt FileSaveAs

The virus infects the system on AutoOpen call and writes itself to documents on FileSaveAs call. The virus creates a counter in system profiles (WIN.INI) file:
[WINDOWS]
Count=0

The virus increases this counter on each AutoExec, and when the counter reaches 10, the virus changes the Windows palette colors.

Home