Jerusalem.a
Description Jerusalem.a
Jerusalem family. This virus hooks INT 9, 16h, and 21h. Upon a 'warm' reboot (Alt-Ctrl-Del), according to the current time, the virus decrypts (XOR AFh) and displays the following text: The world will hear from me again!
Depending on the date, it corrects the text entered from a keyboard. If a user types "fu manchu", the virus adds "virus 3/10/88 - latest in the new fun line!". If a user types "thatcher", "reagan", "botha" or "waldheim", the virus adds some rude words: "thatcher is a #@$&*", "reagan is an @$$%$##", "botha is a &%$#@#$%", "waldheim is a $%#@&*". When entering the unflattering words, the virus erases them from the screen.
Jeru.Math "Jerusalem" family. On Fridays, it also hooks INT 9 (keyboard), and when Alt-Ctrl-Del keys are struck, it runs itself with a video effect. It also contains the text string: sUMATHS
Jeru.Miky.2350 This is a dangerous virus that hooks INT 8, 16h, and 21h, and infects .COM and .EXE files. It sets the disk label to 'Miky', shifts the screen and displays: MIKY 786290 B livia
Jeru.Plastique "Jerusalem" family. These viruses hook INT 8, 9, 13h, and 21h, and erase the contents of the logical drives when file ACAD.EXE is started. Then they play a tune, and slow down the computer (delay loop in INT 8 handler). On the 4000th key entered on a keyboard, the virus erases one randomly selected sector on the current disk. These viruses contain the encrypted strings: ACAD.EXECOMMAND.COM.COM.EXE Program: Plastique 4.51 (plastic bomb), Copyright (C) 1988, 1989 by ABT Group.Thanks to: Mr. Lin (IECS 762??), Mr. Cheng (FCU Inf-Center)
Jeru.Raquel This is a variant of the "Jeru.Plastique" virus. Depending on its internal counter, it erases the CMOS memory. It contains the encrypted text: Copyright (C) 1988, 1989 by ABT Group Virus RAQUEL v.9 (c) IMV Galicia '94
Jeru.Roger "Jerusalem" family. This is a benign virus. On the 11th and 23rd of any month, it hooks INT 13h, and displays the following message:
+------------------------------------+
|          ROGER ESPEJO M.           |
|           Telef. 45-1838           |
|            Lima - Perú             |
+------------------------------------+
Taiwan.2576,3088 "Jerusalem" family. "Taiwan.2576" is dangerous - as ACAD.EXE is executed, the virus overwrites this file with the text (see below), and then deletes this file. The text is: To Whom see this: Shit! As you can see this document, you may know what this program is. But I must tell you: DO NOT TRY to WRITE ANY ANTI-PROGRAM to THIS VIRUS.This is a test-program, the real dangerous code will implement on November. I use MASM to generate varius virus easily and you must use DEBUG aginst my virus hardly, that is foolish. Save your time until next month. OK? Your Sincerely, ABT Group., Oct 13th, 1989 at FCU. This virus also contains the text "ACAD.EXECOMMAND.COM", and plays a tune. "Taiwan.3088 and 3454" contain the text: To Whom see this: Shit! As you can see this document, you may know what this program is. But I must tell you: DO NOT TRY to WRITE ANY VACCINE against THIS VIRUS.This is a test-program, the real dangerous code (combines Disk Killer & Dark Friday) will be implemented before long.I use MASM to generate various virus easily and it is vain to DEBUG my virus, it is a fool to do that. You(S.I.R) will try to challenge to me?, you are stupid to do this.Your Sincerely, ABT Group., Lee. S.W. Oct 13th, 1989 at FCU. PS: 1. To FCU Info-Center, Please update new carbon ink belt. 2. Fuck you Mechanic Eng., do not speak so loudly in the Computer Lab. 3. Confound you, Mr.President, I wish you go to Hell ! ============= , and anotherall Endanger declaraction : This is a hacker who want to rule the computer technology as the Golden game rule, namely, everyone who frunk me is a "son of bitch". How can teacher do such crue thing as to hurt a timid soul and taking this as funny play-game.
Taiwan.2900 "Jerusalem" family. It hooks INT 8,9,13h,16h, and 21h, and infects files that are executed or opened. When the ACAD.EXE file is executed, the virus erases information on all available disks.
Approximately once a month, after about 10 hours of uninterrupted operation, the virus plays a rather dull tune. If at this time one presses Alt-Ctrl-Del, then the same effect as upon executing ACAD.EXE occurs. The virus contains the encrypted strings: ACAD.EXE COMMAND.COM.COM.EXE Copyright (C) 1988, 1989 by ABT Group
Tobacco.2900 "Jerusalem" family. It hooks INT 8,9,13h,16h, and 21h, and runs itself in the same way as "Taiwan.2900". This virus contains the strings: ACAD.EXE COMMAND.COM.COM.EXE Copyright (C) 1988, 1989 by ABT Group Tobacco v2 AntiDacha. We don't want gypsies in our world. We don't want DACHAs. 1991 2nd Tabacalera gana siempre. Tobacco Ver. 2.0
"Jerusalem.Tobacco.c" contains the strings: Virus RAQUEL vK&S (c) IMV Galicia '95. Exercito Guerrilheiro forever Id Software are the Best. Buy DOOM2:Hell on Earth. Take my Tobacco box! CLRG loves danger. 3rd
Totoro.1536 "Jerusalem" family. On Saturday, it hooks INT 8 (timer), and sometimes displays the message:
+----------------------+
|    Totoro Dragon     |
|Hello! I am TOTORO CAT|
| Written by Y.T.J.C.T |
| in Ping Tung. TAIWAN |
| Don't Worry,be Happy |
+----------------------+
Ignorance
Description Ignorance
It is a harmless memory-resident multipartite encrypted virus. When loading from an infected floppy disk or MBR, it hooks INT 13h, waits for DOS to load, and then hooks INT 21h. When an infected file is executed, the virus infects the MBR of the hard drive, then hooks INT 13h and 21h. Through its INT 13h hook it implements a stealth algorithm for reads of the infected MBR; it also uses INT 13h to infect floppy boot sectors. Through its INT 21h hook it writes itself to the end of COM, EXE and SYS files that are accessed. The virus contains the text strings: Ignorance is Strength Freedom is Slavery War is Peace COMEXEBINOVLSYSSCCLVSF- [1984] bY [TäLöN< >NûK_] '93! THiS iZ iNFeCTi0N #00000032! Greetz RS/NuKE!
where "#00000032" is the virus generation number; that value may differ between infected files/sectors. "COMEXESYSBINOVL" is the string of the file name extensions which are "infectable". "SCCLVSF-" is the string of the anti-virus software names (two bytes per name: SCAN.EXE, CLEAN.EXE, etc.). While these files are executing, the virus disables some of its semi-stealth algorithm branches.
IIS-Worm.BlueCode
Description IIS-Worm.BlueCode
This is an Internet worm that targets Web sites by infecting Internet Information Servers (IIS). The worm spreads from one Web site to another by sending and executing its EXE file. The names of the worm's files are always the same: SVCHOST.EXE and HTTPEXT.DLL. The EXE file is a Win32 application (PE EXE file) about 29K in length, and it is written in Microsoft C++. A compressed variant, about 14K in size, was also discovered. The DLL file is about 47K in size, and it is written in Microsoft C++. Note that the worm uses the names of standard Windows files: SVCHOST.EXE and HTTPEXT.DLL can be found in standard Win2000 installations in the SYSTEM32 subfolder. The worm infects only machines installed with the IIS package and Web site contents. The worm application, upon being run on such a machine, locates and infects remote Web sites (remote machines with the IIS package installed): it enters them and, by using a Web Directory Traversal exploit, sends its copy there, and spawns that copy. As a result, the worm infects all vulnerable Web servers that can be accessed from the current infected machine, and other infected servers spread the worm copy further, and so on. The worm has a payload routine that, from 10:00 am till 11:00 am global time, performs a DoS (Denial of Service) attack on the http://www.nsfocus.com Web server.
Installing
The worm creates its copies (EXE and DLL) in the root of the C: drive - C:\SVCHOST.EXE and C:\HTTPEXT.DLL. This EXE file is then registered in the Registry auto-run key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Domain Manager = C:\svchost.exe
The worm then creates and spawns a C:\D.VBS script file, then looks for the INETINFO.EXE application and terminates it if it is active. The VBS script program also searches for Indexing Service, Indexing Query and printer mapping and removes them. As a result, the worm closes security holes that can be used (or were used) by other worms to infect the machine and/or by hackers to break through the Web-security protections.
Spreading
To spread further, the worm runs 100 threads that scan randomly selected IP addresses and attack them. In 50% of the cases, the attacked machines are in the same network, and the attacked IP addresses are "aa.bb.??.??", where "aa.bb" is part of the infected machine's IP address, and "??" are random. In the other 50% of the cases, the attacked addresses are completely random. To attack a victim machine, the worm uses the Web Directory Traversal exploit three times: it tries to determine the IIS directory on a remote machine, then sends a request to the remote machine to download the DLL component of the virus (HTTPEXT.DLL file) from the infected one; the last request is to copy that DLL file to the C: root directory. To upload a DLL file to a victim machine, the worm uses a "tftp" command, and activates a temporary TFTP server on the infected (current) machine to process a "get data" command from the victim (remote) machine. When a DLL file is uploaded to the victim machine, it is activated by a trick. So, the worm copy starts on a remote server, then it drops and executes the EXE component that then spreads the virus further.
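A host check for the install traces described under "Installing", as an added example that is not part of the original description: it parses `reg query` text output of the Run key plus a file listing, and flags the "Domain Manager" value, the dropped script, and the two borrowed file names when they sit outside a System32 folder. The function names, the sample data and the `C:\WINNT` path are assumptions made for illustration.

```python
import ntpath
import re

# File names the page says the worm borrows from a standard Win2000 install.
MASQUERADED = {"svchost.exe", "httpext.dll"}
# Script path and Run-key value name as given on the page.
DROPPED_SCRIPT = "c:\\d.vbs"
RUN_VALUE_NAME = "domain manager"

# One value line of `reg query` text output: name, type, data.
REG_LINE = re.compile(r"^\s+(?P<name>.+?)\s+REG_(?:EXPAND_)?SZ\s+(?P<data>.+?)\s*$")

def parse_run_key(reg_text):
    """Return {value name: data} for the string values in a Run-key export."""
    return {m["name"]: m["data"]
            for m in map(REG_LINE.match, reg_text.splitlines()) if m}

def is_masquerade(path):
    """True for a borrowed system file name that is not under a System32 folder."""
    directory, name = ntpath.split(path.strip('"'))
    parts = [p.lower() for p in directory.split("\\")]
    return name.lower() in MASQUERADED and "system32" not in parts

def check_host(reg_text, file_paths):
    """List (kind, name, location) findings matching the install behaviour."""
    findings = []
    for name, data in parse_run_key(reg_text).items():
        if name.lower() == RUN_VALUE_NAME or is_masquerade(data):
            findings.append(("run-key", name, data))
    for path in file_paths:
        if is_masquerade(path) or path.lower() == DROPPED_SCRIPT:
            findings.append(("file", ntpath.basename(path), path))
    return findings

# Constructed sample input (not taken from a real host).
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Synchronization Manager    REG_SZ    mobsync.exe /logon
    Domain Manager    REG_SZ    C:\svchost.exe
"""
SAMPLE_FILES = [r"C:\SVCHOST.EXE", r"C:\HTTPEXT.DLL", r"C:\D.VBS",
                r"C:\WINNT\system32\svchost.exe", r"C:\boot.ini"]

if __name__ == "__main__":
    for finding in check_host(SAMPLE_REG, SAMPLE_FILES):
        print(finding)
```

Run-key data that carries command-line arguments after the path is not split here, so such entries are matched only by value name.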