Virus Database


I-Worm.Shatrix

Description I-Worm.Shatrix

This is a virus-worm that spreads via the Internet attached to infected e-mails. The worm also spreads over a local network by copying to shared drives. The worm itself is a Windows PE EXE file about 380Kb in length, and is written in Delphi.
Infected messages contain:
Subject: FW:Shake a little
Body: Hi !
This will shake your world :-)
Regards,
%username%
Attachment: SHAKE.EXE

Where %username% is the name of the infected machine's user.
The worm is activated from infected e-mail only when a user clicks on an attached file. The worm then installs itself to the system, runs its spreading routine and payload.
While installing, the worm copies itself to the Windows system directory with a random name, and registers that file in the system registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run SystemInfo = %worm file name%
To send infected messages, the worm uses MS Outlook MAPI. To obtain victim addresses, the worm looks for and scans the following files:
*.asp *.html *.htm
Depending on the system date, the worm creates random directories, and drops HTML files with texts randomly constructed from the following strings:
MatriX is out there
MatriX has Youall
MatriX is All around You
01001101011000010111010001110010011010
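
The message indicators listed above (subject, body line, attachment name) can be checked at a mail gateway or against a mailbox export. The following Python sketch is an added example, not part of the original description. The function names, verdict labels and sample messages are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the description above.
SUBJECT = "FW:Shake a little"
BODY_LINE = "This will shake your world :-)"
ATTACHMENT = "SHAKE.EXE"

def shatrix_indicators(raw: bytes) -> list[str]:
    """Return the names of the description's indicators found in one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    # Compare with whitespace removed so "FW: Shake a little" also matches.
    subject = "".join(str(msg.get("Subject", "")).split()).lower()
    if subject == "".join(SUBJECT.split()).lower():
        hits.append("subject")
    for part in msg.walk():
        name = part.get_filename()
        if name and name.strip().upper() == ATTACHMENT:
            hits.append("attachment")
        elif part.get_content_type() == "text/plain" and not name:
            if BODY_LINE in part.get_content():
                hits.append("body")
    return hits

def verdict(raw: bytes) -> str:
    hits = shatrix_indicators(raw)
    # The attachment is what executes; matching text alone is only a weak signal.
    if "attachment" in hits and len(hits) >= 2:
        return "quarantine"
    return "review" if hits else "pass"

def build_sample(subject, body, attach_name=None) -> bytes:
    """Constructed test message; addresses and payload bytes are placeholders."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.test", "b@example.test", subject
    m.set_content(body)
    if attach_name:
        m.add_attachment(b"MZ-placeholder", maintype="application",
                         subtype="octet-stream", filename=attach_name)
    return m.as_bytes()

if __name__ == "__main__":
    infected = build_sample(SUBJECT, f"Hi !\n{BODY_LINE}\nRegards,\nuser\n", ATTACHMENT)
    reply = build_sample(SUBJECT, f"> {BODY_LINE}\nIs this from you?\n")
    for label, raw in (("infected", infected), ("reply", reply)):
        print(label, shatrix_indicators(raw), verdict(raw))
```

A reply that quotes the text but carries no attachment is only marked for review, which keeps conversations about the worm from being quarantined along with the worm itself.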

Check other viruses! Be aware! Use Antiviral Software

Naka.509

Description Naka.509

This is a non-dangerous, non-memory-resident parasitic virus. It searches for .EXE files in the current directory, then writes itself to the end of the file. Depending on the system date, the virus manifests itself in different ways.
On March 14 it displays the text "Birthday", beeps through the PC speaker and halts the system. On every 4th day starting from the 3rd (3, 7, 11, 15, etc.) the virus writes the byte A4h to CMOS memory at address 40h (the meaning of this byte differs between BIOS types). On any day, if the system date year is not 1999, the virus displays the text "Naka_007". The virus contains the text string:
Sebastopol IVS007

Nameless.3000

Description Nameless.3000

This is a very dangerous memory-resident encrypted parasitic virus. It traces INT 13h and INT 21h, hooks INT 21h and 2Fh, disinfects and executes the host program, and then stays memory resident. On the DOS calls Close, Create, GetDiskSpace (INT 21h, AH=3Eh, 3Ch, 36h, 5Ah, 5Bh) the virus searches for .COM and .EXE files, then writes itself to the beginning of the file. If the file size is less than 8000 bytes, the virus increases the file size up to 8000 before infecting. When an infected file is executed or opened, the virus disinfects it.
Depending on its internal counters and the system time, the virus corrupts randomly selected disk sectors. The virus also runs a routine that erases disk sectors and displays a counter of erased tracks (the counter runs backward).
The virus contains text strings in Russian and:
ABCDEFGHabcdefghCOMMAND
Nameless virus v.2.0
U my last hopeall Please...
*.COM *.EXE

    Copyright © 2005 Virus-Database.com