Virus Database


Macro.Word97.Jim.b

Description Macro.Word97.Jim.b

Upon document closing, the virus checks running applications and if one of the following applications is found: Outlook, Internet Explorer or ICQ, the virus collects information about a computer and tries to send it to one of the FTP servers on the Internet.
The collected information includes:
First found .PWL file on drive C:
User name
Time document infected
Application
Country code
Free disk space
Generation of virus
Processor type
Operating system
The virus also searches for a Pegasus Mail application, and if it finds one, it creates a message with an attached infected document.
If the MIRC client is installed on a computer, the virus drops a script that instructs MIRC to send an infected document to every computer joined to the same IRC channel as the infected computer.
The virus has a payload procedure that is triggered on the second day of the month. This procedure inserts the following text into the active document:
[Mr Jim/SeptiC/TI] - Do you have what it takes to become an international
bussiness man!?
[Mr Jim]/SeptiC/TI '99


DDoS.Win32.Boxed.a

Description DDoS.Win32.Boxed.a

This is a DDoS (Distributed Denial of Service) Trojan. It conducts a SYN Flood attack on a number of servers in the bootcom.com domain. It works under Windows NT.
When launched, it creates a service named Secure transactions provider, which covertly starts each time the system boots up.
The service launches five threads, each of which sends TCP packets to one of the servers under attack at high frequency, with SYN flags set. This will cause the network to slow noticeably.

DDoS.Win32.Kozog

Description DDoS.Win32.Kozog

This is a Win32 DDoS (Distributed Denial of Service attack) Trojan that was distributed by a hacker (or hacker group) in November 2000. The Trojan was sent as an e-mail message with an attached file.
The message text and header look as follows:
--------------------------------------------------------
From: World Travel Agency Ltd. [office4@worldtravel.com]
Sent: November 21, 2000 5:31 PM
To: All tourists and vacationist
Subject: Celebrate the New Millenium!

World Travel Agency Ltd.
359 BTC Drive
P.O. Box 134108
Seattle, WA 98108-23
USA

Dear Sir/Madam

Celebrate the New Millenium! Discover the Paradise!

We offer the most attractive package for the New Millenium celebrations you have ever seen.
Pure nature, modern architecture and high technologies are fused to create the perfect resort.
Reasonable prises, correctness, high quality services.
Click on the zip-file below to see our offer!
Make your neighbours envy!

Best Regards,
--------------------------------------------------------
The attached file is made to appear as a ZIP archive, but it is a Windows EXE file with the following name:
"OFFER2001.ZIP [many spaces] .EXE"
This is the Trojan "installer", which will affect a computer if it is run. Because of the "spaces" trick, the file is displayed as a .ZIP file in many cases, which could deceive a user into opening it.
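A filename check for the padded double-extension trick described above, as an added example that is not part of the original description. The extension lists, the padding threshold and the sample names (including the 40 spaces standing in for "[many spaces]") are assumptions.

```python
# Added example: flag attachment names that hide an executable extension
# behind a decoy extension and/or a long run of whitespace.

# Extensions Windows runs on double-click (illustrative subset, an assumption).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "lnk"}
# Extensions users tend to treat as harmless (illustrative subset, an assumption).
DECOY_EXTS = {"zip", "rar", "txt", "doc", "pdf", "jpg", "gif"}
# Whitespace run long enough to push the real extension out of view (assumption).
MIN_PADDING = 8


def inspect_name(name):
    """Return what the user sees versus what the system will execute."""
    # Windows ignores trailing spaces and dots, so drop them before parsing.
    name = name.rstrip(" .\t\u00a0")
    stem, dot, ext = name.rpartition(".")
    real_ext = ext.lower() if dot else ""
    visible = stem.rstrip()             # the part shown before the padding
    padding = len(stem) - len(visible)  # whitespace in front of the real extension
    _, vdot, vext = visible.rpartition(".")
    decoy_ext = vext.lower() if vdot and vext.lower() in DECOY_EXTS else None
    suspicious = real_ext in EXECUTABLE_EXTS and (
        decoy_ext is not None or padding >= MIN_PADDING
    )
    return {
        "visible": visible,
        "real_ext": real_ext,
        "decoy_ext": decoy_ext,
        "padding": padding,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    # Constructed sample names; the first mirrors the pattern described above.
    samples = [
        "OFFER2001.ZIP" + " " * 40 + ".EXE",
        "report.pdf.exe",
        "invoice" + "\u00a0" * 20 + ".scr",
        "setup.exe",
        "holiday photos.zip",
    ]
    for s in samples:
        r = inspect_name(s)
        verdict = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{verdict:10} shown={r['visible']!r} real=.{r['real_ext']} pad={r['padding']}")
```

A mail gateway or endpoint rule would apply the same comparison to the decoded attachment name rather than the name as rendered in the mail client.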
Installation
When the EXE file (Trojan installer) is run, it extracts two more executable files from itself and copies them to the Windows system directory with the following names:
MRE.DLL
SOUNDV.EXE
Under Win9x and WinNT, these files are then registered in the auto-run sections in different ways. Under WinNT, the Trojan registers the SOUNDV.EXE file in the system registry:
SOFTWARE\Microsoft\Windows\CurrentVersion\Run soundv.exe
Under Win9x, the DLL file is registered in the [boot] section of the SYSTEM.INI file:
drivers=mre.dll
The Trojan then displays the following fake error message:
Error
A requred DLL does not exist.

(the grammar mistake is left as it is in the Trojan code).
SOUNDV.EXE is the DoS Trojan itself. MRE.DLL is a small program that just executes SOUNDV.EXE each time it is run. As a result, under both Win9x and WinNT, the SOUNDV.EXE component will be activated.
DoS Attack
When this file is run (upon the next Windows restart), it stays active as a hidden application (service), enables the auto-dial option in the Internet settings, and then performs a DoS attack on the server "kozirog.netissat.net".

    Copyright © 2005 Virus-Database.com