I-Worm.Wallon.a
Description I-Worm.Wallon.a
Wallon is an Internet worm that spreads via emails containing links to infected websites. The infected emails contain the following link:
<HTML><HEAD></HEAD><BODY bgColor=#ffffff><DIV><FONT face=Arial size=2><BR> <A href="http://drs.yahoo.com/[recipient domain]/NEWS/ *http://www.security-warning.biz/personal6/maljo24/ www.YAHOO.com/#http://drs.yahoo.com/[recipient domain]/NEWS"> http://drs.yahoo.com/[recipient domain]/NEWS </A></FONT></DIV></BODY></HTML>
When users click on the link, an Internet Explorer vulnerability allows a script Trojan to be executed. This Trojan extracts a downloader (about 36 KB, packed with ASPack) from itself, which overwrites the wmplayer.exe file. The downloader then downloads the main body of Wallon and installs it in the C drive root directory under the name alpha.exe. Wallon then changes the Internet Explorer home page to www.google.com.super-fast-search.apsua.com and creates its own toolbar in Explorer.
The main component of Wallon is a PE file about 150 KB in size, written in Delphi and packed with ASPack. During installation, Wallon creates the following system registry keys:
[HKCU\SOFTWARE\Microsoft\Internet Explorer\Main] "Wh" = ?
Wallon then scans this key and, depending on the values, attempts to open www.pixpox.com. In this case, Wallon is acting as a clicker for this site, improving visitor statistics. Wallon also sends infected emails to all addresses in the local MS Outlook address book using the indicated SMTP server.
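The link above shows a drs.yahoo.com address as its text while the href carries a second URL after a "*". The following check for that mismatch is an added example, not part of the original description; it assumes that the "*http://..." segment is the address the redirector sends the browser to, and example.org is a constructed stand-in for "[recipient domain]".

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: a "*http://..." segment in the path is the redirector's real target.
REDIRECT_TARGET = re.compile(r"\*(https?://[^*\s]+)", re.IGNORECASE)

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in a message body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def landing_host(href):
    """Host the browser ends up on; the #fragment is never sent, so it is ignored."""
    parts = urlsplit("".join(href.split()))  # drop line-wrap whitespace in the href
    match = REDIRECT_TARGET.search(parts.path + "?" + parts.query)
    target = urlsplit(match.group(1)) if match else parts
    return target.hostname or ""

def mismatched_links(html):
    """Return (shown host, landing host) for links whose text is a URL on another host."""
    collector = AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        shown = urlsplit("".join(text.split())).hostname  # None if text is not a URL
        landing = landing_host(href)
        if shown and landing and shown != landing:
            findings.append((shown, landing))
    return findings

# Constructed sample modelled on the link quoted in this description.
SAMPLE = (
    '<a href="http://drs.yahoo.com/example.org/NEWS/*http://www.security-warning.biz'
    '/personal6/maljo24/www.YAHOO.com/#http://drs.yahoo.com/example.org/NEWS">'
    'http://drs.yahoo.com/example.org/NEWS</a> '
    '<a href="http://www.example.org/about">http://www.example.org/about</a>'
)
```

Only the first link in the sample is reported; the second, whose text and target agree, is not.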
Ida.1490
Description Ida.1490
It is a dangerous memory resident parasitic polymorphic virus. It hooks INT 1Ch and INT 21h and writes itself to the end of COM files that are accessed. The virus's polymorphic engine is quite sophisticated: the decryption loop does not contain the decryption key "in clear". Instead, it tries to decrypt the virus code with different keys, calculates the CRC of the decrypted data, and passes control to the virus code if the CRC is correct. This engine has a bug, and in some cases the virus cannot decrypt itself and the system halts. The virus looks for the text "VERA" on the screen and appends "I Veronika !". The virus also contains the text: [IDA] v0.01 Serg_Enigma
IDEA.6126
Description IDEA.6126
It is a non-dangerous memory resident polymorphic parasitic virus. The virus code is encrypted three times: the first loop is polymorphic; the other loops are not polymorphic, but they use the IDEA encryption algorithm. As a result, decrypting the virus is quite a complex task, and when an infected file is executed even Pentium computers "sleep" for a second or two while the virus decrypts itself. The virus then hooks INT 21h and stays memory resident. When COM and EXE files are executed, the virus writes itself to the end of the file. The virus does not infect COMMAND.COM and several anti-virus programs (TBAV, AVP, NAV, FINDVIRU, F-PROT, all) according to the string (two letters per name): TBVIAVNAVSFIF-FVIVDRSCGUCO
After infecting a file, the virus opens the ANTI-VIR.DAT file (if it exists) and patches the name of the just-infected file there: it replaces the first character of the file name with 01h (the "smile" ASCII character). When ZIP files are accessed by FindFirst/Next DOS commands, the virus adds an infected README.COM file to the ZIP archive. While infecting, the virus drops a file on disk, infects it, appends the infected file to the archive and then modifies the archive structure. As a host file the virus uses one of three simple video-effect programs that it keeps in its code. When executed, these programs manifest themselves by a video effect and display the messages: Downloaded From http://www.narkotic.com/~vico Da BeSt BoaRd In SPaiN: El GriLLo Loco (34-1-352 24 45) * ROADKILL BBS * Call now 028-6621590
While infecting ZIP archives, the virus creates three temporary files: DIR.SKA, END.SKA, ADD.SKA. At 15:30 the virus creates the C:\VIRUS.COM file, writes the standard EICAR anti-virus test file to it, manifests itself by a video effect and displays the rotated message: Warning! strong crypto inside
The virus also contains the text strings: IDEA virus (c) Spanska 98 Thx to Rajaat (poly), F Mirza (IDEA), Wild Worker (zip), Solar D (road)