IRC-Worm.Lucky
Description IRC-Worm.Lucky
This is a IRC worm that spreads through the IRC channel using mIRC and PIRCH clients for spreading. The worm appears on a computer as the LK7.EXE Windows program about 500K in length. When this file is executed by a user, the worm installs itself into the system, copies the LK7.EXE to the C:WINDOWS directory, then searches for mIRC and PIRCH clients in current, C:MIRC, C:MIRC32, C:PIRCH98 directories, and modifies IRC scripts there.
The worm also installs the ""Backdoor.NetBus" Trojan to the system. To do this, the worm keeps the Trojan's code in its body, extracts it from there, copies to the C:WINDOWS directory with IRCPATCH.EXE name, and executes it.
The worm contains the "copyright" text:
LUCKY B.R.D 1994-99 [LK-7]all
To spread through mIRC channel the worm creates the new script file LK7.INI and sets a reference to this file in the mIRC system script file MIRC.INI. The worm's script intercepts a set of events and uses them to spread its copy to channels and manifest itself:
on a new user joining infected channel, or on files transfer the worm sends its copy (the C:WINDOWSLK7.EXE file) to this user.
if the text "leave!!!" appears in channel, the worm sends to the channel the message "Your will is my command" and leaves the channel.
on "LUCKY !!" text the worm sends to the channel the message "I am a Lamer !!" and changes affected user's nick to "Lamer".
on "Die!!!" text the worm reacts with the "Be sure, I will commit suicide now .. RIP" message and leaves chat.
on "virus" and "virii" strings the virus sends to the channel the text I am infected with [LK-7]..By LUCKY B.R.D 1994-99.Win32 VIRUS".
and so on.
To spread its copy to mIRC channels, the worm also modifies the system registry keys that are responsible for mIRC events, and in some events, the worm also sends its copy to channels.
To spread to PIRCH, the worm creates the new script file EVENTS.INI that contains a command that sends a worm copy to all users that enter the infected channel.
Variants
There are several known variants of the original worm. They are crippled (infect only the mIRC client, for instance) and do not install backdoor files. They spread as files with the names:
"Lucky.b": CLICK-IT.EXE
"Lucky.c": APPOLO.EXE
Check other viruses! Be aware! Use Antiviral Software
MD Family
Description MD Family
These are harmless nonmemory resident viruses. They are related to "Vienna" virus. They infects .COM files of current directory and directories marked in PATH (except "MD.354"). These viruses set the file time stamp to 62 seconds. They contain the text strings "MD", "PATH", "*.COM" and:
"MD.354": MaxWell-Defender: The First Meeting
"MD.498": MaxWell Defender: I don't kill MMM
"MD.499": MaxWell-Defender: I haven't been in Vienna
"MD.557": MaxWell-Defender: I don't infect EXE-files
MDS.331
Description MDS.331
It is a harmless memory resident parasitic virus. It hooks INT 21h and writes itself to the end of COM files that are executed. It contains the text string:
MDS93
|
Home
Viruses from A to Z
0-9
A
B
Ñ
D
E
F
G
H
I
J
K
L
M
N
O
P
Q
R
S
T
U
V
W
X
Y
Z
Lantgård Stockholm
Men's Haircuts
Svenska StÅlhallar Ab
Hallberg Byggkonsult
Vrankunge Bygg
|