Virus Database

I-Worm.Quamo

Description I-Worm.Quamo

This is a virus-worm that spreads via the Internet attached to infected e-mails. The worm itself is a Windows PE EXE file about 57Kb in length, and it is written in Visual Basic Script.
The infected messages contain differing subjects, bodies and attached-file names that are randomly selected from the following variants:
Subjects:
Something very special
I know you will like this
Yes, something I can share with you
Wait till you see this!
A brand new game! I hope you enjoy it

Bodies (one-line texts):
Hey you, take a look at the attached file. You won't believe your eyes when you open it!
You like games like Quake? You will enjoy this one.
Did you see the pictures of me and my battery operated boyfriend?

as well as (multiline texts):
My best friend,
This is something you have to see!
Till next time

Is Internet that safe?
Check it out

Attached file:

Infected file run
The worm activates from an infected e-mail only when a user clicks on the attached file, displaying the following:

At the same time, the worm installs itself to the system. In the event that the [Next] button is pressed, nothing happens (except installation of the worm's copies to the system), and the worm's application simply terminates. When the [Cancel] button is pressed, the worm starts its e-mail spreading routine.
Installing
While installing into the system, the worm creates the new directory C:EIRAM, and copies itself using the following names:
c:eiramquake4demo.exe
f:quake4demo.exe (if this drive exists)

and then registers these files in the Registry auto-run keys:
HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun
"quake"="c:eiramquake4demo.exe"
"Q4"="f:quake4demo.exe"
HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun
"Q4"="c:\eiramquake4demo.exe"
"quake"="f:quake4demo.exe"

Later, while sending e-mail messages, the worm also may create more of its copies in the Windows directory:
honey.exe
quake4demo.exe
setup.exe

Spreading
The e-mail spreading routine is activated only when a user presses the [Cancel] button in the message box (see above).
To send infected messages, the worm uses MS Outlook, and sends messages to all addresses found in the Outlook address book.
Payload
Upon each start, the worm activates its payload routine, which searches for the following files: *.exe, *.xls, *.doc, *.mdb, *.htm, *.html, *.txt, *.ocx and overwrites them with the following text:
You've didn't protected your files well enough
Let this be a lesson! Never trust someone else
eiram 1999-2001

Check other viruses! Be aware! Use Antiviral Software

Gallery.631

Description Gallery.631

It is a harmless memory resident parasitic virus. It hooks INT 21h and writes itself to the end of COM files that are executed. The virus does not manifest itself in any way, it contains the text string:
Art Gallery++

Galt.1574

Description Galt.1574

It is a harmless memory resident parasitic stealth virus. It traces and hooks INT 21h and then writes itself to the end of COM and EXE files that are accessed. The virus contains the text strings:
22/07/95
John Galt - RT Fishel

Home