Virus Database


Macro.Word97.Jota

Description Macro.Word97.Jota

This macro-virus infects Microsoft Word documents. Upon each document opening, if a document is already infected, the virus starts an internal counter. When the counter exceeds 100, the virus replaces the first 100 commas in documents with a word in Russian, and also deletes 100 randomly-selected words from documents.


I-Worm.Android

Description I-Worm.Android

This is a virus-worm that spreads via Internet channels, attached to e-mail messages as the ULTRA.EXE Windows executable file. This worm is related to I-Worm_Suppl.
The worm has a very dangerous payload: within one week following computer infection, the worm erases files with the following extensions on local and remote drives: ICO, DOC, TXT, HTM, JPG, GIF, ZIP, RAR. The method of erasing is the same as that used by the I-Worm_ZippedFiles worm, and damaged files are not recoverable.
On the 5th of any month, the worm drops an ANDROID.BMP file with the "ANDROID" text in it, and registers it in the system as wallpaper.
Installing
When an ULTRA.EXE file is activated by a user, the virus gains control and installs itself into the system: it copies itself to the Windows system directory with the ANDROID.DLL name, then drops its DLL component (which is stored in the EXE file) to the same directory with the ULTRA.DLL name.
The worm then adds renaming instructions to the WININIT.INI file. These instructions rename WSOCK32.DLL to WSOCK33.DLL, and replace WSOCK32.DLL with the worm's ULTRA.DLL library. This trick causes Windows to replace its WSOCK32.DLL with a worm copy upon the next Windows restart.
Upon initializing its DLLs, Windows loads the infected (worm's) DLL instead of the original one, and as a result, the worm gains access to the network functions.
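A defender's check for the WININIT.INI trick described above, as an added example that is not part of the original description: it parses the [rename] section (each line is destination=source, applied at the next restart) and flags a pending replacement of WSOCK32.DLL. The directory paths, the watch list and the function names are assumptions, and the sample file content is constructed.

```python
import ntpath

# Assumed watch list: system libraries whose boot-time replacement deserves an alert.
PROTECTED = {"wsock32.dll"}

def parse_rename_section(text):
    """Return (destination, source) pairs from the [rename] section of WININIT.INI.

    Parsed by hand because the section legitimately repeats keys (NUL=... deletes a file).
    """
    ops, in_rename = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if in_rename and "=" in line:
            dest, src = line.split("=", 1)
            ops.append((dest.strip(), src.strip()))
    return ops

def find_dll_swaps(text):
    """Flag pending operations that overwrite a protected DLL with a differently named file."""
    ops = parse_rename_section(text)
    findings = []
    for dest, src in ops:
        dest_name = ntpath.basename(dest).lower()
        if dest_name in PROTECTED and ntpath.basename(src).lower() != dest_name:
            # Was the original moved aside first (the WSOCK32 -> WSOCK33 step)?
            moved_to = [d for d, s in ops
                        if ntpath.basename(s).lower() == dest_name and d.upper() != "NUL"]
            findings.append({"target": dest, "replacement": src,
                             "original_moved_to": moved_to})
    return findings

# Constructed sample; C:\WINDOWS\SYSTEM is an assumed location of the system directory.
SAMPLE = r"""
[rename]
NUL=C:\WINDOWS\TEMP\SETUP1.TMP
C:\WINDOWS\SYSTEM\WSOCK33.DLL=C:\WINDOWS\SYSTEM\WSOCK32.DLL
C:\WINDOWS\SYSTEM\WSOCK32.DLL=C:\WINDOWS\SYSTEM\ULTRA.DLL
"""

if __name__ == "__main__":
    for finding in find_dll_swaps(SAMPLE):
        print(finding)
```

A legitimate update that replaces the library with a file of the same name is not flagged by this heuristic, so a hit still needs the replacement file examined.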
Spreading
Upon the next Windows restart, the infected WSOCK32.DLL is loaded into the system memory and gains control. At this moment the worm gains access to, and intercepts, all the necessary library functions that the original WSOCK32 library provides. For all except two, the worm just forwards requests to the original functions, and for this purpose the worm also loads WSOCK33.DLL (the original library) into the Windows memory.
The remaining two functions are processed by the virus itself: their names are "send" and "connect." By using these functions, the worm intercepts sent e-mails and attaches its copy to these e-mails as the ULTRA.EXE file.

I-Worm.Anset.a

Description I-Worm.Anset.a

This is a worm virus that spreads via the Internet, attached to infected emails. The worm itself is a Windows PE EXE file about 462Kb in length (or about 186Kb in UPX packed form), written in Delphi.
The message has the following fields:
Subject: ANTS Version 3.0
Message body:
Hi, Anhängend die neue Version 3.0 von ANTS, dem bislang einzigartigen kostenlosen Trojanerscanner. Zum installieren einfach die angefügte Datei ausführen. Attached you will find the brand new Version 3.0 of ANTS, the unique freeware trojan scanner. To install ANTS simply run the attached setup file.
Adieu, Andreas
webmaster@avnetwork.de
http://www.ants-online.de
Attached filename: ants3set.exe
The e-mail address and Web site mentioned in the message are fake, and the author of the ANTS anti-Trojan scanner (Andreas Haak) is not responsible for this mass mailing.

The worm activates from an infected email only if a user clicks on the attached file. The worm then installs itself to the system and runs its spreading routine.
While installing, the worm copies itself to the Windows directory with a randomly generated name, for example:
zfcy.exe
BM.exe
GG.exe
hlutl.exe
and registers this file in the system registry auto-run key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Runonce ""="C:Windows.exe"
To proliferate, the worm obtains victim email addresses from the MS Outlook address book, then looks for the following files on the C: drive:
*.php *.htm *.shtm *.cgi *.pl
and extracts more email addresses from them, if there are any. Then the worm copies its EXE file with the C:\ANTS3SET.EXE name, attaches it to an email message and sends it to the victim addresses by using a direct connection to an SMTP server.
The worm has some mistakes in its spreading routine and in some cases it cannot spread.

    Copyright © 2005 Virus-Database.com