Virus Database

Astra Family

Description Astra Family

Astra.498,510,521
These are not dangerous memory resident parasitic viruses. They move themselves into Interrupt Vectors Table at the address 0020:XXXX, hook INT 21h and infect SYS-files of the current directory on every call to DOS function FindFirst. The viruses write themselves at the file end, in which they modify only interrupt subroutine address.
The viruses of this family contain the text "(5)" and depending of the virus version one of the following strings:
(C) AsTrA,1990,JPN
(C) AsTrA,1990
(C) AsTrA,JPN
(C) AsTrA, 1991

The infectors display one of the messages:
I like cold flavour !
I like fragrant smell of flower!
I like a flower's smell!

"Astra.7821" displays a picture in graphic video mode.
Astra_II viruses
These are dangerous memory resident encrypted parasitic viruses. On execution they search for not infected files and hit them, hook INT 21h and stay memory resident. Then these viruses infect the files are executed. "Astra_II.505,882,976" hit COM-files only, other "Astra_II" viruses hit both COM- and EXE-files, "Astra_II.1556" hits COM-, EXE- and SYS-files.
In depending of system timer they encrypt (XOR 55h) Disk Partition Table of hard drive's MBR, then some of them change video font table. They contain the internal strings:
"Astra_II.505": (C) AsTrA, 1991 (1)
"Astra_II.882,976": (C) AsTrA, 1991 (2)
"Astra_II.927": (C) AsTrA, 1991 Child's Play (3)
"Astra_II.1010": (C) AsTrA, 1992 (3)
"Astra_II.1556": Child's Play (C) AsTrA
4D *.COM *.EXE *.SYS (4)

Check other viruses! Be aware! Use Antiviral Software

I-Worm.MyLife.c

Description I-Worm.MyLife.c

MyLife is a family of worms (different versions) spreading through the Internet as infected email attachments. The worms themselves are Windows PE EXE files, written in Visual Basic and compressed by the UPX file compression utility.
The worm is activated only if users click on the attachment. Once executed, MyLife installs itself into the system and runs its spreading routine.
When MyLife is launched for the first time it shows either a window with a picture or message, which one depends on the particular version.
Two possible MyLife pictures:


While installing this worm copies itself to the Windows System directory and registers this copy (file) in the system registry auto-run key.
MyLife uses Microsoft Outlook to send messages to all addresses found in the Microsoft Outlook Address Book.
File size : about 8Kb.
Decompressed file size : about 25Kb.
Email content:
Subject:
The List

Body:

Hiiiii
How are youuuuuuuu?
Here is that Notepad you asked for all don't show anyone else ;-)
Notepad = list
list = 137
buyyyy
========No Viruse Found========
MCAFEE.COM
--------------------------------------------------------
Attachment name:
List.TXT.scr
File name in the infected system:
%SystemDir%List.TXT.scr
Affected registry key:

HKCUSoftwareMicrosoftWindowsCurrentVersionRun
sys=%SystemDir%List.TXT.scr
Visual effect: when MyLife is launched for the first time, it displays the following message:


Payload: MyLife checks the current date, if the current minute value is greater or equal to 50 it executes format commands for disks D:, E:, F:, G:, H: and I:, it also deletes all the files and directories on disk C:. Then the worm shows the following message:

I-Worm.MyLife.d

Description I-Worm.MyLife.d

MyLife is a family of worms (different versions) spreading through the Internet as infected email attachments. The worms themselves are Windows PE EXE files, written in Visual Basic and compressed by the UPX file compression utility.
The worm is activated only if users click on the attachment. Once executed, MyLife installs itself into the system and runs its spreading routine.
When MyLife is launched for the first time it shows either a window with a picture or message, which one depends on the particular version.
Two possible MyLife pictures:


While installing this worm copies itself to the Windows System directory and registers this copy (file) in the system registry auto-run key.
MyLife uses Microsoft Outlook to send messages to all addresses found in the Microsoft Outlook Address Book.
File size : about 9Kb.
Decompressed file size : about 25Kb.
Email content:
Subject:
New Screen Saver
Body:

Hiii
How are youu!!?
look to the New Screen Saver it's vvvery verrrry ffffunny :-) :-)
i promise you will love it? Ok
buy
========No Viruse Found========
Attachment name:
Screen.scr
File name in the infected system:
%SystemDir%Screen.scr
Affected registry key:

HKCUSoftwareMicrosoftWindowsCurrentVersionRun
Screen=%SystemDir%Screen.scr
Visual effect: when MyLife is launched for the first time it displays the following message:

? Error ?
? Error 1452544 File Not Found ?
Payload:when the worm is launched for the second time it deletes .SYS files in the Windows directory, files with the extensions .SYS, .VXD in the Windows System directory and all files in the C: root directory.

Home