Virus Database

I-Worm.Vybab

Description I-Worm.Vybab

This worm spreads via the Internet as an attachment to infected messages. It can also infect EXE files.
It is a PE EXE file written in Borland Delphi and is approximately 140 KB in size.
Installation
When installing itself to the system, the worm creates a file named 123.txt in the Windows directory. This file contains the following text string:
babyv ; made of Ran
It also creates files in the root directory and the Windows directory. The names of these files are created from three random characters and one of the following extensions:
bat
exe
htm
rar
doc
xls
These files do not contain the body of the worm.
The worm copies itself to a temporary file named seeyou.rar in the C: root directory.
It also creates a file named echo.vbs in the Windows temporary directory. This file contains the script which enables the worm to propagate via email.
Propagation via email
Each time the worm or one of the infected files is launched, the worm sends itself to all addresses in the MS Outlook address book. Infected emails have the following characterstics:
Message header:
Microsoft Pack3, ;o)
Message text:
Hi:
This is Microsoft client server center
Check This!
Infecting EXE files
When the worm is launched for the first time, it infects EXE files located in the Program Files directory, and in the directory which the worm was launched from. It writes itself to the beginning of those files.
After this the worm searches all directories on all accessible drives and infects all EXE files found.
When an infected file is launched, the virus copies itself into the root directory of every available drive and sends itself via email. The original uninfected file is saved in the Windows temporary directory and will re-establish control once the worm finishes the infection process.

Check other viruses! Be aware! Use Antiviral Software

Saratoga (Icelandic) Family

Description Saratoga (Icelandic) Family

These are dangerous memory resident parasitic viruses. They hook INT 21h and write themselves to the end of each second or tenth (depending on the virus version) .EXE file that is executed or loaded into the memory. After every successful infection of a file the viruses mark as BAD cluster one of free clusters of the current disk.

Saratov.1790

Description Saratov.1790

It is not a dangerous memory resident encrypted parasitic virus. It hooks INT 21h and writes itself to the end of .COM and EXE files that are executed or opened. The virus corrupts the CHKLIST.MS file, if is exists, while infecting a file the virus checks the file name, and does not infect the files from the list (three symbols per name):
EVRWD.800COMDRWANTAIDWEBWINKRNSCACLEPT.

The virus also scans the screen buffer for "Web" string, and terminates infection if that string is found.
Depending on the system timer the virus displays the message:
Thanks for using Saratov software.

The virus intercepts the execution of the programs with "/c vir" argument and may have to display the message followed by virus' "generation" number, but fails. The message is:
The File Corrector v2.0. Made in Saratov. Serial #

Home