Virus Database


I-Worm.Plan

Description I-Worm.Plan

This is a variant of the IWorm_LoveLetter Internet worm; it spreads in the same way as the "LoveLetter" worm does.
The worm uses different variants of the message subject and body. They may be empty or contain the texts:
Subject: US PRESIDENT AND FBI SECRETS =PLEASE VISIT => (http://WWW.2600.COM)<=
Message: VERY JOKE..! SEE PRESIDENT AND FBI TOP SECRET PICTURES..
The subject and message body may also be randomly generated; the result looks as follows: "JUIEDO", "TIPOWU", "RESEAU", "HIKOGU", etc.
The attached file name is also randomly constructed (in the same way as above) and has one of the following extensions:
".GIF.vbs"
".BMP.vbs"
".JPG.vbs"
When activated, the worm installs itself to the system. It copies itself to the Windows directory with the name " eload.vbs", and to the Windows system directory twice, with the name "LINUX32.vbs" and with a randomly constructed name, and registers the first two files in the system registry auto-run section.
The worm also drops HTML file with "US-PRESIDENT-AND-FBI-SECRETS.HTM" name, but does not use it in any way.
The worm then connects to MS Outlook and spreads to all addresses listed in the address book. It then affects files on all drives; the list of affected extensions is as follows:
VBS VBE JS JSE CSS WSH SCT HTA JPG JPEG MP3 MP2
The worm also downloads files from a Web site:
http://members.fortunecity.com/plancolombia/macromedia32.zip
http://members.fortunecity.com/plancolombia/linux321.zip
http://members.fortunecity.com/plancolombia/linux322.zip
The first file is just plain text; the two other files are pictures in BMP format. The worm then moves these files into the Windows directory with the names:
macromedia32.zip -> important_note.txt
linux321.zip -> logos.sys
linux322.zip -> logow.sys
and replaces two standard Windows logos as a result.
The worm has a payload routine that is activated on September 17th. That routine unmaps all network drives and displays the message:
Dedicated to my best brother=>Christiam Julian(C.J.G.S.)
Att. [random] (M.H.M. TEAM)
where "random" is a random five-letter word.
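The name-based indicators described above can be checked mechanically. The following is an added example, not part of the original description: the function names are hypothetical, the sample paths are constructed, and only the extensions, subject text and dropped file names come from the text above.

```python
import ntpath

# Indicators taken from the description above.
DECOY_EXTS = (".gif", ".bmp", ".jpg")   # harmless-looking first extension
DROPPED_NAMES = {"linux32.vbs", "us-president-and-fbi-secrets.htm"}
FIXED_SUBJECT = "US PRESIDENT AND FBI SECRETS"

def check_attachment(filename):
    """True if the name has the <decoy image extension>.vbs shape."""
    # Windows ignores trailing dots and spaces, so strip them before parsing.
    base = ntpath.basename(filename).lower().rstrip(". ")
    stem, ext = ntpath.splitext(base)
    if ext != ".vbs":
        return False
    return ntpath.splitext(stem)[1] in DECOY_EXTS

def check_message(subject, attachments):
    """Return the list of reasons a message matches the description."""
    reasons = []
    if FIXED_SUBJECT in subject.upper():
        reasons.append("fixed subject text")
    for name in attachments:
        if check_attachment(name):
            reasons.append("double extension: " + name)
    return reasons

def check_dropped(paths):
    """Return the paths whose file name matches a dropped-file name."""
    return [p for p in paths if ntpath.basename(p).lower() in DROPPED_NAMES]

if __name__ == "__main__":
    # Constructed samples: a random-looking subject with a decoy attachment,
    # and a constructed file listing (C:\WINDOWS is an assumed install path).
    print(check_message("HIKOGU", ["TIPOWU.JPG.vbs", "report.doc"]))
    print(check_dropped([r"C:\WINDOWS\SYSTEM\LINUX32.vbs",
                         r"C:\WINDOWS\logos.sys"]))
```

A randomly generated subject gives no fixed string to match, so the attachment shape is the more reliable of the two message checks.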
The worm also contains comments in its body:
===============================================================================================
"Plan Colombia" virus v1.0
by Sand Ja9e Gr0w (www.colombia.com)

Dedicated to all the people that want to be hackers or crackers, in Colombia
This program is also a protest act against the violence and corruption that Colombia livesall
I always wanting that all this finishes, I have said...


Santa fe de Bogotá 2000/09
I dedicate to all you the song "GoodBye" of Andreas Bochelli
=================================================================================================


Thanks God..!
A greeting for "Lina María" from "Santa fe de Bogotá"
A greeting for "Tizo" from "Spain"
And One kicked of tail to my friends, "eL ChE" and "ThE SpY"


Grapje.1039

Description Grapje.1039

It is a very dangerous non-memory-resident virus. It infects .COM files at their beginning. Files may be infected incorrectly; such files are not recoverable and hang the computer when run. The virus prints "GRAPJE!!" and contains the text strings "*.COM" and "*.*".

Gratug.482

Description Gratug.482

It is a memory-resident parasitic virus that is not dangerous. It hooks INT 21h and writes itself to the end of COM files that are executed. Depending on the system date, it decrypts and displays the string:
GratuQ

    Copyright © 2005 Virus-Database.com