Virus Database


I-Worm.Xanax

Description I-Worm.Xanax

This is an Internet worm that was found in the wild in the middle of March 2001. The worm spreads via e-mail by sending infected messages from affected computers, and through IRC channels by sending its copy there. The worm also infects EXE files in the Windows directory.
The worm itself is a Win32 application (PE EXE file) written in Microsoft Visual C++. The worm is about 60K in length, but it was found in compressed form: the worm code was compressed by the ASPack utility to about 34K in length.
When the worm starts, it copies itself to the Windows system directory under two names: XANAX.EXE and XANSTART.EXE. The XANSTART.EXE file is then registered in the Registry auto-run key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Default = %winsystem%\xanstart.exe
where %winsystem% is the name of the Windows system directory. As a result, the worm is run each time Windows starts up.
Infected E-mail
The worm then launches its e-mail spreading routine. To do this, the worm creates a temporary XANAX.VBS file (Visual Basic script), writes a VBS program there and starts it with the help of WSCRIPT.EXE. The VBS program gains access to the Outlook address book and sends messages to the first 1,000 addresses from each of the address lists. The messages look as follows:
Subject: Stressed? Try Xanax!
Body:

Hi there! Are you so stressed that it makes you ill? You're not alone!
Many people suffer from stress, these days. Maybe you find Prozac too
strong? Then you NEED to try Xanax, it's milder. Still not convinced?
Check out the medical details in the attached file. Xanax might change
your life!

Attachments: xanax.exe
Infecting EXE files
The worm then looks for EXE files in the Windows directory and infects them. While infecting, the worm moves the victim file's body down and writes itself to the beginning of the file. The worm does not infect files with names beginning with E, P, R, S, T, W.
IRC channels
Next, the worm infects the mIRC client if it is installed. The worm looks for the mIRC client in the following directories:
\mirc
\Program Files\mirc
on the C:, D:, E: and F: drives. If the mIRC client exists, the worm overwrites the SCRIPT.INI mIRC script file with a program that sends the worm's copy to everybody who joins the infected channel.
Other Comments
When the worm is run from a file whose name has the letter 'R' as the next-to-last character (xxxRx.EXE), it displays the following message:

The worm's file XANSTART.EXE, which is registered in the system Registry auto-run key, has exactly such a name. So, the worm displays this message upon each Windows start-up.
The worm also creates more files in the system:
Windows system directory: HOSTFILE.EXE
Windows directory: WINSTART.BAT, XANAX.SYS
The HOSTFILE.EXE file remains after an infected host file has been run; it contains the pure (not infected) body of the last infected file that was run.
The XANAX.SYS file contains the text:
Win32.HLLP.Xanax (c) 2001 Gigabyte
The WINSTART.BAT file contains commands that display the message:
Do not take this medication with ethanol, Buspar (buspirone), TCA antidepressants, narcotics, or other CNS depressants. This combination can increase CNS depression. Be sure not to take other sedative, benzodiazepines, or sleeping pills with this drug. The combinations could be fatal. Do not smoke or drink alcohol when taking Xanax. Alcohol can lower blood pressure and decrease your breathing rate to the point of unconsciousness. Tobacco and marijuana smoking can add to the sedative effects of Xanax.


I-Worm.MyLife.b

Description I-Worm.MyLife.b

The Internet worm MyLife.b spreads via the Internet as an e-mail attachment. The worm itself is a Windows PE EXE file about 11Kb in length, written in Visual Basic. It is compressed by UPX; its decompressed size is about 32Kb.
The infected e-mail messages have the following properties:
Subject:
bill caricature
Body:
Hiiiii
How are youuuuuuuu?
look to bill caricature it's vvvery verrrry ffffunny :-) :-)
i promise you will love it? ok
buy
========No Viruse Found========
MCAFEE.COM
--------------------------------------------------------
Attachment:
CARI.SCR
Screen shot of infected MyLife.b e-mail:

The worm activates from an infected e-mail only when a user clicks on the attached file. The worm then installs itself into the system and runs its spreading routine.
When the worm is launched for the first time it shows a window with a picture.

Installing
While installing, the worm copies itself to the Windows system directory with the name "cari.scr" and registers this file in the system registry auto-run key:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
win=%SYSTEM%\cari.scr
%SYSTEM% is the Windows System directory.
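A defender-side check for the two auto-run entries described on this page (XANSTART.EXE under HKLM and cari.scr under HKCU), added here as an example and not part of the original descriptions: it parses a registry export in .reg text form and reports Run values that launch either file. The sample export, its drive paths and all function names are constructed for illustration.

```python
import re

# Auto-run indicators as described on this page: hive, value name, file name.
RUN_IOCS = {
    "I-Worm.Xanax": ("HKEY_LOCAL_MACHINE", "(default)", "xanstart.exe"),
    "I-Worm.MyLife.b": ("HKEY_CURRENT_USER", "win", "cari.scr"),
}
RUN_KEY = r"\software\microsoft\windows\currentversion\run"
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

# Constructed sample export (assumed paths); the last value is a benign near-miss.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
@="C:\\WINDOWS\\SYSTEM\\xanstart.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"win"="C:\\WINDOWS\\SYSTEM\\cari.scr"
"viewer"="C:\\Tools\\mycari.scr"
'''

def unescape(s):
    # .reg strings escape backslash and double quote with a leading backslash.
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg_export(text):
    """Yield (key, value_name, data) for string values in .reg export text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            name = "(Default)" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
            yield key, name, unescape(m.group(2))

def find_worm_autoruns(text):
    """Return (worm, key, value_name, data, exact) for Run values launching a listed file."""
    hits = []
    for key, name, data in parse_reg_export(text):
        if not key.lower().endswith(RUN_KEY):
            continue
        hive = key.split("\\", 1)[0].upper()
        for worm, (ioc_hive, ioc_name, ioc_file) in RUN_IOCS.items():
            # Match the file name as a whole path component, not as a substring.
            if re.search(r'(^|[\\"])' + re.escape(ioc_file) + r'(\s|"|$)', data.lower()):
                exact = hive == ioc_hive and name.lower() == ioc_name
                hits.append((worm, key, name, data, exact))
    return hits
```

The `exact` flag is true only when the hive and value name also match what the page describes; a hit with `exact` false means the file name appears in a Run key under a different hive or value name.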
Spreading
To send infected messages, the worm uses Microsoft Outlook: it sends messages to all addresses found in the Microsoft Outlook Address Book. The worm also gets victim e-mail addresses from the MSN Messenger e-mail base.
Payload
Once installed in the system (after the Windows reboot following infection), the worm checks the current date; if the current hour value is 8, the worm executes its payload routine, deleting the following files:

c:\*.*
d:\*.*
e:\*.*
f:\*.*
Also deleted are: *.sys files in the Windows directory and *.vxd, *.sys, *.ocx, and *.nls files in the Windows system directory.

I-Worm.MyLife.b

Description I-Worm.MyLife.b

MyLife is a family of worms (different versions) spreading through the Internet as infected email attachments. The worms themselves are Windows PE EXE files, written in Visual Basic and compressed by the UPX file compression utility.
The worm is activated only if users click on the attachment. Once executed, MyLife installs itself into the system and runs its spreading routine.
When MyLife is launched for the first time, it shows either a window with a picture or a message; which one depends on the particular version.
Two possible MyLife pictures:


While installing, this worm copies itself to the Windows System directory and registers this copy (file) in the system registry auto-run key.
MyLife uses Microsoft Outlook to send messages to all addresses found in the Microsoft Outlook Address Book.
File size : about 11Kb.
Decompressed file size : about 32Kb.
Email content:
Subject:
bill caricature
Body:
Hiiiii
How are youuuuuuuu?
look to bill caricature it's vvvery verrrry ffffunny :-) :-)
i promise you will love it? Ok
buy
========No Viruse Found========
MCAFEE.COM
--------------------------------------------------------

Attachment name: cari.scr
File name in the infected system:
%SystemDir%\cari.scr
Affected registry key:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
win=%SystemDir%\cari.scr

Visual effect: when MyLife is launched for the first time, it displays a window with a picture. When this window is closed the worm runs its payload.
Payload: MyLife checks the current date; if the current hour value is equal to 8, the worm executes its payload routine:
MyLife deletes all files with the extension .SYS in the Windows directory, files with the extensions .SYS, .VXD, .OCX, .NLS in the Windows System directory, and all files in the C:, D:, E: and F: root directories.

    Copyright © 2005 Virus-Database.com