Virus Database

Macro.Word.Mark

Description Macro.Word.Mark

This is an encrypted Chinese Word macro virus. It contains five macros: A, B, AutoExec, AutoOpen, ToolsMacro (stealth). The virus replicates itself when documents are opened (AutoOpen).
Depending on the random counter the virus creates a new document and writes to there a text in Chinese. It also creates the C:X.TXT file and writes to there "0" or "1" also depending on the random counter. On next Word loading (AutoExec), if there is "1" in that file, the virus appends to the C:AUTOEXEC.BAT file the commands that formats the hard drive:
format c:/u/V:MARK>nul

Check other viruses! Be aware! Use Antiviral Software

I-Worm.Prolin (a.k.a. Creative)

Description I-Worm.Prolin (a.k.a. Creative)

This is a virus-worm that spreads via the Internet by using MS Outlook. The worm itself is a Windows EXE file about 37Kb in length, and written in VisualBasic. The worm uses a standard MW97_Melissa-like way of spreading: it opens the MS Outlook address book, obtains addresses from there, and sends its copies to these addresses. The message reads as follows:
Subject: A great Shockwave flash movie
Message text:
Check out this new flash movie that I downloaded just now all It's Great
Bye
Attach name: creative.exe

The worm then sends a "notification" message to its author and informs him about the next infected computer:
To: z14xym432@yahoo.com
Subject: Job complete
Message text: Got yet another idiot

The worm also creates its copies on the C: disk with the following names:
C:creative.exe
C:WINDOWSStart MenuProgramsStartUpcreative.exe
The second copy is placed in the auto-run directory so it will be activated upon each Windows restart.
The worm has a dangerous payload. It scans all disk drives, obtains ZIP, MP3, and JPG files, and renames them to C: drive with the following name:
C:\%victimfile%change atleast now to LINUX
for example, BGAMEX.JPG and DATA.ZIP are moved to:
C:BGAMEX.JPGchange atleast now to LINUX
C:DATA.ZIPchange atleast now to LINUX
The worm also creates the text file "c:messageforu.txt", writes the text there and adds list of removed files, such as the following:
Hi, guess you have got the message. I have kept a list of files that I
have infected under this. If you are smart enough just reverse back the
process. i could have done far better damage, i could have even
completely wiped your harddisk. Remember this is a warning & get it sound
and clear... - The Penguin
C:WINDOWSSYSTEMOOBEIMAGEXBGAMEX.JPG
C:BACKUPDATA.ZIP

I-Worm.Puron

Description I-Worm.Puron

This is a virus-worm that spreads via infected e-mails, and infects Windows EXE files on computers. The worm's routines have bugs, and in some cases, halt the computer and/or corrupt files while infecting them.
The worm code has the "copyright" text strings:
(c)Vecna
Vecna is a punk rocker nowall
Infected File Run
The worm can enter a computer via infected e-mails from the local network or from any other infected file that is executed.
When the worm starts, it extracts from an infected file its "main" code (that is "pure" virus code - Win32 PE EXE file 9.5 Kb of size), saves it to the Windows TEMP directory with a randomly selected name (for example, LNBAMKON.EXE, MMCAAHAN.EXE) and executes that file.
When the virus' "main" code gains control, it moves its file to the Windows directory that is referenced in the Registry key:
HKLMSOFTWAREMicrosoftWindowsCurrentVersionExplorerShell Folders
Common Startup = %startup%
The %startup% directory name depends in Windows version, for example:
Documents and SettingsAll UsersStart MenuProgramsStartup
%WindowsDir%All UsersStart MenuProgramsStartup
The worm moves itself to that %startup% directory with a random name that has eight randomly selected digits and an .EXE extension, for example:
00544102.EXE
17060133.EXE
37154273.EXE
The worm then executes that copy in the "Startup" directory, and deletes the first copy in the Windows TEMP directory, for example:
C:VIRUS.EXE - infected file is run
C:WINDOWSTEMPMMCAAHAN.EXE - 1st copy is created and run
C:WINDOWSAll UsersStart MenuProgramsStartup0544102.EXE - this is 2nd copy, it is created here and executed. The 1st copy is deleted then.
Because of a bug, in some cases, the worm crashes in the middle of this process, and the 1st copy is left in the TEMP directory.
When this "file moving" process is complete, the worm installs a "stealth" hook, and runs the infection and e-mail spreading routines.
Infection
The infection routine when gains control, searches for a .EXE and .SCR Windows executable file on all local and network drives, and infects them. While infecting, it obtains a block from the file middle, compresses it, and stores the compressed data and worm code in the file so that the file length does not increase.
The worm also uses a polymorphic mutation engine to make the detection and disinfection process more complex.
E-mail spreading
To spread itself, the worm connects to a SMTP mail server, and sends infected messages to e-mail addresses. Both the SMTP server name and e-mail addresses, the worm obtains from WAB data files (Windows Address Book).
The infected messages are of HTML format and have fields:
From: "Mondo bizarro" [mourning@obituary.org]
Subject: Joey is dead, man... :-(
Text: A tribute to Joey Ramone (1951-2001)
Attach: ramones.mp3.exe
The worm uses one of the security vulnerabilities (Vulnerability identifier: CAN-2001-0154) that were found in MS Windows in 2001. The result of this breach is the possibility of spawning an attached EXE file without a user's action. When an infected e-mail is opened for reading or preview, the worm's EXE file is automatically run.
Microsoft already has released a patch that eliminates this vulnerability. Additional information may be found here: http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
Stealth
The worm hooks FindFile and FindProcess Windows system calls (FindFirstFileA, FindNextFileA, Process32First, Process32Next). The worm processes these calls so that its copy in the "startup" directory (see above) is not reported. As a result, the worm file is not visible in files and processes lists.

Home