Virus Database


I-Worm.Welyah.a

Description I-Worm.Welyah.a

This is a worm that spreads on Win32 systems. It sends e-mail messages with infected attachments, sends files from the local computer to steal information from infected systems, and has destructive actions. The worm was discovered in the wild in December 2001.
The worm itself is a Windows PE EXE file about 108K in length, written in Visual Basic 6.
Infecting the system
When an infected file is run (when a user clicks on an attached file and activates it, or if the worm gets control through an IFRAME security breach), the worm's code takes control. First of all, it drops (installs) its components to the system and registers itself in the system registry.
While installing, the worm copies itself to the Windows system directory with the name WINL0G0N.EXE, and registers this file in the system registry auto-run keys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
WINL0G0N.EXE = WINL0G0N.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
WINL0G0N.EXE = WINL0G0N.EXE
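The auto-run entries listed above use a file name that swaps zeros for the letter O in a genuine Windows binary name. The following check for that pattern is an added example, not part of the original description; the reference list of system binaries, the character fold table and the sample `reg query` output are assumptions constructed for illustration.

```python
import re

# Assumed reference list of genuine Windows binaries a dropper might imitate.
SYSTEM_BINARIES = {"WINLOGON.EXE", "SVCHOST.EXE", "EXPLORER.EXE", "LSASS.EXE"}
# Characters that read alike are folded to one form before comparing.
FOLD = str.maketrans({"0": "O", "1": "L", "I": "L", "5": "S"})
SKELETONS = {b.translate(FOLD): b for b in SYSTEM_BINARIES}

RUN_KEY = re.compile(r"^(?:HKEY_CURRENT_USER|HKEY_LOCAL_MACHINE|HKCU|HKLM)"
                     r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.I)
VALUE = re.compile(r"^\s+(?P<name>.+?)\s+REG_(?:EXPAND_)?SZ\s+(?P<data>.*)$")

def lookalike_of(token):
    """Return the genuine binary that `token` imitates, or None."""
    upper = token.upper()
    real = SKELETONS.get(upper.translate(FOLD))
    # The genuine name folds to its own skeleton; that is not a look-alike.
    return real if real and upper != real else None

def scan_run_keys(reg_query_output):
    """Return (key, value name, imitated binary) for suspicious auto-run values."""
    findings, key = [], None
    for line in reg_query_output.splitlines():
        if line and not line[0].isspace():      # unindented line = key header
            key = line.strip() if RUN_KEY.match(line.strip()) else None
            continue
        m = VALUE.match(line)
        if key is None or m is None:
            continue
        # Check the value name and every path component of the command line.
        tokens = {m["name"]} | set(re.split(r'[\\/"\s]+', m["data"]))
        hit = next((r for r in map(lookalike_of, sorted(tokens)) if r), None)
        if hit:
            findings.append((key, m["name"], hit))
    return findings

# Constructed `reg query` output; the WINL0G0N.EXE values mirror the entries above.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    WINL0G0N.EXE    REG_SZ    WINL0G0N.EXE
    ctfmon    REG_SZ    C:\Windows\System32\ctfmon.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    WINL0G0N.EXE    REG_SZ    WINL0G0N.EXE
    Shell    REG_SZ    "C:\Windows\System32\winlogon.exe" /s
"""

if __name__ == "__main__":
    for key, name, real in scan_run_keys(SAMPLE):
        print(f"{key}: value {name!r} imitates {real}")
```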
Spreading
To send infected messages, the worm uses a direct connection to an SMTP server. The worm obtains an SMTP server address from the system registry or uses the following predefined address:
210.177.111.18
Victim e-mail addresses are obtained from files on the local disks. The file list is as follows:
"*.eml","*.wab","*.dbx","*.mbx","*.xls","*.xlt","*.mdb"
Next, the worm sends infected messages. The message body is in HTML format, and exploits an IFRAME breach to spawn an infected attachment on vulnerable machines.
The message fields are:

Subject: Welcome to Yahoo! Mail
Body: Welcome to Yahoo! Mail
Attachment: readme.txt

The worm stores the list of its victims' e-mail addresses in the file emailinfo.txt. While spreading, it stores its dropper in the file email.txt.
Sending files from a local computer
The worm looks for files in the subdirectories of the local disks. The file list is:
"tree.dat","smdata.dat","hosts.dat","sm.dat"
It sends them to the FTP server "ftphd.pchome.com.tw" for the users from the following list:
shit0918, shit530, shiu58, shoho2, shoo2206
Destructive actions
The worm deletes all files in the current directory. It can delete files in the Windows root directory after rebooting.


Moctezuma Family

Description Moctezuma Family

These are dangerous memory-resident polymorphic viruses. They hook INT 8, 13h, 21h and infect .COM and .EXE files that are executed. They write themselves to the end of EXE files and to the beginning of COM files. These viruses contain the text:
Moctezuma's Revenge

Sometimes they exchange the bytes in the disk sectors.
"Moctezuma.2208" delays and shifts a part of the screen on the INT 8 (timer) calls.

Moctezuma.2208

Description Moctezuma.2208

This is a dangerous memory-resident polymorphic virus. It hooks INT 8, 13h, 21h and infects COM and EXE files that are executed. It writes itself to the end of EXE files and to the beginning of COM files.
This virus contains the text:
Moctezuma's Revenge
Sometimes it exchanges the bytes in the disk sectors.
The virus delays and shifts a part of the screen on the INT 8 (timer) calls.

    Copyright © 2005 Virus-Database.com