Virus Database


Lip.286

Description Lip.286

This is a very dangerous non-memory-resident parasitic virus. It searches for .COM files in the current directory and appends itself to the end of each file. When started, some infected files display the text:
(C)RomlSoft(LipPI)1991

and then erase the FAT and boot sector of the current disk.


I-Worm.Wallon.a

Description I-Worm.Wallon.a

Wallon is an Internet worm that spreads via emails containing links to an infected website.
The infected emails contain the following link:
<HTML><HEAD></HEAD><BODY bgColor=#ffffff><DIV><FONT face=Arial size=2><BR>
<A href="http://drs.yahoo.com/[recipient domain]/NEWS/
*http://www.security-warning.biz/personal6/maljo24/
www.YAHOO.com/#http://drs.yahoo.com/[recipient domain]/NEWS">
http://drs.yahoo.com/[recipient domain]/NEWS
</A></FONT></DIV></BODY></HTML>
A screenshot of the infected message follows:

When users click on the link, an Internet Explorer vulnerability allows a script Trojan to be executed.
This Trojan extracts a downloader (about 36 KB, packed with ASPack) from itself, which overwrites the wmplayer.exe file.
The downloader then downloads the main body of Wallon and installs it in the C drive root directory under the name alpha.exe. Wallon then changes the Internet Explorer home page to www.google.com.super-fast-search.apsua.com and creates its own toolbar in Explorer.
The main component of Wallon is a PE file about 150 KB in size, written in Delphi and packed with ASPack.
During installation, Wallon creates the following system registry keys:
[HKCU\SOFTWARE\Microsoft\Internet Explorer\Main]
"Wh" = ?
Wallon then scans this key and, depending on the values, attempts to open www.pixpox.com. In this case, Wallon is acting as a clicker for this site, improving visitor statistics.
Wallon also sends infected emails to all addresses in the local MS Outlook address book using the indicated SMTP server.
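
The link quoted above shows one host as its visible text while its href carries a second absolute URL. The following is an added example, not part of the original description, of how a mail filter could flag such anchors; "example.org" stands in for the "[recipient domain]" placeholder, and treating the first nested URL as the forwarding target is an assumption.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the anchor quoted above, with "example.org" standing in
# for the "[recipient domain]" placeholder.
SAMPLE = '''<HTML><BODY><DIV><A href="http://drs.yahoo.com/example.org/NEWS/
*http://www.security-warning.biz/personal6/maljo24/
www.YAHOO.com/#http://drs.yahoo.com/example.org/NEWS">
http://drs.yahoo.com/example.org/NEWS
</A></DIV></BODY></HTML>'''

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            # Line breaks inside the attribute come from wrapping; strip whitespace.
            self._href = re.sub(r"\s+", "", dict(attrs).get("href") or "")
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def embedded_urls(href):
    """Absolute URLs nested inside href after its own leading scheme."""
    return [href[m.start():] for m in re.finditer(r"https?://", href) if m.start() > 0]

def audit_links(html):
    """Return findings for anchors whose href hides a second destination."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        nested = embedded_urls(href)
        if not nested:
            continue
        shown = urlsplit(text).hostname or urlsplit(href).hostname
        # Assumption: the first nested URL is where a redirector would forward.
        target = urlsplit(nested[0]).hostname
        findings.append({"shown_host": shown, "nested_host": target,
                         "mismatch": shown != target})
    return findings
```
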

I-Worm.Wargam

Description I-Worm.Wargam

This is a virus-worm that spreads via the Internet attached to infected e-mails. The worm itself is a Windows PE EXE file about 77 KB in length (encrypted with the ASProtect EXE file protection utility) and written in Borland C++.
The infected messages have one of the following three variants of Subject/Body/Attached file:
Subject: Mail to %RecipientEmail%
Body: I send you this patch.
It corrects a bug into Internet Explorer and Outlook.
Attachment: patch.exe
or

or

The worm activates from infected e-mail only when a user clicks on an attached file. The worm then installs itself to the system, runs its spreading routine and payload.
Installing
While installing, the worm copies itself to the Windows system directory twice, once with the "article.doc.exe" name and once with a random ".exe" name (like WVUUQ.EXE), and then registers the latter file in:
under Win9x: WIN.INI file, [windows] section, "run=" command
under WinNT: system registry Run= key.

The worm also creates an additional registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\WarGames Worm
DisplayName = Wargames Uninstall
UninstallString = rundll32 mouse,disable

The worm also looks for several programs and attempts to terminate their processes. The list includes anti-virus programs as well as a few widespread viruses:
AVP32.EXE
AVPCC.EXE
AVPM.EXE
WFINDV32.EXE
F-AGNT95.EXE
NAVAPW32.EXE
NAVW32.EXE
NMAIN.EXE
PAVSCHED.EXE
ZONEALARM.EXE
KERN32.EXE
SETUP.EXE
RUNDLLW32.EXE
GONER.SCR
LOAD.EXE
INETD.EXE
FILES32.VXD
SCAM32.EXE
GDI32.EXE
_SETUP.EXE
EXPLORE.EXE
ZIPPED_FILES.EXE

Spreading
To send infected messages, the worm uses three different methods (and sends messages of three different types - see above).
First, the worm scans *.HT*, *.DOC and *.XLS files in the Windows directory in a user's Personal, Desktop, Favorites and Internet Cache directories, looks for e-mail addresses in them and then sends infected messages to these addresses.
Next, the virus creates the "wargames.vbs" file in the Windows directory, writes a VBS script to it and runs it. The script sends infected messages to all addresses from the MS Outlook Address Book.
Finally, the worm, by using Windows MAPI functions, connects to the incoming e-mail box and "answers" all the messages in it.

    Copyright © 2005 Virus-Database.com