Virus Database


Macro.Excel97.Laroux.oe

Description Macro.Excel97.Laroux.oe

This virus infects Excel sheets. It contains two macros: auto_open and al_muskilat. To infect the system, the virus creates an infected PERSONAL.XLS file in the Excel startup directory. To infect other files, the virus hooks the sheet activation procedure.
The virus erases the "Tools/Macroall" menu item. Depending on the system random counter, it displays the MessageBox:
Ha....Ha....Ha... [VBB]
You've Been Infected By Guyan!


I-Worm.Beglur.b

Description I-Worm.Beglur.b
This is a worm which spreads via the Internet and local networks as an attachment to infected emails. The worm itself is a Windows PE EXE file of approximately 20KB. The file is compressed using UPX and Yoda, and the uncompressed size is approximately 35KB. It is written in Visual C++. The worm contains the following 'copyright' text string:
W32.Narita
Infected messages will contain text in the message fields which is randomly selected from the following:
From:
Microsoft support@microsoft.com
Terrorist George W. Bush president@whitehouse.gov
Terrorist Ariel Sharon pm_eng@pmo.gov.il
careless ch@care.net
media
Rumsfeld rumsfeld@pentagon.net
Maybank security@maybank2u.com
condemn fool@first.gov
Bin Laden osama@fbi.gov
BushScare president@white.gov


Subject:
Hi!
Bad news!
Free porn!
Report!
Hack me!
Bussiness
News!
Warning!
hello
Buy 1 Free 2
Need help!
plz!
Re:
great!
you are!
Your resume
Update
Spend Money
Too easy
oh wow
nice job!
High security
Command line
Create own disk
keep the File
Help Section
Unknown Header
Possible Word
My Webs
Protokol
Compress Sample
Sensitive Name
Deliver
System Error
microsoft
installer
personal info
sample music
internet proxy


Message body:
check your attachment now!
(empty)
Hey! It's that what you want! I hope so! Check the file first then reply back if you have problem!
Alex Pravoks
For the truth of love! I have suprise to you! Please baby forgive me!
Ronn Elika
Oh my god! It's that you! Helo! Helo! So, this is gift for christmas day!
Orlian Jieg
Hello friend,
I have a problem here. I have encrypt the file that contain my message problem. The password is 'helpx'. Plz reply back!

A message you have received has been converte to an attachment. I sorry cause that problem.

The name of the attached file is also randomly selected, and will have one of the following extensions: .scr .pif .exe .com .bat
The worm uses the 'IFRAME' security breach to launch itself from infected messages.
Installation
The worm copies itself to the Windows system directory under a random name and registers that file for automatic startup in the 'shell' key of the [boot] section of SYSTEM.INI.
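The SYSTEM.INI registration described above can be checked offline from a copy of the file. The following is an added example, not code from the original page; it assumes a clean system lists only explorer.exe on the shell= line, and the sample file and the name "qwxzr.exe" are constructed stand-ins.

```python
# Added example: audit the shell= line in the [boot] section of SYSTEM.INI.
# Assumption: a clean system lists only explorer.exe on that line.
EXPECTED_SHELL = {"explorer.exe"}

# Constructed sample; "qwxzr.exe" is a made-up stand-in for a random name.
SAMPLE_SYSTEM_INI = """\
; for 16-bit app support
[386Enh]
device=*vmd
device=*vpd
[Boot]
Shell = Explorer.exe qwxzr.exe
system.drv=system.drv
"""


def boot_shell_entries(ini_text):
    """Return the programs listed on shell= in [boot], lower-cased."""
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            # Section and key names are case-insensitive in INI files.
            section = line[1:-1].strip().lower()
            continue
        if section == "boot" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "shell":
                return [tok.strip('"').lower() for tok in value.split()]
    return []


def unexpected_shell_entries(ini_text):
    """Return every shell= entry that is not the expected shell."""
    return [e for e in boot_shell_entries(ini_text) if e not in EXPECTED_SHELL]


if __name__ == "__main__":
    print(unexpected_shell_entries(SAMPLE_SYSTEM_INI))
```

A hand-written parser is used because SYSTEM.INI repeats keys such as device= within one section, which stricter INI parsers reject.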
Distribution via email
To get victim email addresses the worm scans files with the following extensions: .TXT .MHT .HTM .HTML .EML .JSE .ASP .DBX .MBX .MMF .TBB .NCH .ODS .VCF .WAB
To send infected messages the worm uses a built-in SMTP engine.
Distribution via networks
The worm copies itself to shared network drives and to all logical drives under a random name, or named 'setup' or 'installer', with one of the following extensions: .scr .pif .exe .com .bat
Other
The worm contains a backdoor routine which will allow a hacker to create, delete, rename files and directories, and execute commands on affected machines.
The worm also attempts to terminate several anti-virus and firewall programs.

I-Worm.Blebla.a

Description I-Worm.Blebla.a

This is a worm that spreads via the Internet. It was discovered in Poland on November 16, 2000. The worm arrives as an HTML-format e-mail message with two attached files: MYJULIET.CHM and MYROMEO.EXE.
When an infected message is opened, the HTML part of it is executed. This part contains a script program that is automatically activated by Windows. By using a vulnerability in Windows scripting, the script program loads and activates the CHM component of the message (the MYJULIET.CHM file). That CHM component is itself a Compressed HTML page and contains one more script program. That second script executes the MYROMEO.EXE file, which is the main worm body.
So, the worm activates itself automatically when an infected message is opened or previewed. To activate itself, the worm uses a vulnerability in Windows scripting security: the worm's HTML component is able to run an EXE component by a method that is listed as "safe for scripting," so no warning messages are displayed when the worm runs its components (under default Windows settings).
The main worm component (the MYROMEO.EXE file) is a Windows PE executable file about 30Kb in length. This file is compressed with the UPX compression utility. Unpacked, it is a 70Kb EXE file written in Delphi, and the "pure" code in the file occupies only about 6Kb.
When it is run, it opens the Windows Address Book, reads e-mail addresses from it and sends its HTML message with the attached CHM and EXE files to them. The message has a Subject that is randomly selected from the following list:
Romeo&Juliet
:))))))
hello world
!!??!?!?
subject
ble bla, bee
I Love You ;)
sorryall
Hey you !
Matrix has you...
my picture
from shake-beer
The worm has a bug and doesn't work correctly under some Windows98/NT English editions. The worm is also able to spread only if Windows is installed in the C:\WINDOWS directory (that path is hardcoded in the worm code).
Blebla.b
A remake of the original worm. When it starts, it copies itself to the system under the name "c:\windows\sysrnj.exe" and creates and modifies many Registry keys to activate this copy:
HKEY_CLASSES_ROOT\rnjfile
DefaultIcon = %1
shell\open\command = sysrnj.exe "%1" %*
This key causes the worm copy to run whenever "rnjfile" is referenced. Then the worm modifies the following keys:
HKEY_CLASSES_ROOT
.exe = rnjfile
.jpg = rnjfile
.jpeg = rnjfile
.jpe = rnjfile
.bmp = rnjfile
.gif = rnjfile
.avi = rnjfile
.mpg = rnjfile
.mpeg = rnjfile
.wmf = rnjfile
.wma = rnjfile
.wmv = rnjfile
.mp3 = rnjfile
.mp2 = rnjfile
.vqf = rnjfile
.doc = rnjfile
.xls = rnjfile
.zip = rnjfile
.rar = rnjfile
.lha = rnjfile
.arj = rnjfile
.reg = rnjfile
These keys cause the worm copy to start when any file with one of the extensions listed above is opened.
The worm sends itself to the alt.comp.virus newsgroups in messages with the following headers:
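The file-association takeover described above can be audited from a registry export of HKEY_CLASSES_ROOT. The following is an added example, not code from the original page; it assumes the stock ProgIDs exefile and regfile for .exe and .reg, and the export text is a constructed sample containing only a few of the keys listed.

```python
import re

# Assumption: stock ProgIDs for two of the extensions the description lists.
EXPECTED = {".exe": "exefile", ".reg": "regfile"}
ROOT = "hkey_classes_root\\"

# Constructed sample export reproducing a few of the keys described above.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_CLASSES_ROOT\.exe]
@="rnjfile"

[HKEY_CLASSES_ROOT\.jpg]
@="rnjfile"

[HKEY_CLASSES_ROOT\.reg]
@="rnjfile"

[HKEY_CLASSES_ROOT\.txt]
@="txtfile"

[HKEY_CLASSES_ROOT\rnjfile\shell\open\command]
@="sysrnj.exe \"%1\" %*"
'''


def parse_default_values(export_text):
    """Map each key path (lower-cased) to its default (@) string value."""
    defaults, key = {}, None
    for line in export_text.splitlines():
        line = line.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            key = header.group(1).lower()
        elif key and line.startswith('@="') and line.endswith('"'):
            # Undo the .reg escaping of quotes and backslashes.
            defaults[key] = line[3:-1].replace('\\"', '"').replace("\\\\", "\\")
    return defaults


def hijacked_handlers(export_text):
    """Report ProgIDs that replaced an expected one, with every extension they own."""
    defaults = parse_default_values(export_text)
    ext_to_progid = {k[len(ROOT):]: v.lower() for k, v in defaults.items()
                     if k.startswith(ROOT + ".") and "\\" not in k[len(ROOT):]}
    suspects = {p for e, p in ext_to_progid.items()
                if e in EXPECTED and p != EXPECTED[e]}
    return {p: {"command": defaults.get(ROOT + p + "\\shell\\open\\command", ""),
                "extensions": sorted(e for e, q in ext_to_progid.items() if q == p)}
            for p in sorted(suspects)}
```

Reporting every extension that shares the suspect ProgID, together with its open command, shows which file types must be restored along with .exe.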
From: "Romeo&Juliet" [romeo@juliet.v]
Subject:[Romeo&Juliet] R.i.P.
When sending its copies to personal addresses, the worm uses an empty Subject, a randomly generated Subject, or one from the list:
Romeo&Juliet
where is my juliet ?
where is my romeo ?
hi
last wish ???
lol :)
,,...'
!!!
newborn
merry christmas!
surprise !
Caution: NEW VIRUS !
scandal !
^_^
Re:
Depending on certain conditions, the worm also creates directories with random names in the Recycled folder and creates randomly named files in them.

    Copyright © 2005 Virus-Database.com