I-Worm.Suppl
Description I-Worm.Suppl
This is a virus-worm that spreads over the Internet as an attachment to e-mail messages, in the form of the MS Word97 document SUPPL.DOC. It was posted to several newsgroups in September 1999. The document was created with the Russian edition of MS Word97, which means that the worm has Russian or ex-USSR origin. To install itself on the system, the worm uses a method that does not work under WinNT; as a result, it can infect and spread from Win9x systems only.

The worm has a very dangerous payload: one week after infecting a computer, it erases files on local and remote drives that have the following extensions:

DOC XLS TXT RTF DBF ZIP ARJ RAR

The method of erasing is the same as the one used by the "ZippedFiles" worm, and damaged files are not recoverable.

Installing

The infected document has just one macro, Document_Open, which is executed automatically when MS Word opens the document. This macro copies its document to the Windows system directory under the name ANTHRAX.INI, then drops its DLL component (which is stored in the infected document) to the same directory under the name DLL.TMP. The DLL component is dropped via a compressed temporary file, DLL.LZH.

The worm then adds renaming instructions to the WININIT.INI file. These instructions rename WSOCK32.DLL to WSOCK33.DLL and replace WSOCK32.DLL with the worm's DLL.TMP library. This trick causes Windows to replace its WSOCK32.DLL with a copy of the worm on the next Windows restart. When Windows initializes its DLLs, it loads the worm's DLL instead of the original one, and as a result the worm gets access to network functions.

Spreading

On the next Windows restart, the infected WSOCK32.DLL is loaded into system memory and gets control. At this point the worm intercepts all the necessary library functions that the original WSOCK32 library provides. For all of them except two, the worm just forwards requests to the original functions; for this purpose, it also loads WSOCK33.DLL (the original library) into Windows memory. The two functions processed by the virus itself are "send" and "connect". By using these functions, the worm intercepts e-mails sent from the infected computer and attaches a copy of itself to them as the SUPPL.DOC file.
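
The installation traces described above can be checked for on a Win9x disk image. The following is an added example, not part of the original description: it parses the `[rename]` section of WININIT.INI (each line is `destination=source`, with `NUL` as the destination for a pending delete) and flags any pending operation on WSOCK32.DLL. The sample file contents and the function names are constructed for illustration.

```python
import ntpath

# File names the description places in the Windows system directory.
WORM_ARTIFACTS = {"ANTHRAX.INI", "DLL.TMP", "WSOCK33.DLL"}
TARGET = "WSOCK32.DLL"

# Constructed sample: one benign pending delete plus the two renames described above.
SAMPLE_WININIT = r"""
[rename]
NUL=C:\WINDOWS\TEMP\SETUP.OLD
C:\WINDOWS\SYSTEM\WSOCK33.DLL=C:\WINDOWS\SYSTEM\WSOCK32.DLL
C:\WINDOWS\SYSTEM\WSOCK32.DLL=C:\WINDOWS\SYSTEM\DLL.TMP
"""

def parse_rename_section(text):
    """Return (destination, source) pairs from [rename]; each line is destination=source.
    Parsed by hand because the NUL key (pending delete) may repeat."""
    pairs, in_rename = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
        elif in_rename and "=" in line:
            dest, src = line.split("=", 1)
            pairs.append((dest.strip(), src.strip()))
    return pairs

def find_wsock_swap(pairs):
    """Flag pending operations that move, delete or overwrite WSOCK32.DLL."""
    findings = []
    for dest, src in pairs:
        dest_name = ntpath.basename(dest).upper()
        src_name = ntpath.basename(src).upper()
        if src_name == TARGET and dest_name == "NUL":
            findings.append(("deleted", src))
        elif src_name == TARGET and dest_name != TARGET:
            findings.append(("moved_aside", dest))
        elif dest_name == TARGET:
            findings.append(("replaced_by", src))
    return findings

def find_artifacts(filenames):
    """Return names from a system-directory listing that match the worm's files."""
    return sorted(n.upper() for n in filenames if n.upper() in WORM_ARTIFACTS)

if __name__ == "__main__":
    for finding in find_wsock_swap(parse_rename_section(SAMPLE_WININIT)):
        print(finding)
```

A legitimate Winsock update can also queue a WSOCK32.DLL replacement in WININIT.INI, so a hit is most meaningful when the replacement source is DLL.TMP and ANTHRAX.INI is present in the system directory.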
Nowi.1327
Description Nowi.1327
It is a dangerous, non-memory-resident parasitic virus. It searches for COM files and writes itself to the end of each file. In some cases the virus corrupts files while infecting them. The virus decrypts and displays the messages:

Out of enviroment space. Not enough memory. Analyzing configuration. Please waitall Hej Sell! Czy to bylo tego warte? (c) by Nowicjusz
NoWin.2576
Description NoWin.2576
It is a memory-resident, parasitic, encrypted virus that is not dangerous. It hooks INT 9 and INT 21h and writes itself to the beginning of COM files and to the end of EXE files that are executed or closed. When an infected file is opened, the virus disinfects it. When a WIN.* file is executed, the virus reboots the computer. In some cases the virus beeps through the PC speaker. The virus contains the text strings:

Copyright (c) 1993-94 XY, Zielona Góra. R_H |PL|