Virus Database

I-Worm.XCod

Description I-Worm.XCod

This is Email/IRC worm. The worm body itself is Win32 PE EXE file written in VisualBasic. The worm has too many bugs to be described well.
It copies itself to:
C:windowsinstall_.exe
C:windowssystemsysboot_.exe
and registers itself in Registry keys:
HKEY_CLASSES_ROOTexefileshellopencommand
"C:windowssystemsystray_.exe" %1 %*

HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun
SystemTray = C:Windowssystemsystray_.exe
SystemTray = C:Windowssystemsysboot_.exe
(the last line overlaps first one, so first line disappear in system registry).
HKEY_LOCAL_MACHINESoftwareWinsysinfo
Program Name = X-Coderz
CurrentVersionNumber = X-Coderz.VBS.03.A
(it intends to write more lines to there, but fails).
The messages sent by Email (it also fails to do that) contain the INSTALL_.EXE attached file, the message text and subject are selected from variants:
Hey
Hey, How Are Things? I'm Writing This E-Mail To Let You Know Of An
Attachment Im Sending With The Next Mail You Will Probably Find. It Very
Useful. I did! See You Soon

Hey Its Me Again,Here You Go Its The Installation Program For An Adults
Only Explicit Screensaver (Pornographic)

Hey Its Me Again,Here You Go Its The Installation Program For An Outlook
Express Security Upgrade

Hey Its Me Again,Here You Go Its The Installation Program For A Microsoft
Explorer Patch V7.5 (Required For Many Sites)

Hey Its Me Again,Here You Go Its The Installation Program For A Cool Game
I Found On The Web, Try It!

Hey Its Me Again,Here You Go Its The Installation Program For An
Excellent MP3 Player With Plug-Ins LIMITED EDITION
To spread itslef throug IRC channels the worm affects the mIRC client in C:Mirc directory. The worm writes (successfully) the SCRIPT.INI file with commands that send to IRC channels the worm copy with "installx2.exe" name, and send to there the message too:
You gotta see this. Talk about hard core, jesus!! This is kinky at its
bestall you gotta see this, just look at it!!
The worm deletes Norton Anti-Virus data files: C:Program FilesNorton AntiVirus*.dat
On June 22 the worm intends to display (but fails) the message box:
X-Coderz VBS Virus 0.3
X-Coderz Have Taken Control
then:
X-Coderz???
Remove Virus From Your System?
and then:
X-Coderz
FUCK YOU!!!!!!

Check other viruses! Be aware! Use Antiviral Software

Hidenowt.1741.a

Description Hidenowt.1741.a

It is a harmless memory resident parasitic partly encrypted virus. It writes itself to the end of .COM and .EXE files. When an infected file is executed, the virus infects the C:COMMAND.COM file, then it traces and hooks INT 21h, then it infects the files on DOS calls FindFirst/Next.
The virus uses anti-debug tricks. It contains two text strings, the former is encrypted, the latter is used as virus-ID word:
C:COMMAND.COM
Yx

Hider.1782

Description Hider.1782

This is a dangerous non-memory resident encrypted parasitic virus. It searches for COM (except COMMAND.COM) and EXE files, and writes itself to the end of the file. It deletes anti-virus data files. It contains the text string:
*.MS *VIR.DAT COMMAND.
On 13th of each month it sets Hidden attribute to the files and displays the message:
Anston Rant is back for more!
Whoa, looks like you be missin some files there, Bud!

Home