Virus Database


IRC-Worm.Spth

Description IRC-Worm.Spth

This is a polymorphic worm written in Batch script using the Windows 2000/XP (cmd.exe) extensions. The worm contains two parts: a polymorphic generator and the main body. The polymorphic generator reconstructs the main body each time the batch file is started. The worm creates its droppers as the files SPTH.BAT and C:\MIRC\SATURN.BAT. It also creates the script file C:\MIRC\SCRIPT.INI. The script sends the worm dropper (SATURN.BAT) to each user who joins the infected channel. The worm also rewrites batch files in the WINDOWS directory. The worm contains the comments:
----------- BatXP.Saturn ********** by Second Part To Hell -----------
|
I think, you are looking at the code and think: "What the hell is this?"|
The answer is: A Windows XP Batch polymorph virus :D |
WinXP is using a program named CMD.EXE instate of COMMAND.COM for DOS |
You're able to make the really nice things with CMD which you wasn't |
able to do it with COMMAND.COM. |
|
Information about the virus: |
Virusnameall...................: BatXP.Saturn |
Virusauthor....................: Second Part To Hell |
Size...........................: The poly-engine has 1.301 Bytes |
The whole virus has 4.158 Bytes |
Encrypted......................: Yes, but only the virus part. |
I'll crypt also the poly engine in |
next versions. |
Polymorphic....................: Yes |
|
written from 20.11.2002 to 22.11.2002 |
in Austria |
----------------------------------------------------------------------

Modifications
IRC-Worm.Spth.b
The worm's droppers are: SPISSTOM.BAT, C:\PROGRA~1\MIRC\MIRC.BAT
The script file name is: C:\PROGRA~1\MIRC\SCRIPT.INI
IRC-Worm.Spth.c
The worm's droppers are: SPISSTOM.BAT, C:\MIRC\INSTALL.BAT
The script file name is: C:\MIRC\SCRIPT.INI
IRC-Worm.Spth.d
The worm's droppers are: DRRA.BAT, C:\PROGRA~1\MIRC\SATURN.BAT
The script file name is: C:\PROGRA~1\MIRC\SCRIPT.INI


Macro.Word.Showoff

Description Macro.Word.Showoff

text (c) Michal A. Egler
This virus contains the following encrypted macros: Hayo, AutoOpen, Nomercy2, Organizer, ToolsMacro, FileTemplates.
On the 13th day of any month the virus creates the file C:\WINDOWS\SYSTEM\NOMERCY.DLL. This file contains a debug script with the dump code of the NoMercy.575 DOS parasitic virus. Using this script, the virus creates the virus dropper NOMERCY2.COM.
Next the virus deletes the files:
C:\*.BAT
C:\*.SYS
C:\WINDOWS\*.GRP
C:\WINDOWS\*.DRV
C:\WINDOWS\*.DLL
C:\WINDOWS\SYSTEM\*.DRV
C:\WINDOWS\SYSTEM\*.DLL

It also inserts the following commands into the AUTOEXEC.BAT file to execute the virus dropper:
@echo off
nomercy2.com

After restarting the computer the virus code stays resident and infects each executed COM and EXE file.
The virus displays a UserDialog containing the text:
No Mercy II [Hell on WinWord], The Madness Continuesall..
wall
NoMercy II ©1997 by CrazybitS
From the land of Smoking Vulcanoes and Gamelan Orchestras
This Macro Virus Was Released for follow his brother No Mercy

Sometimes the virus changes names of macros:
Nomercy = AutoOpen
AutoClose = Nomercy2
AutoExec = Hayo
ToolsMacro = ToolsMacro
Organizer = Organizer
FileTemplates = FileTemplates

Sometimes the virus displays a UserDialog with the text:
No Mercy II Was Distrub !
Mmmmm.... you just lost your files !
Don't do it again !

Macro.Word.Shuffle

Description Macro.Word.Shuffle

This is a stealth Word macro virus. It contains one macro in documents (AutoOpen) and four macros in NORMAL.DOT (XXXXX, FileSaveAs, ToolsMacro, FileTemplates).
The virus infects the global macros area (NORMAL.DOT) when an infected document is opened (AutoOpen) and writes itself to documents that are saved with a new name (FileSaveAs). The virus infects documents in the usual way; when infecting NORMAL.DOT, it deletes all macros there, minimizes the Word window, and copies its macros string-by-string to the global macros area.

    Copyright © 2005 Virus-Database.com