Virus Database

I-Worm.Pepex.a

Description I-Worm.Pepex.a
"Pepex" is a worm virus spreading via the Internet as an attachment to infected emails and also through the Kazaa network and IRC channels.
The worm itself is a Windows PE EXE file about 32KB in length (when compressed by UPX, the decompressed size is about 80KB). "Pepex" is written in Microsoft Visual C++.
Infected messages have the following message field attributes:
From: "Microsoft" < information@microsoft.com >
Reply-To: "Microsoft" < microsoft@microsoft.com >
Subject: Internet Explorer vulnerability patch
Body: You will find all you need in the attachment.
Attach: setup.exe

The worm activates from infected emails only when a user clicks on the attached file. 'Pepex' then installs itself to the system and runs its spreading routines.
Installing
While installing, the worm copies itself to the Windows system directory with the winsys???.exe name (where '???' is a random three-digit number) and registers this file in the system registry auto-run key:
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun
Windows task32 sys = %SystemDir%winsys???.exe

Above, %SystemDir% represents the Windows System directory path.
The worm then creates a ZIP archive with its "winsys???.exe" copy inside. The archive is created with the help of the WinZip32 utility (if it is installed). The archive name is "win32sys???.zip" (where '???' is the same random number). This archive is used later to spread through IRC channels.
The worm also creates a system registry key to mark already infected systems:
HKEY_LOCAL_MACHINESoftwareRedCell
infected = yes
The worm also looks for active processes that have "AV" or "av" letters in their names (anti-virus programs) and tries to terminate them.
Spreading: EMail

To send infected messages the worm uses a direct connection to an SMTP server (if it is registered), or to the "smtp.barrysworld.com" server. To get victim emails the worm scans files with the ".htm" extension in the "Temporary Internet Files" directory. While spreading the worm also creates a file named C:Msbootlog.sys to where its MIME encoded copy is written.
Spreading: IRC

The worm creates the SCRIPT.INI file in mIRC directory and writes a command to it. This command sends infected "win32sys???.zip" file (see above) to IRC users that join infected channel.
Spreading: Kazaa

The worm copies itself to Kazaa directory with a randomly selected name:
icq2002.exe
wincrack.exe mirc6.exe

Other
After installation the worm displays a fake error message:

Check other viruses! Be aware! Use Antiviral Software

Macro.Word97.Wnw

Description Macro.Word97.Wnw

This macro virus contains seven macros and functions in single module "WNW": AutoExec, AutoOpen, FileSaveAs, WNWP, FileTemplates, ToolsMacro, ViewVBCode. The virus infects the global macros area on opening an infected document. Other documents get infected on opening or saving with a new name.
On Saturdays and Sundays, the virus displays the warning messages:
On est Samedi, aujourd'hui
Je ne travaillerai pasall
On est Dimanche, aujourd'hui
Je ne travaillerai pas...

Depending on the number of such messages, the virus performs several destructive operations (see below). The counter of these messages is stored in the WINWORD8.INI file in the [WNW] section in the Total item.
On the 10th message, the virus displays the MessageBox:
Virus WNW
Vous jouez avec le feu...

and deletes the files: C:WINDOWSBUREAU*.LNK and C:WINDOWSMENU DãMARRER*.*
On the 20th message, the virus displays the MessageBox:
Virus WNW
Je vous avais prÊvenu...

and deletes the files:
C:Windows*.ini
C:Autoexec.bat
C:Config.sys
C:Msdos.sys
C:Io.sys

On the 30th message, the virus displays the MessageBox:
Virus WNW
Vous l'aurez voulu!!!!

and formats the C: drive.
On these days, the virus, depending on the system random counter, also either displays the MessageBox:
Virus WNW
Au revoir...

or draws the text in the header line of Word window:
Je ne veux pas travailler ce weekend, donc, je vais vous en empËcher...

Macro.Word97.Xute

Description Macro.Word97.Xute

The virus contains one macro "AutoClose" in module "Xute". It replicates on closing documents by exporting/importing its code through the C:XUTE.DAT file. On July 26th, or if the sum of the day and month numbers is equal to 30, the virus executes the file deleting command "DELTREE /Y *.*".
All text constants (export file name, DELTREE command etc.) are stored in the virus code in encrypted form. In case of need, the virus decrypts and uses them.

Home