Illusion.1330
Description Illusion.1330
These are very dangerous memory-resident parasitic viruses. They hook INT 21h and write themselves to the end of COM files when those files are executed or when a file's attributes are read or set. The viruses have bugs and replicate only in a limited range of system environments; in other cases they halt the system. The viruses delete the following anti-virus data files: ANTI-VIR.DAT, CHKLIST.MS, SMARTCHK.CPS, AVP.CRC, IVB.NTZ, CHKLIST.TAV
On July 4th and Fridays that fall on the 2nd, the viruses erase hard drive sectors and the CMOS, and display the following message:
-- IlluSioN viRus coded by ThE_WiZArD in Spain (1997) --
When you know that your time is close at hand
Maybe then you will begin to understand
Life down there is just a strange Illusion all
The viruses also contain the text: ->#ThE_WiZArD
Melissa.bg (a.k.a. "Resume worm")
Description Melissa.bg (a.k.a. "Resume worm")
This is one more variant of the "Melissa" virus with a very dangerous payload routine and a mailing routine that is unlimited in its number of recipients. The virus only sends infected messages by using MS Outlook and does not infect any other files on the computer, so it can be classified as an Internet Worm.
The virus arrives as an e-mail message with an attached Word document. The message subject is as follows:
Resume - Janet Simons
The message body is:
To: Director of Sales/Marketing,
Attached is my resume with a list of references contained within. Please feel free to call or email me if you have any further questions regarding my experience. I am looking forward to hearing from you.
Sincerely,
Janet Simons.
The attached document contains two macros that are activated upon document opening and closing (Document_Open, Document_Close). Upon opening an infected document, the virus connects to MS Outlook, gets access to the address book and sends infected messages to all addresses listed there. The virus creates a "personal" message to each address, so it sends as many messages as there are addresses in the Outlook address book.
Upon document closing, the virus saves its document with the EXPLORER.DOC name in the Windows startup folder:
C:\WINDOWS\Start Menu\Programs\StartUp\Explorer.doc
As a result, this virus copy will be activated upon each Windows start-up. The name of that file is "hardcoded" in the virus body, so this feature is successful only when Windows is installed in exactly that directory.
The virus also creates the C:\DATA directory and stores its copy in there with the NORMAL.DOC name:
C:\Data\Normal.dot
The virus then runs its payload routine. It erases all files in root directories on all drives from C: to Z:, as well as in the directories:
C:\My Documents\*.*
C:\WINDOWS\*.*
C:\WINDOWS\SYSTEM\*.*
C:\WINNT\*.*
C:\WINNT\SYSTEM32\*.*
The virus code also contains the text strings:
'----------------------------------------------------------'
' Better You Than Me Buddyall '
' ... Hope You Like My vIrUs '
' :) '
' :( '
'----------------------------------------------------------'
MemEater
Description MemEater
This is a non-dangerous memory-resident boot virus. It hooks INT 13h and writes itself to the boot sectors of floppy disks that are accessed. While infecting a floppy disk, the virus stores the current day and month in its code. When the system loads from that disk on the same day the disk was infected, the virus decreases the size of system memory by 1K. Otherwise the virus decreases system memory by 2K and stores the new day and month, then by 3K, 4K, etc. As a result, each day the virus "eats" more system memory than the day before.