Virus Database


Macro.Word.Minimorp

Description Macro.Word.Minimorp

This is a fairly short polymorphic Word macro virus. It contains only one macro, AutoOpen, and replicates when a document is opened. The virus does not manifest itself in any way.


I-Worm.Cervivec

Description I-Worm.Cervivec

Cervivec is an Internet worm that spreads as an email attachment.
The worm itself is a Windows PE EXE file about 230Kb in size, written in Delphi. It is compressed with UPX; the decompressed size is about 670Kb.
The infected messages have a Subject and Body randomly selected from the following variants in different languages (subject first, then body):
Vtip
Cau posilam ti cerviky tak se na to podivej (virus to neni)
Vtip
Cau posielam ti cerviky tak sa na to pozri (virus to neni)
Witz
Hallo, Ich habe ein guter Witz-Wurm so sieh! (kein virus)
blague
J'ai une bonne blague ca s'appelle verre de terre alors jette un coup d'oeil (il n'y a pas de virus)
ÉÇ×?
?Á³??×, ' ?-Ð ?Â×Í ?Á³?R'Í- Ð É×ÇÚ? ?ÁR?? Ú?Á?Ð? (Î×R -? ?³ÁÇÂ)
Joke
Hi, I have some cool joke - worms so have a look at it (no virus)
Zart
Czesc, mam swietnz dowcip - robaka. Obejrzyj go sobie (to nie jest wirus)
Chiste
Hola te mando los gusanilloes. Pues mirarlos (no es un virus)
The worm activates from an infected email only if a user clicks on the attached file. The worm then installs itself into the system and runs its spreading and 'effect' routines (colored "worms" eating the desktop).

While installing itself the worm copies itself to the Windows directory and to the SYSTEM32 subdirectory with the name "ntkrnl.exe". It then registers that file in the system registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Kernel Loader = %WindowsDir%\system32\ntkrnl.exe -LOADDRIVERS=TRUE
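
A defender's check for the auto-run entry described above, as an added example that is not part of the original description: it scans a registry export for the Run value name and file name given in the text. The sample export, the Windows directory in it and the function names are constructed for illustration.

```python
import re

# Indicators taken from the description above.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
VALUE_NAME = "kernel loader"
# "ntkrnl.exe" as a path component; the genuine kernel image is ntoskrnl.exe.
FILE_RE = re.compile(r'(?:^|[\\/])ntkrnl\.exe(?=$|[\s"])', re.IGNORECASE)
# One "name"="data" string value line of a regedit export.
VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample in regedit export format (not taken from a real host).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundTray"="C:\\Program Files\\Audio\\tray.exe"
"Kernel Loader"="C:\\WINNT\\system32\\ntkrnl.exe -LOADDRIVERS=TRUE"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Kernel Loader"="C:\\tools\\loader.exe"
'''

def unescape(s):
    """Undo .reg escaping (\\\\ -> \\, \\" -> ")."""
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Yield (key, value_name, data) for string values in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            yield key, unescape(m.group(1)), unescape(m.group(2))

def find_cervivec_autorun(text):
    """Return (name, data, reasons) for HKLM Run values matching the entry."""
    hits = []
    for key, name, data in parse_reg(text):
        if key.lower() != RUN_KEY:
            continue  # the description names the HKLM Run key only
        reasons = []
        if name.lower() == VALUE_NAME:
            reasons.append("value name")
        if FILE_RE.search(data):
            reasons.append("file name")
        if reasons:
            hits.append((name, data, reasons))
    return hits
```
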

I-Worm.Challenge

Description I-Worm.Challenge

This worm spreads using MS Outlook Express 5. It appends itself to every message sent from an infected computer. The worm does not attach itself to messages as regular worms do, but instead embeds its body into a message as a script program in Visual Basic Script language. When an infected message is opened on a victim's computer, this program doesn't appear on the screen, but instead gains control and infects the system.
To break through MS Outlook Express security, the worm takes advantage of a security vulnerability that allows script code in an HTML-based e-mail message to access ActiveX controls that should not be available in this context. Microsoft has released a patch that eliminates this security vulnerability. See http://www.microsoft.com/technet/security/bulletin/MS00-075.asp for more information. We strongly recommend that users install the patch available there, which protects them against many script worms that use this vulnerability.
The worm infects a computer in two steps:
The first step is when an infected message is displayed and the embedded script program gets control. This creates a TEMP.HTA file with the worm's copy in the Windows startup folder. (This worm is more accurate in finding the Windows startup folder. Its method works in all Windows versions, unlike that of I-Worm.KakWorm.)
The second step is that, since the TEMP.HTA file is placed in the Windows startup folder, Windows runs it upon startup. The script in this file creates the file FOLDER.HTML in the Windows system folder, containing the same script as was in the infected message, and then registers this file as the default signature file for MS Outlook Express 5. From this moment, all messages sent from the computer contain a signature with the worm's body, i.e., they are infected.

    Copyright © 2005 Virus-Database.com