Virus Database

Macro.Excel.Soldier

Description Macro.Excel.Soldier

This is a polymorphic macro virus. It contains four actual function: Auto_Open, Auto_Close, Delay, Poly, as well as random number of junk functions with random names.
On closing an infected file the virus searches and infects files in the current directory. While infecting the virus depending on system random counter inserts into the top of its code functions with random name and random contents (polymorphic).
On opening an infected file the virus erases menu items Format/Sheet/Hide and Format/Sheet/Unhideall (stealth).
Depending on random counter the virus displays to the Excel caption the running line:
Microsoft Excel

Check other viruses! Be aware! Use Antiviral Software

I-Worm.Vote

Description I-Worm.Vote

This Internet worm spreads via e-mail messages using MS Outlook. Upon being executed, the worm sends infected messages to all addresses stored in the Outlook address book, then it overwrites all HTML files on the local disk drives. Upon the next Windows start-up, the worm tries to delete all files in the Windows folder, and reboots the computer.
The worm arrives to a computer as an e-mail message with an attached executable file that is the worm itself. The malicious message contains the following:

The worm doesn't run automatically from e-mail. It is activated only when a user starts it manually (by double-clicking on the attachment).
Upon being executed, the worm sends infected messages to all addresses stored in the Outlook address book. Then it opens two Internet browsers utilizing sites that are closed at the moment. Also, it replaces the Internet Explorer start-up page with one of its own. Following this, the worm drops two different VBS files.
The first one is named "MixDaLaL.vbs" that the worm creates and runs immediately in the Windows folder. This file has a script program that searches for files with HTM and HTML extensions on all removable and local hard drives, and overwrites them with a short text:
AmeRiCa allFew Days WiLL Show You What We Can Do !!! It's Our Turn >>> ZaCkEr is So Sorry For You
The second VSB file the worm drops into the Windows system folder with the name, "ZaCker.vbs", and registers it in the auto-run registry section. This means the file will be automatically executed upon the next Windows start-up. Upon being executed, it attempts to delete all files in the Windows directory, overwrites AUTOEXEC.BAT with a command destroying all data on drive C:, and then it displays the following message:

The worm finally reboots the computer. As a result, the system may be rendered unbootable or all data may be destroyed.

I-Worm.Vybab

Description I-Worm.Vybab

This worm spreads via the Internet as an attachment to infected messages. It can also infect EXE files.
It is a PE EXE file written in Borland Delphi and is approximately 140 KB in size.
Installation
When installing itself to the system, the worm creates a file named 123.txt in the Windows directory. This file contains the following text string:
babyv ; made of Ran
It also creates files in the root directory and the Windows directory. The names of these files are created from three random characters and one of the following extensions:
bat
exe
htm
rar
doc
xls
These files do not contain the body of the worm.
The worm copies itself to a temporary file named seeyou.rar in the C: root directory.
It also creates a file named echo.vbs in the Windows temporary directory. This file contains the script which enables the worm to propagate via email.
Propagation via email
Each time the worm or one of the infected files is launched, the worm sends itself to all addresses in the MS Outlook address book. Infected emails have the following characterstics:
Message header:
Microsoft Pack3, ;o)
Message text:
Hi:
This is Microsoft client server center
Check This!
Infecting EXE files
When the worm is launched for the first time, it infects EXE files located in the Program Files directory, and in the directory which the worm was launched from. It writes itself to the beginning of those files.
After this the worm searches all directories on all accessible drives and infects all EXE files found.
When an infected file is launched, the virus copies itself into the root directory of every available drive and sends itself via email. The original uninfected file is saved in the Windows temporary directory and will re-establish control once the worm finishes the infection process.

Home