Virus Database


I-Worm.Stopin.a

Description I-Worm.Stopin.a

This is a virus-worm that spreads via the Internet attached to infected e-mail. The worm itself is a Windows PE EXE file about 30Kb in length (compressed by UPX, decompressed size is about 85K), written in Borland C++.
Infected messages contain:
Subject: Secret for youall
Body:
Hi Friend,
I send you my last work.
Mail me if you have some suggests.
See you soon. Best Regards.
Attachment: My_Work.exe

The worm activates from an infected e-mail only when a user clicks on the attached file. The worm then installs itself to the system, runs its spreading routine and payload.
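The message traits listed above (subject, attachment name, UPX-packed PE attachment) can be checked together at a mail gateway. The following is an added example, not part of the original description; the function names, sample addresses and the UPX section-name heuristic are assumptions made here, and the payload is a constructed inert byte string.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators taken from the description above, lower-cased for comparison
SUBJECT = "secret for youall"
ATTACHMENT = "my_work.exe"


def stopin_indicators(raw: bytes) -> list:
    """Return which Stopin.a traits from the description one raw message shows."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    # policy.default decodes RFC 2047 encoded-words, so an encoded subject matches too
    if str(msg["Subject"] or "").strip().lower() == SUBJECT:
        hits.append("subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        data = part.get_payload(decode=True) or b""
        if name == ATTACHMENT:
            hits.append("attachment-name")
        if data[:2] == b"MZ":  # DOS/PE executable magic
            hits.append("pe-attachment")
            # Heuristic (assumption): UPX normally names its sections UPX0/UPX1
            if b"UPX0" in data[:1024] and b"UPX1" in data[:1024]:
                hits.append("upx-packed")
    return hits


def build_sample(subject: str, filename: str, payload: bytes) -> bytes:
    """Build a constructed test message (hypothetical addresses, inert payload)."""
    m = EmailMessage()
    m["From"] = "sender@example.test"
    m["To"] = "recipient@example.test"
    m["Subject"] = subject
    m.set_content("Hi Friend,\nI send you my last work.\n")
    m.add_attachment(payload, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


# Constructed stand-in for a packed PE: magic bytes and section names only, not executable
FAKE_PACKED = b"MZ" + b"\x00" * 254 + b"UPX0" + b"\x00" * 36 + b"UPX1" + b"\x00" * 36

if __name__ == "__main__":
    print(stopin_indicators(build_sample("Secret for youall", "My_Work.exe", FAKE_PACKED)))
    print(stopin_indicators(build_sample("Minutes", "notes.txt", b"plain text")))
```

The subject and file name are trivially changed by a variant, so the returned list is meant to be scored together rather than treated as a single match.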
Installing
While installing, the worm copies itself to the Windows system directory with the MSGDI32.EXE name and registers this file in the system registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft GDI 32 bits = %SystemDir%\MSGDI32.EXE
The worm then displays a fake error message and exits:

While installing, the worm also looks for and terminates the following applications:
AVP32.EXE
AVPCC.EXE
AVPM.EXE
WFINDV32.EXE
F-AGNT95.EXE
NAVAPW32.EXE
NAVW32.EXE
NMAIN.EXE
PAVSCHED.EXE
ZONEALARM.EXE

Spreading
Upon next start-up (being run by Registry "Run=" key), the worm activates its e-mail spreading routine. To send infected messages, the worm uses Win32 MAPI functions. To get victim e-mail addresses, the worm looks for and scans the following files:
*.HTM
*.HT*
*.DOC

Payload
On the 7th of any month, the worm displays the following message:

On the 11th of any month, it displays the following text:
Can we try to stop the conflicts ? YES OF COURSE !'
On the 28th, it creates the "StopIntifada.htm" file, writes the following text to it and opens it:
Stop Violence between Palestinians and Israeli
HOW TO STOP THE VIOLENCE
-THE ISRAELIS:
To take the israelis tank out of the palestinians autonomous city.
Don't bomb civil place after a terrorist bomb attack.
To arrest and to kill the leaders of terrorist groups.
-THE PALESTINIANS:
To stop to provoke the israelis army.
To stop the terrorist attacks.
-THE BOTH:
To try to accept the other people.
TO ORGANIZE A MEETING BETWEEN ARIEL SHARON AND YASSER ARAFAT !
Thanx to read this.


Supervisor family

Description Supervisor family

These are not dangerous(?) memory resident parasitic viruses. They hook INT 8, 9, 21h, 28h and write themselves to the end of .COM and .EXE files that are executed or opened. "Supervisor.1256" and "Supervisor.1448" infect .COM files only; "Supervisor.2221" infects both .COM and .EXE files.
The viruses manifest themselves with some video effect. In some cases they perform several Novell NetWare calls (to obtain the NetWare passwords?). The viruses contain the text strings:
SERVER SERVER SECURITY_EQUALS SERVER PASSWORD
SERVER SECURITY_EQUALS SUPERVISOR
MsDos

Susan.571

Description Susan.571

It is a very dangerous memory resident virus. When executed, it displays "Bad command or file name", then hooks INT 2Fh and overwrites .EXE files on DIR command calls. While infecting a file, the virus uses several undocumented DOS functions. Sometimes it deletes files instead of infecting them. It also contains the text strings:
Susan
*.EXE
DIR

    Copyright © 2005 Virus-Database.com