Virus Database


I-Worm.PIF.Fable

Description I-Worm.PIF.Fable

This is the first known Internet worm that is executed as a PIF file (Windows Program Information File). The worm body is a standard Windows PIF file, but with a special routine embedded inside it.
In infected systems, the worm can be found in three different forms:
- as a PIF file itself
- as a DOS BAT file spreading on a local computer
- as an INI script to spread through IRC channels
All three of these components are the same file, but with different names and extensions. The system processes them in different ways (as a PIF file, as a DOS batch program, as a mIRC script), so their functionality is different.
The worm also drops a helper VBS script file to spread by e-mail.
After running, the FABLE.PIF worm file makes two copies of itself with the names C:\TEST.BAT and %WinDir%\BackUp570.pif. It then runs C:\TEST.BAT, which is executed as a DOS batch file. This batch file makes several more copies in different directories and with different names. There are more than 30 files, for example:
%WinDir%\Command\MS_Dos_Prompt.pif
%WinDir%\MS_Dos_Prompt.pif
%WinDir%\Game.pif
%WinDir%\MrBat.bat
%WinDir%\Plans.bat
%WinDir%\Tasks\Default.bat
Some of these files have the attributes "Hidden" and "Read-Only." Separately, the worm creates INI files for mIRC clients and VBS-script files:
%WinDir%\Blah.vbs
%WinDir%\Blah2.vbs
C:\mIRC\Script.ini
C:\Program Files\Script.ini
The INI file is used for spreading through IRC channels. The VBS script creates the WINSTART.BAT file in the Windows directory, containing commands that run a copy of the worm when the operating system starts. After that, the script uses the Outlook API to create and send a message to every recipient in the Address Book. The message has a subject chosen at random from the following texts:
Fable
Something You Should Read
Very Important That You Receive This
The body of the message consists of one of two phrases:
A nice little fable
Wanted to make sure you received this
The FABLE.PIF file is attached to every message.
After the messages have been sent, the worm outputs the following text message:
The Grasshopper and the Owl
An Owl, accustomed to feed at night and to sleep during the day, was greatly disturbed by the noise of a Grasshopper and earnestly besought her to stop chirping. The Grasshopper refused to desist, and chirped louder and louder the more the Owl entreated. When she saw that she could get no redress and that her words were despised, the Owl attacked the chatterer by a stratagem. "Since I cannot sleep," she said, "on account of your song which, believe me, is sweet as the lyre of Apollo, I shall indulge myself in drinking some nectar which Pallas lately gave me. If you do not dislike it, come to me and we will drink it together." The Grasshopper, who was thirsty, and pleased with the praise of her voice, eagerly flew up. The Owl came forth from her hollow, seized her, and put her to death.
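
Because the description says the PIF, BAT and INI components are one and the same file under different names and extensions, a triage pass can look for byte-identical files that span those extensions. The script below is an added example, not part of the original description or any vendor tool; the function names are hypothetical and the sample files it builds are constructed placeholders.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Extensions under which the description says the single worm file is stored.
SUSPECT_EXTS = {".pif", ".bat", ".ini"}

def sha256_of(path):
    # PIF/BAT/INI files are small, so reading them whole is acceptable here.
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def find_multi_extension_clones(root, min_exts=2):
    """Return groups of byte-identical files seen under >= min_exts suspect extensions."""
    by_size = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in SUSPECT_EXTS:
                path = os.path.join(dirpath, name)
                try:
                    by_size[os.path.getsize(path)].append(path)
                except OSError:
                    continue  # file vanished or is unreadable; skip it
    groups = []
    for size, paths in by_size.items():
        if size == 0 or len(paths) < 2:
            continue  # only hash files that share a non-zero size
        by_hash = defaultdict(list)
        for p in paths:
            try:
                by_hash[sha256_of(p)].append(p)
            except OSError:
                continue
        for digest, same in by_hash.items():
            exts = sorted({os.path.splitext(p)[1].lower() for p in same})
            if len(exts) >= min_exts:
                groups.append({"sha256": digest, "extensions": exts, "paths": sorted(same)})
    return groups

if __name__ == "__main__":
    # Constructed sample tree: harmless placeholder bytes, not the worm body.
    with tempfile.TemporaryDirectory() as root:
        for name in ("BackUp570.pif", "TEST.BAT", "Script.ini"):
            with open(os.path.join(root, name), "wb") as f:
                f.write(b"constructed placeholder bytes")
        for group in find_multi_extension_clones(root):
            print(group["extensions"], group["paths"])
```

Identical files that share only one extension (for example two copies of the same .bat) are not reported, which keeps ordinary backups out of the result.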


Jovial Family

Description Jovial Family

These are non-dangerous, non-memory-resident parasitic viruses. They search for COM files, then write themselves to the end of the file. The virus code contains eleven junk bytes that are placed at different addresses, and while infecting a file the virus fills these bytes with NOP or HLT opcodes depending on random data. In some cases the viruses display the message:
HI MOM!!!!

The viruses also contain the text string:
JOVIAL KINDNESS BY yOUNG aDULT mALE
[NOP/HLT ENGINE 1.0]
*.COM

JS.ActiveXComponent

Description JS.ActiveXComponent

This is an MS Internet Explorer and Outlook security breach (com.ms.activeX.ActiveXComponent security vulnerability).
The security flaw allows remote scripts and HTML pages to access any ActiveX control installed on a victim's computer. The remote script can gain full control over a victim's computer, including the ability to read and write files on hard disks.
Trojan programs such as JS.Trojan.Seeker and JS.Trojan.Fav use this vulnerability to modify a browser's start and search pages and add unauthorized links to the "Favorites" folder of Internet Explorer.
Microsoft has released a patch that removes the com.ms.activeX.ActiveXComponent security vulnerability. We recommend visiting http://support.microsoft.com/support/kb/articles/Q275/6/09.ASP and installing this patch.

    Copyright © 2005 Virus-Database.com