I-Worm.Sint
Description I-Worm.Sint
This is email worm spreading by affecting MS Outlook. The worm itself is Win32 executable file about 30K of length. The worm is written in Visual Basic language.
When the worm is run it copies itself to Windows directories with the names:
C:WindowsVicevi_teza_odvala.txt.exe
C:windowssystemVicevi_teza_odvala.txt.exe
The second file is then registered in system registry auto-run key:
HKCUSoftwareMicrosoftWindowsCurrentVersionRun
Sintesys = c:windowssystemVicevi_teza_odvala.txt.exe
The "C:Windows" directory name is hardcoded in worm code, so it is not able to affect the system in case Windows directory name is not like that one.
The worm also copies itself with the same name to root directories of all available logical drives (local or remote).
The worm then connects to MS Outlook by using MAPI functions, gets all addresses from Address Book and sends messages to all of them. The messages have:
Subject: Vicevi!
Attach: Vicevi_teza_odvala.txt.exe
Text body is randomly selected from four variants:
Cao! Izvini sto te uznemiravam ovako, ali evo saljem ti neke viceve koji cete sigurno oraspoloziti!
Vozdra! Evo pogledaj ove viceve koje sam i ja dobio neki dan! Pravo su smijesni!
Cao korisnice! Znam da sigurno nemas vremena da pogledas ove viceve koje ti saljem. Nadam se da ces imati vremena da ih pogledas!
Zdravo! Nemoram ti nista pricatiallsamo pogledaj ovu veliku kolekciju viceva ;)
To hide its activity the worm displays the fake error messages:
Check other viruses! Be aware! Use Antiviral Software
Sarcoma.1328
Description Sarcoma.1328
It is a harmless memory resident parasitic virus. It hooks INT 21h and writes itself to the end of COM and EXE files that are executed or closed. While installing memory resident the virus also infects the C:COMMAND.COM file. The virus then opens the C:CONFIG.SYS file, looks for "SHELL-" command in there and infects corresponding file, if it exists.
The virus does not manifest itself in any way. It contains the text string:
'COMPUSARCOMA' virus by M.S.S.
Sarov.1000
Description Sarov.1000
This is a harmless memory resident parasitic polymorphic virus. It hooks INT 1, 8, 9, 21h and writes itself to the end of COM files that are accessed with DOS calls FindFirst/Next. By hooking INT 1 (tracer) the virus disables the tracing their code. By hooking INT 8 (timer) the virus change the floppy disk status, and calls the keyboard effect: by hooking INT 9 the virus 'skips' some keys that are pressed. The virus contain the text stings:
BIL`92`S
|
Home
Viruses from A to Z
0-9
A
B
Ñ
D
E
F
G
H
I
J
K
L
M
N
O
P
Q
R
S
T
U
V
W
X
Y
Z
Puder
Argumentative Essay
Skorstensfejarmästare
S-g HedstrÖm Transporter
|