Virus Database

I-Worm.Tossed

Description I-Worm.Tossed

This worm spreads in e-mail messages. The worm itself is a DOS EXE file about 30K in length. When run, it installs itself to the Windows directory with the TYPEDEF.EXE name and registers itself in a WIN.INI file in the auto-run section. To hide its activity, the worm then displays a fake message and exits:
PKSFX Self Extraction Utility Version 2.50 03-01-1999
Copr. 1989-1999 PKWARE Inc. All Rights Reserved. Shareware Version
PKZIP Reg. U.S. Pat. and Tm. Off. Patent No. 5,051,745

Error in SFX - Unable to extract !!
While installing, the worm tries four "hardcoded" variants of the Windows directory name: C:WINDOWS, C:WIN95, C:WIN98, C:WINNT, and fails to install itself when Windows is installed in the directory with different name.
Upo the next Windows start-up, the worm copy is activated as a TYPEDEF.EXE file from the Windows directory. The worm runs a counter that is stored in the TYPEDEF.INI file and is incremented on each TYPEDEF.EXE file start (i.e., on each Windows start-up). Depending on that counter (once per three runs), the worm creates a TYPEDEF.VBS file and writes a VisualBasicScript program to there that sends the worm copy attached to e-mail messages.
That program opens MS Outlook, reads e-mail addresses from the AddressBook and sends messages to all of them. The message subject is: "Check this out". The message text and attached file name are randomly selected from eight variants:
It seems internet explorer 5 has some kinda bug which leaves some secuirity holes and allows somebody to write files onto your system. I downloaded this fix. I am sending it as an attatchment.
Attach: IE5FIX.EXE
I found something to help get rid of those irritating ads that pop up when you go to some sites. I am sending it as an attatchment.
Attach: NOADS.EXE
Here are some images you might like. You really need to check them out.
Attach: IMAGES.EXE
I am sending some of the coolest pictures known to man. You might want to check them out.
Attach: COOLPICS.EXE
Please take a look at these documents. I am sending them compressed in a self extractor.
Attach: DOCS.EXE
I am sending you the setup of the latest shareware version of PKZip. It gives excellent compression ratios. You might want to install it.
Attach: PKSETUP.EXE
I downloaded a patch to some bug in Internet Explorer. I am sending it as an attatchment.
Attach: PATCH.EXE
I downloaded a screen saver with cool effects. I am sending you its installation. Do try it out
Attach: SCRNSAVE.EXE
Also depending on the counter, the worm displays the text:
------ --
- -- - --
-- ---- ---- ---- ---- --
-- -- -- -- -- -- -- -----
-- -- -- ---- ---- ------ -- --
-- -- -- -- -- -- -- --
---- ---- ---- ---- ----- --- --

----- --- --
-- -- -- --
--- --- -- --- --
--- -- -- -- -----
--- ----- -- ----- -- --
-- -- -- -- -- -- -- -- --
----- --- -- --- --- -- --- --

!!! and scrambled eggs !!!
I-WORM.TSSE
Coded by [Offset]
The worm also contains the text strings:
The Tossed Salad and Scrambled Eggs Worm = I-Worm.TSSE. Coded by [Offset]

Check other viruses! Be aware! Use Antiviral Software

Macro.Word.DarkSide

Description Macro.Word.DarkSide

This is not a dangerous encrypted Word macro virus. It is related to the "MDMA" virus. It contains four macros: AutoClose, DarkSide1, HerramMacro, ToolsMacro. It infects the documents and the global macros area on AutoClose call.
The virus disables Tools/Macro menu (Herram/Macro in Spanish). It creates on disks the DARKSIDE.1 files and writes the texts to there:
ATENCION: esta computadora ha sido infectada!. DarkSide1 sin una
computadora es como Billy The Kid sin un revolver! ! . . . Virus DarkSide1
creado en la ciudad de Lima en enero de 1997 -=] DarkSide1 Is a peruvian
virus writer [=-

The virus also contains the REMarked comments:
DarkSide1 is in the wild!!! :-)
DarkSide1's E-Mail: virology@usa.net
DarkSide1's live in Peru!!

Macro.Word.DarkSide.b
This encrypted virus contains three macros: AutoClose, DarkSide1B, HerramMacro. It creates the DARKSIDE.NEW file in current directory on C: drive and writes the text to there:
DarkSide1 is Back!!
The name of this macrovirus is DarkSide1.B
Caro's name Dark.A ?! Caro Sucks!! :)
And rememberall DarkSide1 whitout a computer is like...
Billy the Kid without a gun!! :)
WM.DarkSide1.B] by DarkSide1 in Lima Peru 1997

The HerramMacro macro contain the texts:
it's only a clean macro :) very easy !!
DarkSide1 is Cool Macro Virus Writer :)
I like the macrovirii scene...rocks!! :)

Macro.Word.Date

Description Macro.Word.Date

This macro virus was written in Italy. It contains the automatic macro AutoOpen, by which it infects documents and the NORMAL.DOT template. The macro AutoOpen is encrypted (i.e. it is not directly modifiable). Besides the Main subroutine - inside macros it is present on default - the virus contains two other subroutines:
Infezione (Infection)
Effetti (Payload)

Before running the "Infezione" and "Effetti" subroutines, Word.Macro.Date checks the system date. If the year is < 1997 and month is < 6, the virus runs the infection routines, otherwise it aborts its operations.
Word.Macro.Date seems to work correctly also on the English version of Word.
The "Effetti" routine tries to delete the macro AutoClose from templates (disinfects "Divina" macro virus?).

Home