Virus Database


AVCS.270.a

Description AVCS.270.a

This is a harmless, non-memory resident encrypted parasitic virus. It searches for COM files, then writes itself to the end of the file. The virus does not manifest itself, and it contains the text string:
Demovir for LamerZ [AVCS]


I-Worm.Anset.a

Description I-Worm.Anset.a

This is a worm that spreads via the Internet as an attachment to infected emails. The worm itself is a Windows PE EXE file about 462Kb in length (or about 186Kb in UPX-packed form), written in Delphi.
The message has the following fields:
Subject: ANTS Version 3.0
Message body:
Hi, Anhängend die neue Version 3.0 von ANTS, dem bislang einzigartigen kostenlosen Trojanerscanner. Zum installieren einfach die angefügte Datei ausführen. Attached you will find the brand new Version 3.0 of ANTS, the unique freeware trojan scanner. To install ANTS simply run the attached setup file.
Adieu, Andreas
webmaster@avnetwork.de
http://www.ants-online.de
Attached filename: ants3set.exe
The e-mail address and Web site mentioned in the message are fake, and the author of the ANTS anti-Trojan scanner (Andreas Haak) is not responsible for this mass mailing.

The worm activates from an infected email only if a user clicks on the attached file. The worm then installs itself to the system and runs its spreading routine.
While installing, the worm copies itself to the Windows directory under a randomly generated name, for example:
zfcy.exe
BM.exe
GG.exe
hlutl.exe
and registers this file in system registry auto-run key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Runonce ""="C:Windows.exe"
To proliferate, the worm obtains victim email addresses from the MS Outlook address book, then looks for the following files on the C: drive:
*.php *.htm *.shtm *.cgi *.pl
and extracts more email addresses from them, if there are any. Then the worm copies its EXE file under the name C:\ANTS3SET.EXE, attaches it to an email message and sends it to the victim addresses using a direct connection to an SMTP server.
The worm has some mistakes in its spreading routine and in some cases it cannot spread.

I-Worm.Apost (AKA "Readme")

Description I-Worm.Apost (AKA "Readme")

This is a virus-worm that spreads via the Internet as an attachment to infected e-mails. The worm itself is a Windows PE EXE file about 25Kb in length and written in Visual Basic Script.
The infected messages contain the following:
Subject: As per your request!
Attach: README.EXE
Body: Please find attached file for your review.
I look forward to hear from you again very soon. Thank you.

The worm activates from infected e-mail only in the case when a user clicks on the attached file. The worm then installs itself to the system, runs the spreading routine, and displays two fake messages:


While installing, the worm copies itself to the Windows directory with the README.EXE name and registers that file in the system registry auto-run key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run macrosoft = README.EXE
To send infected messages, the worm uses MS Outlook and sends messages to all addresses found in the Outlook address book.
The worm also copies itself to the root directory of all local fixed and remote (network) drives with the same README.EXE name.
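
The subject lines and attachment names given above for I-Worm.Anset.a and I-Worm.Apost can be checked at a mail gateway or over an archive of stored messages. The following is an added example, not part of the original descriptions; the function names and the sample messages are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators from the two descriptions above: (subject, attachment name), lower-cased.
INDICATORS = {
    "I-Worm.Anset.a": ("ants version 3.0", "ants3set.exe"),
    "I-Worm.Apost": ("as per your request!", "readme.exe"),
}

def attachment_names(msg):
    """Lower-cased filenames of every MIME part that carries a filename."""
    return {part.get_filename().strip().lower()
            for part in msg.walk() if part.get_filename()}

def classify(raw_bytes):
    """Return (worm, confidence) pairs for one raw RFC 5322 message.

    'high' needs subject AND attachment name to match; the attachment name
    alone is 'low', since a file called README.EXE can be benign.
    """
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    subject = (msg["Subject"] or "").strip().lower()
    names = attachment_names(msg)
    hits = []
    for worm, (subj, fname) in INDICATORS.items():
        if fname in names:
            hits.append((worm, "high" if subject == subj else "low"))
    return hits

def build_sample(subject, filename):
    """Constructed test message with a harmless placeholder attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content("constructed sample body")
    m.add_attachment(b"placeholder bytes", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for subj, name in [("ANTS Version 3.0", "ants3set.exe"),
                       ("As per your request!", "README.EXE"),
                       ("Project notes", "README.EXE"),
                       ("Hello", "report.pdf")]:
        print(subj, name, classify(build_sample(subj, name)))
```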

    Copyright © 2005 Virus-Database.com