I-Worm.Runnelot
Description I-Worm.Runnelot
Runnelot is a worm that spreads via the Internet as an attachment to infected emails. It also infects Win32 EXE files. The worm itself is a Windows PE EXE file about 9KB in size when compressed by UPX; the decompressed size is about 20KB. It is written in Assembler. The worm contains a "copyright" text string:
Runner "Pilot" 01/2003
Installing
While installing, the worm writes its code to the Windows system directory under the name "Runner.exe" and registers that file in the system registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Runner = Runner.exe /auto /rsrc32.dll
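A defensive check for the auto-run entry described above, as an added example that is not part of the original description: it parses the text of a `reg export` dump and reports values under the Run key that match the worm's entry. The sample export and the function names are constructed for illustration, and HKLM is written out as HKEY_LOCAL_MACHINE, as export files do.

```python
import re

# Indicators taken from the description above; export files spell HKLM out in full.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
VALUE_NAME = "runner"
IMAGE_NAME = "runner.exe"

# Constructed sample of a `reg export` text file (not captured from a real host).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="C:\\Windows\\SOUNDMAN.EXE"
"Runner"="Runner.exe /auto /rsrc32.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Runner"="C:\\Tools\\jogging-log.exe"
'''

# "name"="string data", where both sides may contain backslash escapes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')


def unescape(s):
    """Undo the backslash escaping used inside quoted .reg strings."""
    return re.sub(r'\\(.)', r'\1', s)


def find_runnelot_autorun(export_text):
    """Return (value_name, data, reason) for matching values under the Run key only."""
    hits, in_run_key = [], False
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            # Exact, case-insensitive key match: RunOnce and other keys are skipped.
            in_run_key = line[1:-1].lower() == RUN_KEY
            continue
        m = VALUE_RE.match(line) if in_run_key else None
        if not m:
            continue
        name, data = unescape(m.group(1)), unescape(m.group(2))
        tokens = data.split()
        # First token of the command line, with any directory part removed.
        image = re.split(r'[\\/]', tokens[0])[-1].lower() if tokens else ""
        if image == IMAGE_NAME:
            hits.append((name, data, "image name matches"))
        elif name.lower() == VALUE_NAME:
            hits.append((name, data, "value name matches, image differs"))
    return hits
```

A value-name-only match is reported separately because "Runner" is a plausible name for unrelated software; the image name together with the `/auto /rsrc32.dll` arguments is the stronger indicator.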
Infecting EXE files
The worm looks for PE EXE files and writes itself to the beginning of these files. It looks for victim EXE files in directories located on local and network hard drives. To pass control to the host program, the worm creates a disinfected copy on disk and spawns it. In case of an error the worm displays fake error messages:
Error of loading WIN32.DLL file
Loading incomplete. Correct work is not warranted! Continue?
General error 1452 in KERNEL32.DLL
Program terminated
Spreading: EMail
To send infected messages the worm uses direct access to the default SMTP server. To get victim email addresses the worm scans *.HTM* files; it also writes these email addresses to the "runner.dll" file in the Windows system directory. The infected messages have different fields that are randomly constructed from several variants:
From: "%str1%%str2%"
where the following strings are randomly selected from:
%str1% : Dmitry Eugene Igor Jhon Mark Bill Frank Sam Tim Brad Samuel Dean Tom Robert Mostovoy Losinsky Kaspersky Danilov Smith Woodruf Brown Steel Driver Seldon Forge Stab McAndrew Gregor
%str2% : @hotmail.com @yandex.ru @yahoo.com @newmail.ru
Subject: %subj1% %subj2% where:
%subj1% :
Weclome to Pink World Blacks on Blondes New porno movies every day TONS of porno movies Fucking Wifes
%subj2% :
New FREE sex soft FREE porno-soft + many FREE sex games
The body is randomly constructed from randomly selected text strings: SUPERGAME! + Look as + fine + blonde SEX SOFT! + hot mom black hitchiker teen dirty girl amateur slut petite babe busty teen wet secretary wild wife
This is a free demo version, and we hope you want visit our web-site + Please visit our web site + + WWW.EXPLOITEDPUSSY.COM WWW.SLEAZYDREAM.COM WWW.ALLHOTPORN.COM WWW.TEENFILES.NET WWW.ADULTMOVIESTATION.NET WWW.DISCRETESEX.COM + to take more sex programs to take full version
150 GIG OF DOWNLOADABLE MOVIES - FREE PASSWORD HIGH QUALITY MPEGS - NEW SCENES EVERY DAY - 100k+ PICS TOO Full lenght movies THE BEST MOVIES ONLINE HUGE archive of previous movies available! TONS of movies + Full screen quality Ultra fast downloads Updated every day All in DVD quality WEBMASTERS MAKE MONEY GET FULL ACCESS TO OUR MEMBERS AREA FOR 30 MINUTES - FREE GET YOUR 30 MINUTES FREE ACCESS A new 150mb full lenght movie is added every day + Install NOW!!! Installer in attach Test our soft now!
or randomly selected from variants: We presents to you ours new sex game as adversting Install a locator of FREE sex movies of our site as adversting Install porno screen saver as adversting This is a new imitator as adversting
Attachment: sexy + girls. + dll hottest blonde. cumshot pamela. analsex lesbians. oralsex teens. asian virgins. hardcore . slut doggy sucking messy
Payload
On February 13, March 7,16, April 21, May 8,18, June 11, July 3, August 29, October 30, November 5,26, December 11,30 the worm overwrites all files in "Personal" folders ("My Documents", "History", "Cookies", etc.).
Mep.295
Description Mep.295
It is a dangerous memory-resident parasitic virus. It copies itself into the DOS data area at the address 0000:0535, hooks INT 21h and writes itself to the beginning of COM files that are executed or opened. The virus has bugs and may corrupt files while infecting them. The virus contains the text strings at the top of the file: MEP
Mephisto.969
Description Mephisto.969
These are not dangerous parasitic viruses. They write themselves to the end of the file. Some of these viruses are encrypted. "Mephisto.2,3,4" are non-memory-resident; they search for files and infect them. Other viruses leave a TSR copy and hook INT 21h to infect files. "Mephisto.2,3,5" infect .COM files only, "Mephisto.4,6" infect .EXE files only. The viruses contain the text strings:
"Mephisto.3": When you read this Text, your Computer has to be already DEAD. My Name is NUMBER THREE but you will never see me againall
"Mephisto.4": When you read this Text, your Computer has to be alreadyDEAD. My Name is NUMBER FOUR but you will never seeme again...
"Mephisto.5.1235": [NUMBER FIVE (Special) V 1.00] (?) Mephisto Switzerland*.pas
"Mephisto.5.1242": ALL GOOD THINGS MUST COME TO AN END This Virus is dedicated to the well known series STAR TRECK NEXT GENERATION that reached the end about three months ago... [NUMBER FIVE] (?) Mephisto
"Mephisto.6": ALL GOOD THINGS MUST COME TO AN END This Virus is dedicated to the well known series STAR TREK NEXT GENERATION that reached the end about three months ago... [NUMBER SIX] (?) Mephisto
"Mephisto.4.1134" displays: " All good things must come to an end "
It also contains the text: This is NOT Shareware. Please register you by Johnny Boy !!! [NUMBER FOUR] (?) Mephisto
"Mephisto.5.510,615" display: Resident Function will be carried out !!!
"Mephisto.5.1235,1242" also hook INT 1Ch, and depending on the system timer they drop the letters on the screen. Mephisto.921 It is not a dangerous nonmemory resident encrypted parasitic virus. It searches for C:DOSDOSKEY.COM, C:DOSEDIT.COM, and COM files of current directory, then writes itself to the end of the file. Depending on the system timer that virus drops the "ASBV" boot virus to the MBR of the hard drive. The virus contains the text string: [Swiss'94] Mephisto c:dosdoskey.com c:dosedit.com *.com