Virus Database


IRC-Worm.Blackout

Description IRC-Worm.Blackout
Blackout is an IRC worm spreading via IRC channels. The worm itself is a Word document and contains one macro called "Blackout".
Installing
When the worm is executed, it does the following: Adds the value "Level 1" to the registry key:
HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security

Blackout attempts to disable the Security menu item in the Macro menu and creates a file called "blackout.vxd" in the root directory of the C: disk, into which it writes its source code.
Additionally, this file is used to infect all Word documents in the directory C:\mydocu~1.
The worm creates the file C:\Blackout.vbs and registers this file in the automatic launch string of the system registry:

HKEY_LOCAL_MACHINE\Microsoft\Windows\CurrentVersion\Run

Blackout adds the value ppacket by pickpacket to the registry key:
HKEY_LOCAL_MACHINE\Software\Blackout

Blackout copies itself to C:\Readme.txt.doc.
Spreading
Blackout searches for the "Mirc32.exe" file in the folders:
C:\Mirc and C:\Progra~1\Mirc.
If the worm finds the "Mirc32.exe" file in these folders, it attempts to overwrite the "Script.ini" file in the same folder(s). The "Script.ini" file is a short mIRC program that sends the C:\Readme.txt.doc file to everybody who enters an infected channel.
Payload
If the hour is 0 or 23, the worm may use the Microsoft Office Assistant to display the following message:
W97M/Blackout
This goes out to the people in the power companies!!!

Blackout then changes the value to "NoClose" in the registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

This hides the "Shut Down" menu item on the Start menu.
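
A triage check built from the file artifacts listed in the Blackout description, for a read-only copy of the C: volume mounted at a directory. This is an added example, not code from the original page; the function names, the finding labels and the "Program Files" long name for Progra~1 are assumptions, and the sample tree is constructed from inert placeholder files.

```python
import os

# Indicators from the Blackout description, relative to the root of C:.
DROPPED_FILES = ["blackout.vxd", "Blackout.vbs", "Readme.txt.doc"]
# "Program Files" is an assumption: the usual long name behind Progra~1.
MIRC_DIRS = ["Mirc", "Progra~1/Mirc", "Program Files/Mirc"]
LURE = b"readme.txt.doc"  # document the rewritten Script.ini sends out

def find_ci(parent, name):
    """Return the entry of `parent` matching `name` ignoring case, else None."""
    try:
        for entry in os.listdir(parent):
            if entry.lower() == name.lower():
                return os.path.join(parent, entry)
    except OSError:
        pass  # missing, unreadable, or not a directory
    return None

def resolve_ci(root, relpath):
    """Walk `relpath` under `root` one component at a time, ignoring case."""
    current = root
    for part in relpath.split("/"):
        current = find_ci(current, part)
        if current is None:
            return None
    return current

def scan_for_blackout(root):
    """Return (kind, path) findings for a copy of C: mounted at `root`."""
    findings = []
    for name in DROPPED_FILES:
        path = find_ci(root, name)
        if path and os.path.isfile(path):
            findings.append(("dropped-file", path))
    for rel in MIRC_DIRS:
        script = resolve_ci(root, rel + "/Script.ini")
        if script and os.path.isfile(script):
            with open(script, "rb") as fh:
                if LURE in fh.read().lower():
                    findings.append(("mirc-script-references-lure", script))
    return findings

def make_sample(root):
    """Build a constructed sample tree of inert placeholder files."""
    os.makedirs(os.path.join(root, "MIRC"))
    for name in ("BLACKOUT.VXD", "readme.txt.doc"):
        open(os.path.join(root, name), "wb").close()
    with open(os.path.join(root, "MIRC", "script.ini"), "wb") as fh:
        fh.write(b"; constructed placeholder naming C:\\Readme.txt.doc\n")
```

Names are matched without regard to case because the original file system is case-insensitive while the analysis host may not be. The registry values described above are not covered by this file-level check.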


Bomber

Description Bomber

It is a harmless memory resident polymorphic virus. It hooks INT 21h and infects COM files, except COMMAND.COM, when they are run. It contains the internal text messages "COMMANDER BOMBER WAS HERE" and "[DAME]".
The characteristic feature of this infector is a new polymorphic algorithm. Upon infection the virus reads 4096 bytes from a randomly selected offset and writes this code at the end of the file. It then writes its own code into the resulting 'hole' and begins its polymorphic routine. The virus contains several subroutines which generate random (but successfully executing!) code. It inserts these parts of random code at randomly chosen positions in the host file. About 90% of all i8086 instructions are present in those parts. Each part takes control from the previous part via JMP, CALL, RET or RET xxxx instructions. The first part is inserted at the beginning of the file and jumps to the next part, the next part jumps to the third, and so on. The last part returns control to the main virus body. As a result, the infected file looks as if it is covered in 'spots' of inserted code.

Bomzh.3809

Description Bomzh.3809

It is a very dangerous memory resident encrypted parasitic stealth virus. It hooks INT 17h and INT 21h and writes itself to the end of EXE files that are executed, renamed or closed. When an infected file is opened, the virus disinfects it. When a file compression utility is run, the virus disables its stealth routine. The list of these utilities is as follows:
RAR.EXE PKZIP.EXE ARJ.EXE ICE.EXE HA.EXE

The virus deletes the files:
VSWAP.WL?
ILLURIA.MAP
*.WAD

While a file is being printed, the virus inserts a word in Russian into the data. The virus also contains text strings in Russian.


    Copyright © 2005 Virus-Database.com