Virus Database


IRC-Worm.Septic

Description IRC-Worm.Septic

This is a virus-worm that spreads through mIRC channels by using an mIRC script program. It also attempts to infect HTML files so that remote computers can be infected when an Internet browser reads the infected HTML pages.
The virus manifests itself on the 1st and 2nd of each month. It displays messages and then runs a video effect. By using VGA functions, the virus changes colors of the monitor turning it from white-on-black to black-on-white and back. The messages are as follows:
Day 1st:
Only in your dreams you can be truly free!
~+DarK.MeSsiAh+~ written by SeptiC [TI]
Day 2nd:
Pure evil comes from within! ~+DarK.MeSsiAh+~
Written by SeptiC [TI]

The virus also supports a "protection" that disables the virus infection routines. When a virus copy is executed, it looks for the C:\_VAC.TXT file and immediately returns to the host program if such a file exists. In that case the virus also displays the message:
You are protected by a devine power
~+DarK.MeSsiAh+~ will not touch your files

DOS COM and EXE infector
The main part of the virus is an ordinary parasitic DOS file infector. The virus is encrypted, and when an infected file is executed, the decryption loop restores the virus code to non-encrypted form and jumps to the main virus routine. The virus then searches for DOS COM and EXE files and infects them. While infecting, the virus encrypts and writes its code to the end of the file and modifies the file header.
The virus searches for files and infects them in the current directory, in the parent directories, and in the directory tree on all drives from C: to G:. The virus checks file names and handles some of them differently. It does not infect COMMAND, ?GA*, ??NP*, ???GW* files. It runs the mIRC script infection routine if an MI* (MIRC.EXE, MIRC32.EXE) file is found. It corrupts anti-virus files: F-*, TO*, TB*, SC*, AV* (F-PROT, TBAV, SCAN, AVP). The virus overwrites them with code that displays the following message and returns to DOS when an infected file is executed:
~+DarK.MeSsiAh+~ a Digital Touch of DarKness! Written by SeptiC [TI]

The virus also deletes the ANTI-VIR.DAT file if it exists.
Infecting BAT files
The virus also searches for BAT and HTML files and infects them in the same directories. While infecting BAT files, the virus writes to the end of the file DOS commands that replace the DOS "dir" command with a set of two instructions: the first runs a virus dropper PORNO.COM, the second executes the DOS "dir" instruction. As a result, on any "dir" instruction the virus dropper is executed.
The virus creates its dropper file PORNO.COM in the Windows Command directory. To locate this directory the virus tries three variants:
C:\WINDOWS\COMMAND
C:\WIN95\COMMAND
C:\WIN98\COMMAND

If none of them is valid, the virus drops this file in the current directory. The virus then opens the C:\AUTOEXEC.BAT file and infects it in the same way as other BAT files.
Infecting HTML files
While infecting an HTML file, the virus creates, in the same directory, the infected dropper with the PATCH.COM name and appends to the end of the HTML file a short set of HTML commands that display the message:
Download The Latest Patch!
Click Here!

"Click Here!" is a link that downloads and runs the PATCH.COM virus dropper when it is activated. As a result, infected HTML pages are "continued" with a virus text that offers to download an upgrade, but spreads the virus code instead.
mIRC script
The virus looks for an mIRC client installed in the system and creates a new SCRIPT.INI file in the same directory. The virus looks for mIRC in six directories and does not drop its mIRC component if none of the directories is found:
C:\MIRC
C:\MIRC32
C:\PROGRAM\MIRC
C:\PROGRAM\MIRC32
C:\PROGRA~1\MIRC
C:\PROGRA~1\MIRC32

While infecting the mIRC client, the virus uses the same trick as other mIRC viruses do: it overwrites the standard mIRC script file SCRIPT.INI with an infected one. When an mIRC client starts with an infected script, it accepts this file and follows its instructions.
The infected SCRIPT.INI contains several commands. The main one is the virus-sending instruction: when any user sends/receives any files, the virus sends to this user its infected dropper file, PORNO.COM.
The virus also sends messages to the channel and users on the channel. When an infected client connects to an IRC server, the virus sends the message to a user with the "SeptiC_dm" nickname:
I am your servant! I have been turned into a zealot of darkness

If the "D.Messiah" string appears in a message in the channel, the virus sends its own message to all users on the channel:
Only in your dreams you can be truly free!
~+DarK.MeSsiAh+~ Written by SeptiC [TI]

On the "666" string, the virus changes the topic of the channel (that is displayed in the header of the channel window), if the infected user has enough privileges. The new topic string appears as follows:
~+DarK.MeSsiAh+~ a Digital Touch of DarKness! Written by SeptiC [TI]

On the "pray" text, the virus sets the channel operator mode to a user who posts this text, and sends the message to the channel:
I Obey my master! long live satan

On the "sacrifice" text all infected users are kicked out of the channel with the message:
Your word is my command, Power to satan!
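
The file-system traces named in this description (the PORNO.COM and PATCH.COM droppers, BAT and SCRIPT.INI files that refer to PORNO.COM, and HTML pages that link to a PATCH.COM beside them) can be checked with a short scanner. This is an added example, not part of the original description; the function names and the contents of the sample files are constructed for illustration, and a match on file names alone can also flag unrelated files.

```python
import os
import tempfile

DROPPERS = {"porno.com", "patch.com"}          # dropper names given in the description
TEXT_EXTS = {".bat", ".htm", ".html", ".ini"}  # file types the description says are modified

def scan_tree(root):
    """Return sorted (relative_path, reason) findings under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        lower = {f.lower() for f in files}
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            low = name.lower()
            ext = os.path.splitext(low)[1]
            if low in DROPPERS:
                findings.append((rel, "dropper file name"))
            elif ext in TEXT_EXTS:
                with open(path, "rb") as fh:
                    body = fh.read().lower()
                if ext == ".bat" and b"porno.com" in body:
                    findings.append((rel, "BAT references PORNO.COM"))
                elif ext in (".htm", ".html") and b"patch.com" in body and "patch.com" in lower:
                    findings.append((rel, "HTML links to PATCH.COM beside it"))
                elif low == "script.ini" and b"porno.com" in body:
                    findings.append((rel, "SCRIPT.INI references PORNO.COM"))
    return sorted(findings)

def build_sample(root):
    """Constructed sample tree: contents are invented stand-ins, not real virus output."""
    samples = {
        "AUTOEXEC.BAT": b"@echo off\r\nrem constructed line naming PORNO.COM\r\n",
        "CLEAN.BAT": b"@echo off\r\ndir\r\n",
        "web/index.html": b"<html></html>\r\n<a href=\"PATCH.COM\">Click Here!</a>\r\n",
        "web/PATCH.COM": b"placeholder",
        "docs/readme.html": b"<html>mentions patch.com only in text</html>",
        "mirc/SCRIPT.INI": b"[script]\r\n; constructed line naming PORNO.COM\r\n",
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, reason in scan_tree(tmp):
            print(f"{rel}: {reason}")
```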


Necropolis

Description Necropolis

This is a dangerous memory resident stealth parasitic virus. It traces INT 13h, 21h, hooks INT 21h and then writes itself to the beginning of COM files and to the middle of EXE files (between the header of EXE file and the module body) when these files are accessed:
[Diagram: COM file and EXE file before and after infection. In the COM file the virus is placed at the beginning of the file; in the EXE file the virus is placed between the header and the module body.]

This virus uses the algorithm of the "Beast" virus: it writes a part of the file being saved to the free sectors of the last cluster of the file, and the file length does not grow.

Necros.1164

Description Necros.1164

This is a non-dangerous memory resident polymorphic virus. It hooks INT 1Ch, 21h and infects COM and EXE files. The virus writes itself to the beginning of COM files, and infects EXE files in the companion way: it creates a .COM file with the name of the .EXE file.
On November 21st the virus beeps and displays:
Virus V2.0 (c) 1991 Necros The Hacker.
Written on 29,30 June in Tralee, Co. Kerry, Ireland.
Happy Birthday, Necros!

It also contains the text:
Virus V2.0 [FrIEND]


    Copyright © 2005 Virus-Database.com