Virus Database


Macro.Word.Gas

Description Macro.Word.Gas

This virus contains macros:
Documents NORMAL.DOT
AutoOpen GAS
I R, AutoClose, FileTemplates, ToolsMacro, Autoexec
A S, FileSaveAs

Depending on the current date, it inserts the following commands into C:\AUTOEXEC.BAT:
BREAK OFF
If exist C:\GAS.BAT call GAS.BAT
BREAK ON

To the C:\GAS.BAT file the virus writes commands that delete the *.JPG, *.GIF and *.BMP files on the C: drive, including subdirectories. Depending on the current seconds value, the virus outputs the following string to the status line:
A s s a l a m u a l a i k u m


I-Worm.Ciosor

Description I-Worm.Ciosor

This is a worm that spreads via the Internet as an attachment to infected emails. The worm itself is a Windows PE EXE file about 107Kb in length, written in Visual Basic (VB5).
The worm activates from an infected email only if the user clicks on the attached file. The worm then installs itself to the system and runs its spreading routine and payload.
The infected messages vary in text and attachment name; the worm selects them at random from the following variants while spreading:
Subjects are:
Cuidado con los virus!!!
Tienes un virus!!!
Me lo baje de Internet
Una coña de la red
Bodies are (where %virusname% is "Nimda", "Magistr" or "Sircam"):
Saludos
Me ha llegado el virus %virusname%, de tu ordenador, ya es la segunda vez
Pasa la vacuna que te envío, de Norton Antivirus
Y ten mas cuidado la próxima vez!
Un Saludo
Por Favor, revise su ordenador, me ha enviado el virus %virusname%
Le envío la vacuna facilitada por Norton Antivirus
Un Saludo
Hola, perdona, que te moleste, pero me has enviado un virus, el %virusname%
Te envío la vacuna de panda, Ten mas cuidado la próxima vez!
Hola
Te envío un fichero que me bajado de Internet, es una broma. mueve él
Ratón por toda la pantalla. No se quita ni pulsando control+alt+supr,
Jeje, al final hay que reiniciar.
Attachment file names are:
MueveRaton.exe
AntiMagistr.exe
AntiNimda.exe
AntiSircam.exe
To send infected messages, the worm scans *.EML, *.NWS, and *.DBX files, collects victim email addresses from them, connects to the SMTP server smtp.terra.es, and sends the infected messages.
Installing
While installing, the worm copies itself to the Windows system directory under the name REGWIZ.EXE (overwriting the original Windows REGWIZ.EXE file there) and registers this file in the system registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run regwiz = %systemdir%\regwiz.EXE
The worm also sets the ReadOnly, Hidden and System attributes for this file.
The worm then displays a fake error message:
no es una aplicación Win32 válida
[ OK ]
Payload
The worm adds the following command to the C:\MSDOS.SYS file:
BootKeys=0
The effect of this is that the boot process cannot be interrupted or traced on Win9x systems.
The worm then stays in Windows memory as a hidden application (system service) and runs its payload routine: the mouse cursor is moved randomly around the screen, and the mouse becomes unusable.
The worm also keeps an internal counter in the registry key:
HKCU\Software\VB and VBA Program Settings\regwiz\config
ejec = %number%
and increases this value on each run. When this counter reaches 75, the worm alters the registry key:
HKCU\Control Panel\Desktop\ScreenSaveActive = 0
then exits Windows and restarts the machine.

I-Worm.CoolNotepad

Description I-Worm.CoolNotepad

This is a VBS Internet worm based on the "LoveLetter" worm. The worm spreads attached to e-mail messages:
Subject:
Cool Notepad Demo
Message body:
Hey check out this text file I sent it will do something neat in notepad.
Enjoy :-)
Attachment name:
COOL_NOTEPAD_DEMO.TXT.vbs
To send infected messages, the worm uses MS Outlook and sends its copies to all addresses listed in the Outlook address book.
The worm also sends copies of itself over IRC. To do that, it overwrites the SCRIPT.INI file in the mIRC directory with a set of commands that send the worm file to everybody who enters the infected channel. When an infected user enters an IRC channel, the worm also enters a "virus" conference, then sends the following message there:
Cool Notepad Demo
and leaves that conference.
The worm also creates a copy of itself, COOL_NOTEPAD_DEMO.TXT.vbs, in the Windows system directory and registers it in the auto-run section of the system registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run COOL_NOTEPAD_DEMO = FileName
where FileName is the full name of the worm copy in the Windows system directory.
The worm has a side effect. It hides all icons on the Desktop by setting a registry value:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NoDesktop = 1
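
The host changes listed in the three descriptions above can be checked offline against a regedit text export and the contents of AUTOEXEC.BAT and MSDOS.SYS. The following is an added example, not code from the original page; the function names, the REGEDIT4 export format and the sample inputs are assumptions, and the registry paths are written with their backslashes in place.

```python
import re

RUN = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
EXPLORER = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\explorer"
VBCFG = r"hkey_current_user\software\vb and vba program settings\regwiz\config"
# (key, value name, pattern for the value data, finding), taken from the descriptions above.
# A file named REGWIZ.EXE is normal on Windows; the Run entry pointing at it is the indicator.
REG_RULES = [
    (RUN, "regwiz", r"regwiz\.exe", "I-Worm.Ciosor: Run entry for REGWIZ.EXE"),
    (RUN, "cool_notepad_demo", r"\.txt\.vbs", "I-Worm.CoolNotepad: Run entry for the .vbs copy"),
    (EXPLORER, "nodesktop", r"^(dword:0*1|1)$", "I-Worm.CoolNotepad: NoDesktop = 1"),
    (VBCFG, "ejec", r".", "I-Worm.Ciosor: run counter 'ejec' present"),
]

def scan_reg_export(text):
    """Return findings for the text of a regedit export (REGEDIT4 format)."""
    findings, key = [], ""
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()            # header of the current key
            continue
        m = re.match(r'"([^"]+)"=(.*)$', line)  # "name"=data
        if not m:
            continue
        name, data = m.group(1).lower(), m.group(2).strip().strip('"')
        for rule_key, rule_name, pattern, finding in REG_RULES:
            if key == rule_key and name == rule_name and re.search(pattern, data, re.I):
                findings.append(finding)
    return findings

def scan_boot_files(autoexec_bat, msdos_sys):
    """Check the contents of AUTOEXEC.BAT and MSDOS.SYS for the edits described above."""
    findings = []
    if re.search(r"^\s*if\s+exist\s+\S*gas\.bat\s+call\s+\S*gas\.bat", autoexec_bat, re.I | re.M):
        findings.append("Macro.Word.Gas: AUTOEXEC.BAT calls GAS.BAT")
    if re.search(r"^\s*BootKeys\s*=\s*0\s*$", msdos_sys, re.I | re.M):
        findings.append("I-Worm.Ciosor: BootKeys=0 in MSDOS.SYS")
    return findings

# Constructed sample inputs (not taken from a real machine).
SAMPLE_REG = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"regwiz"="C:\\WINDOWS\\SYSTEM\\regwiz.EXE"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDesktop"=dword:00000001
'''
SAMPLE_AUTOEXEC = "@ECHO OFF\nBREAK OFF\nIf exist C:\\GAS.BAT call GAS.BAT\nBREAK ON\n"
SAMPLE_MSDOS = "[Options]\nBootGUI=1\nBootKeys=0\n"
```

Calling `scan_reg_export(SAMPLE_REG)` and `scan_boot_files(SAMPLE_AUTOEXEC, SAMPLE_MSDOS)` returns one finding per matched indicator, labelled with the entry it comes from.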

    Copyright © 2005 Virus-Database.com