Virus Database

Macro.Excel.Compat

Description Macro.Excel.Compat

This is a polymorphic Excel macro virus. It contains one module with 11 functions inside: Macro1, Macro2, Macro3, Macro4, Macro5, Macro6, Macro7, Auto_Open, Auto_Close, Auto_Exit, Auto_Help.
The virus runs its infection routine on opening files, switching sheets, or on timer events. While infecting the virus polymorphic engine inserts into the virus code random generated comments. The name of virus module is also randomly generated.

Check other viruses! Be aware! Use Antiviral Software

I-Worm.Menace

Description I-Worm.Menace

This is a virus-worm that spreads via the Internet by using AOL client. The worm itself is a Win32 application (PE EXE file) about 86K in size, and is written in VisualBasic 6.0.
The worm arrives as a SOFUNNY.EXE file attached to an e-mail message that has one of two Subjects and the same Body:
Subject1: Fwd: This is great! =)
Subject2: Fwd: This is hilarious! =)
Body: You guys have to download this! This really is funny!
To spread, the worm waits until AOL client is active, manipulates the AOL functions, gains access to in-box e-mails, and replies to them with an infected messages (note: this has not tested in the Lab).
The worm also has password-stealing ability, and sends AOL-login and passwords from infected computers to its host.
When the worm is run (from infected message), it displays a fake error message:
Fatal Error #6834
An unknown error has occurred.
The worm then copies itself to the Windows directory exactly as follows:
C:WINDOWSmsdos423.exe
C:WINDOWSSOFUNNY.exe
One of these files is then registered in the auto-run registry key:
HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun msdos423 = c:windowsmsdos423.exe
The worm also creates an additional file, C:WINDOWSmsdos423.ini, and stores itself in there, for example:
[Setup]
Copied = True
Sent = True
Uploaded = True
The worm also contains the "copyright" text strings:
AOL PWS for version 4, 5, & 6. Now a worm too! By Menace

I-Worm.Merkur

Description I-Worm.Merkur

This is the worm virus spreading via the Internet being attached to infected emails, through P2P networks and IRC channels. The worm itself is a Windows PE EXE file about 45Kb of length written in Visual Basic.
The infected messages have following fields:
Subject: Update your Anti-virus Software

Attach is randomly selected from three variants:
AVupdate.exe
taskman.exe
uninstall.exe

Body:
Here is a patch for your AV software, it will cover all the latest out breaks of worms ect
(worms as in virus not earth worms! lol)

The worm activates from infected email only in case a user clicks on attached file. The worm then installs itself to the system and runs spreading routine.
Installing
While installing the worm copies itself to the system with following names:
c:WINDOWS askman.exe
c:AutoExec.exe
c:WindowsSystemAVupdate.exe
c:Program Filesuninstall.exe
c:WindowsNotepad.exe
c:windowsscreensaver.exe

The "AVUpdate.exe" is then registered in system registry auto-run key:
HKLMSoftwareMicrosoftWindowsCurrentVersionRun
AVupdate = c:WindowsSystemAVupdate.exe

All directory names are hardcoded in worm body, thus it fails to copy itself and infect the system in case there are not such directories as "C:Windows", e.t.c.
Spreading: Email
To get victim emails the worm connects to MS Outlook and sends messages to all addresses found in Outlook address book.
Spreading: IRC
The worm creates new "c:mIRCscript.ini" and "c:mIRCProgram Filesscript.ini" files and writes IRC commands to there that send the message to anybody who joins infected channel:
Hi want a cool screen saver?

and then send the worm copy with the "screensaver.exe" name.

Spreading: P2P
To spread through P2P networks the worm affects following Kazaa, eDonkey and BearShare directories by copying its copies into there:
c:program fileskazaamy shared folderIPspoofer.exe
c:program filesearsharesharedIPspoofer.exe
c:program fileseDonkey2000incomingIPspoofer.exe
c:program fileskazaamy shared folderVirtual Sex Simulator.exe
c:program filesearsharesharedVirtual Sex Simulator.exe
c:program fileseDonkey2000incomingVirtual Sex Simulator.exe

Trojan Routine
The worm also has trojan routine, that deletes all files:
*.jpg, *.mpg, *.bmp, *.avi
in directories:
C:Program FilesKazaaMy Shared Folder c:program filesearshareshared c:program fileseDonkey2000incoming
To do that the worm drops trojan commands to c:pr0n.bat DOS batch file, executes it, and then deletes it.
Other
The worm displays message boxes:
on December 31st:
Win32.mercury@mm
allSaving the world before bed time...

on February 16th:

Win32.mercury@mm
...Win32.mercury Coded by Industry @ ANVXgroup...

on April 2nd:
Win32.mercury@mm
...Shout out to Every one @ Indovirus...

Home