Virus Database


LazyToday.1203

Description LazyToday.1203

This is a non-dangerous, memory-resident parasitic virus. It hooks INT 21h and writes itself to the end of COM and EXE files that are executed. Depending on the system date, it displays the message:
Forget it, I'm lazy today!

and exits to DOS instead of executing the host program.


I-Worm.Gismor

Description I-Worm.Gismor

This is a worm that spreads via the Internet as an attachment to infected emails. The worm itself is a Windows PE EXE file about 8 KB in length, written in Assembler.
The infected messages have the following fields:
Mail From: < Gismo@gmx.de >
From: MP3 Deluxe
To: My best friends
Subject: Phenomenal
Body: body is empty
Attach: MP3Player.exe

To run from an infected message, the worm uses the IFrame security breach. The worm then installs itself to the system and runs its spreading routine.
While installing, the worm copies itself to the Windows system directory under the name SSMS.EXE and registers this file in the system registry auto-run key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
To send infected messages, the worm uses a direct connection to the default SMTP server, or to the "mail.gmx.net" server.
To get victims' email addresses, the worm uses Windows MAPI functions and reads emails from mailboxes.

I-Worm.Gizer.c

Description I-Worm.Gizer.c

Gizer is a worm that spreads via the Internet as an attachment to infected emails; it also appends itself to ZIP archives.
The worm itself is a Windows PE EXE file about 8 KB in length and written in Assembly language.
Infected messages have the following characteristics:
From: Microsoft Critical Response Team
Subject: Urgent message for all Windows users
Body:

Dear Windows User, The Microsoft Security Experts have discovered a bug inside the Windows files that poses a security threat to all versions of Windows newer than Windows98 (including Windows98). Virus experts have reported that few known viruses have been identified using this exploit, but more are expected. A patch has been supplied with this email and will fix the security hole. **THIS MESSAGE WAS DELIVERED BY THE AUTHOR FROM ENERGY WORM !!!**

Attachment name: patch.exe
The worm activates from infected email only when a user clicks on the attached file.
The worm does not install itself to the system and is not repeatedly activated. The only way to run the virus again is to double click the attached file.
When the worm is launched, it copies itself to the current folder under the name windows.tmp, and displays the following message:
Could not patch due to bad CRC!

Spreading: e-mail
To send infected messages the worm connects to the SMTP server specified as the default in Windows. Gizer then sends messages to all addresses found in the Windows address book (WAB database).
Spreading: archives
Gizer also searches for all files with the .ZIP extension on all hard drives and appends its copy to them.

    Copyright © 2005 Virus-Database.com