I-Worm.Sober.g
Description I-Worm.Sober.g
This worm spreads via email and file-sharing networks as an attachment to infected emails. It is written in Visual Basic and packed using UPX. The packed file is approximately 47KB in size, but may be slightly larger, as the worm may write random data to the end of the file.

Installation

The worm is activated when the file attached to the message is opened. Once launched, the worm causes a fake error message to be displayed:

  File not found Special-UnZip Data-Module is missing Open with Notepad? Yes No

If the user clicks Yes, the worm opens Notepad. The open Notepad window contains nonsense text. Mydoom used a similar diversionary trick.

The worm then creates a copy of itself in the Windows directory, saving it under a name chosen at random from the list below:

  sys host dir expolrer win run log 32 disc crypt data diag spool service smss32

This file is then registered in the system registry auto-run key:

  [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  "[random key name]" = "%System%\[file name]"
  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  "[random key name]" = "%System%\[file name]"

The worm also creates a number of copies of itself and additional files and saves these under the following names in the Windows directory:

  bcegfds.lll
  zhcarxxi.vvx
  cvqaikxt.apk
  xdatxzap.zxp
  datsobex.wwr
  winzweier.dats
  wincheck32.dats
  winexpoder.dats
  NoSpam.readme

Propagation

The worm searches local disks for files with the following extensions:

  abc abd abx adb ade adp adr asp bak bas cfg cgi cls cms csv ctl dbx dhtm doc dsp dsw eml fdb frm hlp imb imh imh imm inbox ini jsp ldb ldif log mbx mda mdb mde mdw mdx mht mmf msg nab nch nfo nsf nws ods oft php pl pmr pp ppt pst rtf shtml slk sln stm tbb txt uin vap vbs vcf wab wsh xhtml xls xml

It harvests email addresses from these files, and then sends infected messages to these addresses. The worm connects directly to the SMTP server to send messages. The headers and text of infected messages are in German or English. The headers and text are chosen and combined randomly from several dozen texts. The attachment will have a .pif or .zip extension, with a random name.

Other

The worm has the ability to download and launch files from the following sites:

  home.arcor.de
  people.freenet.de
  home.pages.at
  scifi.pages.at
  free.pages.at
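The installation traces described above can be turned into a triage check. The following is an added example, not code from the original description: it flags auto-run values whose target in the Windows or System directory is built from the listed name fragments, and directory entries matching the dropped-file list. Matching names made of several joined fragments, the executable extensions, the directory spellings and the sample data are assumptions.

```python
import ntpath
import re

# Name fragments and dropped-file names copied from the description above.
NAME_FRAGMENTS = ("sys host dir expolrer win run log 32 disc crypt data diag "
                  "spool service smss32").split()
DROPPED_FILES = {n.lower() for n in (
    "bcegfds.lll zhcarxxi.vvx cvqaikxt.apk xdatxzap.zxp datsobex.wwr "
    "winzweier.dats wincheck32.dats winexpoder.dats NoSpam.readme").split()}
# Assumption: the installed copy keeps an executable extension.
EXE_PATH = re.compile(r'"?([^"]+?\.(?:exe|pif|scr|com))\b', re.I)
# Assumption: how the Windows/System directory appears in a Run value.
SYSTEM_DIRS = {"windows", "winnt", "system", "system32", "%system%", "%windir%"}

def built_from_fragments(stem):
    """True if stem is one or more listed fragments joined end to end."""
    stem = stem.lower()
    reachable = [True] + [False] * len(stem)  # reachable[i]: stem[:i] is composable
    for i in range(len(stem)):
        if reachable[i]:
            for frag in NAME_FRAGMENTS:
                if stem.startswith(frag, i):
                    reachable[i + len(frag)] = True
    return bool(stem) and reachable[-1]

def suspicious_run_values(run_values):
    """run_values maps value name -> command line, as exported from a Run key."""
    hits = []
    for name, command in run_values.items():
        match = EXE_PATH.match(command.strip())
        if not match:
            continue
        directory, filename = ntpath.split(match.group(1))
        stem = ntpath.splitext(filename)[0]
        if ntpath.basename(directory).lower() in SYSTEM_DIRS and built_from_fragments(stem):
            hits.append((name, filename))
    return hits

def dropped_file_hits(filenames):
    """Names from a Windows-directory listing that match the dropped-file list."""
    return sorted(f for f in filenames if f.lower() in DROPPED_FILES)

# Constructed sample data, not taken from a real host.
SAMPLE_RUN = {"ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
              "Updater": r'"C:\Program Files\Vendor\updater.exe" /background',
              "xqkd": r"C:\WINDOWS\system32\diagwin32.exe"}
SAMPLE_DIR = ["NoSpam.readme", "notepad.exe", "winzweier.dats"]
```

A hit is a lead for further inspection of the file, not proof of infection, since short fragments such as "win" and "32" can also combine into legitimate names.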
Macro.Word97.Novosib.a
Description Macro.Word97.Novosib.a
This is a Russian macro virus. It contains four macros:

  Documents     NORMAL.DOT
  AutoOpen      AutoOp
  Fantom        Fantom
  Fuck          FileOpen
  AutoClose     AutoClose
It infects the global macro area, and infects documents when files are opened. The virus contains comments and displays MessageBoxes in Russian.
Macro.Word97.Oetzi
Description Macro.Word97.Oetzi
It is a polymorphic virus. It contains eight macros in module "Modul1": AutoOpen, AutoClose, FileSaveAs, FileSave, ToolsCustomize, Mutate, Retro, Payload. It replicates when any of the following macros is activated: AutoOpen, AutoClose, FileSaveAs, FileSave. The virus's polymorphic engine inserts comments at random positions in the virus code. The virus displays a balloon:

  Wichtig! Lesen sie folgendes genau durch: He Bedienung! 5 Bier! Auch einen für diesen Schnapsgsicht daall. Danke!
The virus then displays the MessageBox: W97M.Oetzi.A Hallo, mein name ist Ötzi. Ihr könnt mich mal besuchen kommen. Für 8-9 Cuba Libre laß ich euch vielleicht gratis rein. UEO!!! NEGSTE BUDE = 500m !!!!!!
It also erases the anti-virus files:

  C:\PC-Cillin 95\Scan32.dll
  c:\pc-cil~1\*.dll
  C:\PC-Cillin 95\Lpt$vpn.*
  C:\PC-Cillin 97\Scan32.dll
  C:\PC-Cillin 97\Lpt$vpn.*
  C:\Tsc\PC-Cillin 97\Scan32.dll
  c:\tsc\pc-cil~1\*.dll
  C:\Tsc\PC-Cillin 97\Lpt$vpn.*
  C:\TBAVW95\Tbscan.sig
  c:\Tbavw95\Tb*.*
  C:\Tbavw95\Tbavw95.vxd