Virus Database


AntiWin_III.465

Description AntiWin_III.465

This is a dangerous non-memory-resident parasitic virus. It searches for COM files in the current and parent directories, then writes itself to the end of each file. If a file matching WIN*.COM is found, the virus overwrites it with a program that displays the following message and returns to DOS:
This program requires Microsoft Windows
The virus contains the text string:
->AntiWindows<-


I-Worm.Tossed

Description I-Worm.Tossed

This worm spreads in e-mail messages. The worm itself is a DOS EXE file about 30K in length. When run, it installs itself to the Windows directory under the name TYPEDEF.EXE and registers itself in the auto-run section of the WIN.INI file. To hide its activity, the worm then displays a fake message and exits:
PKSFX Self Extraction Utility Version 2.50 03-01-1999
Copr. 1989-1999 PKWARE Inc. All Rights Reserved. Shareware Version
PKZIP Reg. U.S. Pat. and Tm. Off. Patent No. 5,051,745

Error in SFX - Unable to extract !!
While installing, the worm tries four hardcoded variants of the Windows directory name: C:\WINDOWS, C:\WIN95, C:\WIN98 and C:\WINNT. It fails to install itself when Windows is installed in a directory with a different name.
Upon the next Windows start-up, the worm copy is activated as the TYPEDEF.EXE file from the Windows directory. The worm keeps a counter that is stored in the TYPEDEF.INI file and is incremented each time TYPEDEF.EXE starts (i.e., on each Windows start-up). Depending on that counter (once per three runs), the worm creates a TYPEDEF.VBS file and writes to it a Visual Basic Script program that sends the worm copy attached to e-mail messages.
That program opens MS Outlook, reads e-mail addresses from the AddressBook and sends messages to all of them. The message subject is: "Check this out". The message text and attached file name are randomly selected from eight variants:
It seems internet explorer 5 has some kinda bug which leaves some secuirity holes and allows somebody to write files onto your system. I downloaded this fix. I am sending it as an attatchment.
Attach: IE5FIX.EXE
I found something to help get rid of those irritating ads that pop up when you go to some sites. I am sending it as an attatchment.
Attach: NOADS.EXE
Here are some images you might like. You really need to check them out.
Attach: IMAGES.EXE
I am sending some of the coolest pictures known to man. You might want to check them out.
Attach: COOLPICS.EXE
Please take a look at these documents. I am sending them compressed in a self extractor.
Attach: DOCS.EXE
I am sending you the setup of the latest shareware version of PKZip. It gives excellent compression ratios. You might want to install it.
Attach: PKSETUP.EXE
I downloaded a patch to some bug in Internet Explorer. I am sending it as an attatchment.
Attach: PATCH.EXE
I downloaded a screen saver with cool effects. I am sending you its installation. Do try it out
Attach: SCRNSAVE.EXE
Also depending on the counter, the worm displays the text:
[large ASCII-art banner; layout lost]
!!! and scrambled eggs !!!
I-WORM.TSSE
Coded by [Offset]
The worm also contains the text strings:
The Tossed Salad and Scrambled Eggs Worm = I-Worm.TSSE. Coded by [Offset]

I-Worm.Totilix

Description I-Worm.Totilix

This is a very dangerous Internet worm spreading in e-mail messages. Upon being run on a machine, it overwrites all EXE files in the Windows directory with its copy, except EMM386.EXE, SETVER.EXE and files that are currently running and locked (EXPLORER.EXE, for instance).
The worm then registers its file to be run upon each Windows startup (this is all for nothing, because the system will not be functional anyway after all EXE files have been overwritten). While registering, the worm creates a new auto-run entry in the system registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
RunAVUpdate = "worm filename"
where "worm filename" is the actual name of the file the worm was run from.
The worm also creates an "identification" registry key:
HKLM\Software\Microsoft\AVUpdteInstall
which marks the system as already infected, so there is no need to overwrite EXE files in the Windows directory and send infected messages again.
Spreading
The worm does not obtain victims' e-mail addresses from the MS Outlook address book or from other files as other e-mail worms do, but forces the user to select a victim address. When starting, the worm displays a fake message:
AV Intelligent Updater
Please select email address to send at your friend
Select email address with 'a' only not with 'A'
[OK]
The worm then activates an e-mail client by using MAPI functions (i.e., not depending on the e-mail client brand and version), activates the Address Book menu and waits for the user to select address(es) there. The worm then sends an infected message to a selected address. The message has:
Subject: Virus Alert Update: New VBS.LoveLetter Threat
Text:
Hi Friend,
This mail contains a new AV intelligent updater for all antivirus.
To install it, execute the attachment file
if you have any problem, send mail at antivirus@hotmail.com

The attached file name is the same as the name of the file the worm has been activated from. Initially, the worm was received under the AVUPDATE.EXE name.
In case any error occurs while selecting an address or sending, the worm erases all files in the Windows directory, and displays one of the following "error" messages:
The recipient requested has not been or could not be resolved to a unique address list entry
The recipient could not be resolved to any address.The
recipient might not exist or might be unknown
One or more unspecified errors occured
The name was not resolved
There was insufficient memory to proceed
The operation was not supported by the messaging system
The user was cancelled one or more dialog box
In case the worm successfully sends infected e-mail, it disguises itself with the message:
AV Intelligent Updater
Internal error occured when you have launch this program
Contact antivirus@hotmail.com or others AV
Other Manifestations
Depending on system date and time, the worm erases files in the Windows directory and displays the following messages:
On 13th of any month, if seconds = 30
Virus Win32.AVUpdate
Attention, votre PC est en danger!!!!!
Car ceci est ma veritable identite
Veuillez contacter votre centre AV le plus proche
On February 2:
Win32.Eva by Benny, (c) 1999
Hello stupid user, i'm so sorry but i have to interrupt your work,
Cause i hate this shitty program. Click OK to continue
Greets to:
Super/29A
Darkman/29A
Jack Qwerty/29A
Billy Belcebu/DDT
And many other 29 Aersall
On May 9:
Win32.3x3eyes coded by: Bumblee[UC]
This is my last contribution to Ultimate Chaos team Greetings UC brothers
On April 5:
Virus Report rev 2.1
SPIT.Win32 is a Bumblee Win32 Virus
Feel the power of spain and die by the SpiT!
On September 24:
TOTILIX Presents...
This >TOTILIX< Virus was assembled at the city of Oporto Portugal!
Gas_par@hotmail.com
(c) 1999 G@SP@R aka Sexus
Worm Variants
Variants of the worm are known. They differ from the original version in the registry key value, message texts and manifestations:
Totilix.b
Registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
ILoveBritney = "worm filename"
Messages:
ILoveBritney Freeware
Please select email address to send at your friend
This program open automaticaly your address book

ILoveBritney Freeware
Thanks to have take this freeware!!!!
Which include new screen saver about britney
Now, send this software to your friend who like me
If you want to email me, send at britney@peeps.com
Email texts:
Subject: New Britney Screen Saver
Text:
Hi
I Send you this mail to give you a new screen saver about Britney Spears.
I hope your enjoy to have it.
See you soon...
On February 12 it deletes the files AUTOEXEC.BAT, CONFIG.SYS, IO.SYS, MSDOS.SYS and displays the message:
Win32.ILoveBritney
It's Britney Birthday!!!!!
You musn't work today...
Totilix.c
Registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
Madonna32 = "worm filename"
or
MadonnaNT = "worm filename"
Messages:
Madonna Hot Picture Software
Hey, before you use this software
Send me to your friends, please
Madonna Hot Picture Software
Hey, a error occured during the loading
Please retry later or contact Madonna Official Site

Madonna Hot Picture Software
A error occured when i try to send email
Please refer to your windows help for more informations

Madonna Hot Picture Software
This program need MAPI functions
It can be find into your computer
Please refer to Windows help to install it
Email texts:
Subject: Madonna Hot Picture
Text:
Hey, I know you like Madonna.I found this software on Madonna Official Site.
It contains a lot of picture about Madonna.
I hope you like to have it
See you soon...
Depending on system date and time it:
displays the message and exits Windows:
Win32.IHateMadonna by ZeMacroKiller98
Hey man, you see now that your PC is infected by me
Just now, you see that i HATE Madonna
overwrites AUTOEXEC.BAT file with "format c" trojan and displays:
Win32.IHateMadonna
Ha Ha Ha Ha!!!, Madonna Virus is in your computer...
And time is occured to destroy your PC!!!!!!
Thanks to ZeMacroKiller98!!!
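
Added example (not part of the original descriptions): a triage check for the auto-run persistence described above, covering the WIN.INI entry that starts TYPEDEF.EXE (I-Worm.Tossed) and the Run/RunServices value names used by I-Worm.Totilix and its variants. It assumes the registry is available as a regedit text export; the sample inputs, including the MADONNA.EXE path, are constructed.

```python
import ntpath
import re

# Indicators named in the descriptions above (matched case-insensitively).
TOSSED_FILE = "typedef.exe"
TOTILIX_VALUES = {"runavupdate", "ilovebritney", "madonna32", "madonnant"}
AUTORUN_KEYS = (
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
)

# Constructed sample inputs: a WIN.INI fragment and a REGEDIT4 export.
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\TYPEDEF.EXE\nNullPort=None\n"
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"RunAVUpdate"="C:\\TEMP\\AVUPDATE.EXE"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Madonna32"="C:\\TEMP\\MADONNA.EXE"
'''

def scan_win_ini(text):
    """Return (key, program) for load=/run= entries that start TYPEDEF.EXE."""
    hits, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "windows" and "=" in line and not line.startswith(";"):
            key, _, value = line.partition("=")
            if key.strip().lower() in ("load", "run"):
                for prog in re.split(r"[,\s]+", value.strip()):
                    if ntpath.basename(prog).lower() == TOSSED_FILE:
                        hits.append((key.strip().lower(), prog))
    return hits

def scan_reg_export(text):
    """Return (key, value name, data) for Totilix auto-run value names."""
    hits, key = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif m and key.lower() in AUTORUN_KEYS and m.group(1).lower() in TOTILIX_VALUES:
            # .reg exports escape backslashes; undo that for reporting.
            hits.append((key, m.group(1), m.group(2).replace("\\\\", "\\")))
    return hits
```

The check matches on the value name rather than the file name, because the descriptions state that the registered file name is whatever name the worm was run from.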

    Copyright © 2005 Virus-Database.com