Virus Database

Macro.Word.Satanic

Description Macro.Word.Satanic

It is an encrypted virus. It contains five macros: AutoOpen, AutoNew, AutoExec, AutoExit, AutoClose, and infects the system and documents on creating or closing a document, as well as on AutoExec and AutoExit calls.
On MS Word startup the virus deletes several menu items (macros edition items). On AutoExit on October 1st the virus formats the hard drive, it calls DOS COMMAND.COM to perform the command:
echo y|Format c: /u

On creating new document on September 30, the virus displays the message box:
Nightmare Joker :-)
You're infected with Satanic

On AutoOpen the virus creates the script file C:FUN.SCR containing hexadecimal dump of "Claudia" DOS virus. Next it creates and executes the batch file C:FUN.BAT:
@echo off
debug < Fun.scr > nul
@echo off
nc.com
@echo off
del Fun.scr

Then the virus creates profile section (WIN.INI file) and checks it on next dropping the DOS virus:
[Control]
Installed=YES

The virus also contains remarked text:
Greetings to Dark Night! Thats good. :-)

Check other viruses! Be aware! Use Antiviral Software

I-Worm.Sonic

Description I-Worm.Sonic

This is a multi-component Internet-worm infecting Win32 machines and spreading in e-mail messages as an attached EXE file. The worm has several components, and is able to "upgrade" itself from an Internet Web site.
There are two principal worm components: Loader and Main component.
The Loader is a Windows EXE file about 25K in size (it is compressed by a UPX PE EXE file-compression utility, which being decompressed reaches about 70K in size). When the loader is activated on a computer (being run from e-mail attach), it registers itself as a hidden process (service), copies itself to the Windows system directory with the name GDI32.EXE, and registers in the auto-run system registry key:
HKLMSoftwareMicrosoftWindowsCurrentVersionRun
GDI = WinSystemGDI32.EXE
where "WinSystem" is the Windows system directory name. As a result, the worm Loader then is executed upon each Windows startup. Note that there are standard Windows components in this directory: GDI.EXE and GDI32.DLL. The worm uses the GDI32.EXE name to disguise itself in a standard Windows environment.
To hide its activity, the worm then displays the fake error message:
FileName n' est pas une application Win32 valide.
where FileName is the actual file name the worm was started from.
The worm then activates the main procedure that obtains and executes the Main component. It enters the http://www.geocities.com/olivier1548/ Web page and obtains several files from there:
LASTVERSION.TXT - a text file with the number of the latest worm version available there. If there is no new version, the worm exits.
nn.ZIP - latest version of worm Main component, "nn" is defined in LASTVERSION.TXT.
GATEWAY.ZIP - latest version of worm Loader component.
The nn.ZIP and GATEWAY.ZIP files are not actually archives, but an encrypted Windows EXE file. The worm Loader decrypts them, copies to the Windows directory and spawns. As a result, the Main component is activated on the computer.
The Main worm component is the Windows EXE file about 40K in size (it is compressed by a UPX PE EXE file-compression utility, which being decompressed reaches 120K in size). It is installed to the Windows directory with the GDI32A.EXE name and is registered in the system registry in a similar way as described above for the virus loader. The main components then, depending on some conditions, open the Windows Address Book, obtain Inet addresses from there and send infected e-mail messages. In the known worm version, these messages have:
Subject: Choose your poison
Attached file name: girls.exe
The Main worm component also has Backdoor abilities to watch at infected computer and run its resources from remote host machine.

I-Worm.Spam.Brief

Description I-Worm.Spam.Brief
Spam.Brief is a worm virus spreading via the Internet as an attachment to infected emails. It is written in Visual Basic Script (VBS).
To send out messages the virus uses MS Outlook and sends messages to all addresses found in a victim machine's Outlook address book. The messages sent by the worm have the following subject:
here comes the subject
Message body text:
here comes the body
Attachment name:
virus.bat
Spreading
The virus spreads only when the file virus.bat appears in the root directory on drive C:. Thus the enclosed file will not work if the operating system tries to process it as a BAT-file.
Other versions
The virus is written in Visual Basic Script (VBS). To send out messages the virus uses MS Outlook to send infected messages to all addresses found in the Outlook address book. These messages sent by the trojan have the following subject:
Nice couple
Message body text:
They want to meet you. http://briefcase.yahoo.com/youngwifedawn
The message itself does not contain an attached copy of the trojan.

Home