Virus Database

IRC-Worm.Claw.2513

Description IRC-Worm.Claw.2513

This is a very dangerous memory resident encrypted parasitic virus. It hooks INT 21h, and writes itself to the end of COM and EXE files when they are accessed. Then it looks for COM and EXE files in the current directory and infects them. The virus also creates a hidden file in the root directory on the C: drive, writes its copy to there and adds to the AUTOEXEC.BAT an instruction to execute this file. The virus then infects WIN.COM and COMMAND.COM in the Windows directory.
To infect mIRC and spread via IRC channels, the virus creates two files in the C:MIRC directory: the MIRC_SYS.INI virus script file and DOS COM virus dropper CYBER.COM. Then it patches the MIRC.INI file with an instruction to load infected MIRC_SYS.INI file on IRC client start-up. The virus script switches off mIRC security (warning messages) and sends the virus dropper into the IRC channel at the moment a user disconnects from the channel.
On September 1st, depending on a random value, the virus erases the FLASH BIOS. To do this, the virus calls extended BIOS functions.
When the virus dropper starts, it displays the texts:
Clawfinger

The virus also contain encrypted strings:
Do you know how it feels to be down in the dirt with a bullet
in yer breast and blood on yer shirt Lying in a bloodpool down
in a pit covered with the corpse and the blood and the shit
How does it feel to have a gun at yer head when ya know that
you'd be much better off dead Freedom has a price and that price
is blood so chase the motherfucker right down in da mud
[ WARFAIR - CLAWFINGER ]

Check other viruses! Be aware! Use Antiviral Software

Already.71

Description Already.71

The 71-bytes ALREADY.COM program that caused virus alert message by AVP is not real computer virus. Tt was written as a utility to prevent duplicate program execution and was distributed as a part of some software. This utility just checks the current date and compares it with stored data. If the date is the same (i.e. this program was ALREADY executed today), it returns errorlevel 1. Otherwise it resets those data and returns errorlevel 0. That allows to use this progr
The reason to detect this program as a computer virus is a bug in it. This program does not just update stored data, but completely overwrites the ALREADY.COM file. Moreover, it overwrites it not in the directory where ALREADY.COM is placed, but creates a copy in the current directory. As a result, if this program is in PATH, running it can spread it on the local disks and network - this utility becomes a worm creating its copies everywhere it is run. That is why AVP detects this program as "Already.71" virus.

Alxe.1287

Description Alxe.1287

It is not a dangerous nonmemory resident parasitic virus. It searches for EXE files, then writes itself to the end of the file. On 20th of any month the virus plays the tune. The virus contains the internal text string:
AlEx
*.EXE

Home