Virus Database

Macro.Word.TZ

Description Macro.Word.TZ

This Word macro virus contains 5 macros: AutoClose, AutoExec, AutoNew, AutoOpen, TZ.
It infects the global macros area on opening an infected document (AutoOpen). Documents get infection on opening, closing and creation (AutoOpen, AutoClose, AutoNew).
The virus detects itself by empty macros TZ. The virus does not manifest itself in any way.

Check other viruses! Be aware! Use Antiviral Software

I-Worm.Chet.a

Description I-Worm.Chet.a

This is the worm virus spreading via the Internet being attached to infected emails. The worm itself is a Windows PE EXE file about 27Kb of length written in Microsoft Visual C++.
The infected messages have following fields:
From: main@world.com
To: You
Subject: All people!!
Attach: 11september.exe
Body:

The worm activates from infected email only in case a user clicks on attached file. The worm then installs itself to the system and runs spreading routine.
Installing
While installing the worm copies itself to Windows system directory with the "synchost1.exe" name and registers that file in system registry auto-run key:
HKCUSoftwareMicrosoftWindowsCurrentVersionRun ICQ1 = %SystemDir%synchost1.exe
The original file is then deleted.
Spreading
To get victim emails the worm connects to MS Outlook and sends messages to all addresses found in Outlook address book. It also gets to WAB file(s) and reads victim emails from there.
To send infected messages the worm uses direct connection to SMTP server "mail.ru".
Other
The worm also sends two notification messages to its "master". One notification is sent before spreading (see above), the second message is sent just after spreading routine. These two messages are sent to three addresses:
connectionICQ@mail.ru
Icq_Premium@mail.ru
PremiumServ@mail.ru
They have following subjects:
message1: Otchet from user
message2: Otchet2 from user
The message body contains victim emails list and worm's EXE file full name.

I-Worm.Choke

Description I-Worm.Choke

This is the worm virus spreading via the Internet by using MSN Messenger (instant messaging program). The worm itself is Windows EXE file about 40Kb of length written in VisualBasic.
When infected file is run, the worm copies itself to C:CHOKE.EXE, then registers this file in registry auto-run key:
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun Choke = C:choke.exe -blahhh
then dislays two fake messages:
Choke
This program needs Flash 6.5 to run!

Run time error
Cannot run program!, Quiting
The worm also creates the C:ABOUT.TXT file and writes following text to there:
Choke , Copyright î 1886 all A MAD CHRISTIAN
---------------------------------------
Go talk swearwords about God
You all will die, stupid humans.
You fools didn't see what you have done
Bye slut, go talk shit about me.
(Call me a 'psychophatt', but I respect the Creator of life...)
' Consider your earth '
The worm then gets to spreading routine. That routine waits for incoming message and replies with the text:
"President bush shooter is game that allows you to shoot Bush balzz" hahaha
and send to victim a request to receive the worm EXE file. The EXE file name is randomly selected from three variants:
choke.exe
ShootPresidentBUSH.exe
%username%.exe
where %username% is the name of victim visible in MSN network.
In case the incoming message starts with "hey!" the worm reports with information of victims that were sent by infected messages:
PPL: %n
I got %n son of a bitches.
%username%, status = %n
Send to %n ppl
%username% (request sent)
%username% (accepted)
where %username% is the name of victim visible in MSN network, and %n are different numbers.
The worm also creates the "dalist.txt" file and writes to there the list of already infected users (addresses to where the worm was sent already). The worm checks that list and does not send its copies twice to the same address.
The worm also seems to send messages to %random%@pager.icq.com addresses with the text:
From: George.W.Bush@whitehouse.gov
Text: Micro$oft invites you to use MSN Messenger!

Home