Virus Database


Macro.Word.Incarnate

Description Macro.Word.Incarnate

This is a Word macro virus. It contains seven macros: AutoExec, AutoExit, FileSave, AutoClose, FileClose, FileSaveAs, ToolsMacro.
The virus infects the global macros area (NORMAL.DOT) when an infected document is closed (AutoClose, FileClose) and writes itself to documents that are saved (FileSave) or saved under a new name (FileSaveAs). The virus contains a bug: when infecting via FileClose, it copies the same FileSaveAs macro to both the new FileSave and FileSaveAs macros. As a result, the virus reveals itself when a document is saved: instead of saving, Word displays the FileSaveAs dialog box.
While closing a document, the virus also appends the following text to its end:
To end with, I would like to sayall
To defy me is to bring upon my wrath...
For I am CyberDarkness
I am Darkness Incarnate...
I will Not be Denied!!!
<year> CyberDarkness

On exiting Word, the virus writes a new Desktop color set to the WIN.INI file.


I-Worm.Maldal

Description I-Worm.Maldal

This is a dangerous virus-worm that spreads via the Internet as an attachment to infected e-mails. It installs another Internet worm: I-Worm.Maldal. The worm also carries destructive payloads.
The worm itself is a Windows PE EXE file about 36.5K in length, and is written in Visual Basic 5.
The infected messages contain:

The worm is activated from an infected e-mail only when a user clicks on the attached file. The worm then installs itself to the system, runs its spreading routine and payload. It displays the following picture only once:

Installation
While installing, the worm copies itself to the Windows system directory with the name "Christmas.exe" and registers this file in the system registry auto-run key.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Zacker = <windir>\Christmas.exe
Spreading via E-mail
To send infected messages, the worm uses MS Outlook, and sends messages to all addresses found in the Outlook address book.
Installation of the other worm
The worm changes the Internet Explorer start page to: http://geocities.com/jobreee/ZaCker.htm*.
This HTM file contains another Internet worm, VBS.Kerza, which runs once Internet Explorer has been started.
Destructive payload
The worm blocks the keyboard and tries to delete all files in the Windows System directory.
*WARNING: DO NOT USE THIS LINK!

I-Worm.Manymize

Description I-Worm.Manymize

This is an Internet worm that replicates by sending infected e-mail messages. It uses several vulnerabilities in Microsoft Internet Explorer, Outlook and Windows Media Player to start automatically when an infected message is viewed.
Infected Messages
Infected messages sent by the worm have various subjects and message bodies, which are generated from several pre-defined strings.
From field: Display name and e-mail address of the infected computer's owner.
Possible subjects:
Hi (recipient's name)
Dear (recipient's name)
Hello (recipient's name)
My friend, (recipient's name)
How are you !! (recipient's name)
Message bodies are concatenated from the following strings:
Hi (recipient's name) , See this funny video.
Dear (recipient's name) , This is interesting movie.
Hello (recipient's name) , Open the cute penguin.
My friend, (recipient's name) , Attached is my amusing clip.
How are you !! (recipient's name) , Watch my special tape.
For example,
Dear Vasily Pupkin, Watch my amusing video.
Infected messages contain the following attachments:
mi2.chm, 11397 bytes
mi2.exe, 73752 bytes
mi2.htm, 539 bytes
mi2.wmv, 19485 bytes
Installation
The worm doesn't install itself in the infected system, and is launched only when it is executed from an infected message.
Replication
The worm accesses information from the Windows Address Book (WAB) to get e-mail addresses, and then sends infected messages to these addresses. To send infected messages it uses a direct connection to the default SMTP server set up in the infected system.
Other
The worm sends a "notification message" to several addresses at the "pchome.com.tw" mail domain that are randomly selected from a list of 120 e-mail addresses. The subject of this message contains the default e-mail address of the infected computer's owner.
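
A mail-filter check built from the attachment names, sizes and subject greetings listed in this entry, added here as an example (it is not code from the original page). The function names, the three-way verdict and the zero-filled sample attachments are assumptions made for illustration.

```python
from email.message import EmailMessage

# Attachment names and sizes (bytes) as listed in the description above.
MANYMIZE_ATTACHMENTS = {
    "mi2.chm": 11397,
    "mi2.exe": 73752,
    "mi2.htm": 539,
    "mi2.wmv": 19485,
}
# Greeting prefixes the description lists for subjects.
SUBJECT_PREFIXES = ("Hi ", "Dear ", "Hello ", "My friend, ", "How are you !! ")


def score_message(msg):
    """Return (name_hits, size_hits, subject_hit) for one parsed message."""
    name_hits, size_hits = set(), set()
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in MANYMIZE_ATTACHMENTS:
            name_hits.add(name)
            payload = part.get_payload(decode=True) or b""
            if len(payload) == MANYMIZE_ATTACHMENTS[name]:
                size_hits.add(name)
    subject = msg.get("Subject", "")
    return name_hits, size_hits, subject.startswith(SUBJECT_PREFIXES)


def classify(msg):
    """'match': all four names with listed sizes; 'suspect': weaker overlap."""
    names, sizes, subject_hit = score_message(msg)
    if len(sizes) == len(MANYMIZE_ATTACHMENTS):
        return "match"
    # The greetings alone are far too common, so they only count with a name hit.
    if len(names) == len(MANYMIZE_ATTACHMENTS) or (names and subject_hit):
        return "suspect"
    return "clean"


def build_sample(subject, files):
    """Constructed test message; attachment bodies are zero-filled filler."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content("constructed sample body")
    for name, size in files.items():
        msg.add_attachment(b"\0" * size, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg
```

File names and sizes are weak indicators on their own, so a "match" verdict is best treated as a reason to quarantine and inspect, not as proof of infection.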

    Copyright © 2005 Virus-Database.com