Virus Database

Macro.Word.Johnny.a

Description Macro.Word.Johnny.a

This encrypted macro virus contains six macros, four of them are original ones, the other two are copies and they may have different names in NORMAL.DOT and infected documents:
NORMAL.DOT Infected file
Macro1 Presentv Presentv
AutoOpen
Macro2 Presentw Presentw
FileSaveAs
Macro3 Presentz Presentz
FileSave FileSave
Macro4 vGojohnny vGojohnny

The virus infects global macros area on AutoOpen and writes itself to documents on FileSave and FileSaveAs.
In some cases the virus creates new document and inserts the texts to there:
NAIPESVOH REHM

It then prints the message to status line:
Starting Autosave

The virus contains the commented line:
Our devise - A copy of "Go Johnny Go" on every computer !

Check other viruses! Be aware! Use Antiviral Software

I-Worm.Kiray

Description I-Worm.Kiray

This is a worm virus that spreads via the Internet using Microsoft Outlook. The worm appears as an email message with the attached file Kiray.EXE.
When the EXE-file is run the worm modify some of the keys in the system registry:
HKCRexefileshellopencommand""="c:windows empKiray.exe"
HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerNoDesktop=1
NoDrives=1
HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesNetworkNoNetSetup=1
This allows the worm to run its routine when running any EXE-file and after restarting the system, all icons from "Desktop" and disks icons from "My computer" are hidden.
Then the worm uses MAPI to spread itself via e-mail, by creating messages to all recipients in the Outlook address book:
Subject: Please make peace not war
Body message: The Lamers and Idiots Game
Attach: Kiray.exe

The worm also tries to check Windows Address Book (WAB) which is registered in the system registry:
HKEY_CURRENT_USERSoftwareMicrosoftWAB
Finally the worm tries to remove all files in the following directories:
c:windows*.* c:windowssystem*.* c:Program FilesMicrosoft Office*.* c:Program FilesInternet Explorer*.*
The worm is only fully functional if the attachment is saved by the user to C:WINDOWSTEMP directory. Otherwise the worm cannot spread correctly from the infected machine, as the worm's message is sent without the attached exe. file.

I-Worm.Kitro.a

Description I-Worm.Kitro.a

Kitro is a family of Internet worms. They spread using infected e-mail messages and Kazaa peer-to-peer network. All versions of the worm obtain e-mail addresses from the .NET Messenger contact list, and send infected messages to these addresses.
Messages sent by these worms may have different subjects, bodies, and attached files. They are sent using direct SMTP access to the "mail.hotmail.com" server.
This version of the worm is able to spread only by sending itself in e-mail attachments. The worm is an EXE file, its size is 220160 bytes.
Installation
The worm copies itself to the following locations:
c:system32.exe
c:archiv~1psycho.scr
The worm also sets its copy located in the root directory of disk C: up to start automatically with Windows by writing the following registry key:
[HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun]
"msn"="c:system32.exe"
The worm gathers information about .NET Messenger contact recipients by reading "Permission" values from the following registry key:
[HKEY_CURRENT_USERSoftwareMicrosoftMessengerServiceListCache.NET Messenger Service]
Value names: Allow0, Allow1, etc.
It writes all addresses gathered into the file named kiltro.dat in the current directory. Messages that are sent by the worm contain an attached file named Psycho.scr. If the worm finds its copy already installed in the system it hides the system tray window and shows some messages.
Other
The worm creates the following text files:
c:windat.vxd
c:windat.dll
with the following contents:
Programado en Santiago de Chile por ErGrone

Home