Macro.Word97.Persilman
Description Macro.Word97.Persilman
This virus contains eight modules: AutoExec, AutoOpen, FileSaveAs, FilePrint, FileOpen, FilePrintDefault, PersilMan, ClearKepek. It infects the system when an infected file is opened, and it infects documents when they are saved under a new name. From May onward, starting from the 21st of the month, if the seconds value of the system time is not less than 55, the virus appends the following strings to a document when it is printed:

PersilMan will take his revenge you will be cleaned up by PersilMan, SOON
I-Worm.XCod
Description I-Worm.XCod
This is an Email/IRC worm. The worm body itself is a Win32 PE EXE file written in Visual Basic. The worm has too many bugs to be described well.

It copies itself to:

C:\windows\install_.exe
C:\windows\system\sysboot_.exe

and registers itself in the following Registry keys:

HKEY_CLASSES_ROOT\exefile\shell\open\command
  "C:\windows\system\systray_.exe" %1 %*

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  SystemTray = C:\Windows\system\systray_.exe
  SystemTray = C:\Windows\system\sysboot_.exe
(the last line overwrites the first one, so the first line disappears from the system registry).

HKEY_LOCAL_MACHINE\Software\Winsysinfo
  Program Name = X-Coderz
  CurrentVersionNumber = X-Coderz.VBS.03.A
(it intends to write more lines there, but fails).

The messages sent by Email (it also fails to do that) contain the INSTALL_.EXE file as an attachment. The message text and subject are selected from these variants:

Hey Hey, How Are Things? I'm Writing This E-Mail To Let You Know Of An Attachment Im Sending With The Next Mail You Will Probably Find. It Very Useful. I did! See You Soon
Hey Its Me Again,Here You Go Its The Installation Program For An Adults Only Explicit Screensaver (Pornographic)
Hey Its Me Again,Here You Go Its The Installation Program For An Outlook Express Security Upgrade
Hey Its Me Again,Here You Go Its The Installation Program For A Microsoft Explorer Patch V7.5 (Required For Many Sites)
Hey Its Me Again,Here You Go Its The Installation Program For A Cool Game I Found On The Web, Try It!
Hey Its Me Again,Here You Go Its The Installation Program For An Excellent MP3 Player With Plug-Ins LIMITED EDITION

To spread itself through IRC channels, the worm affects the mIRC client in the C:\Mirc directory. The worm writes (successfully) the SCRIPT.INI file with commands that send a copy of the worm under the name "installx2.exe" to IRC channels, together with the following message:

You gotta see this. Talk about hard core, jesus!! This is kinky at its bestall you gotta see this, just look at it!!

The worm deletes Norton Anti-Virus data files:

C:\Program Files\Norton AntiVirus\*.dat

On June 22 the worm intends to display (but fails) the message box:

X-Coderz VBS Virus 0.3 X-Coderz Have Taken Control

then:

X-Coderz??? Remove Virus From Your System?

and then:

X-Coderz FUCK YOU!!!!!!
I-Worm.Yanker
Description I-Worm.Yanker
Yanker is a very dangerous multicomponent worm-virus that spreads via the Internet as a RAR archive attached to infected emails. Infected emails contain:

Subject: Hi,my new webpage ;o)
E-mail body: Hi: Here is my new webpage.Please check it,and give Me some Advice.
Attachment name: webpage.rar

The RAR archive contains the file webpage.htm and a subfolder named images, where the main components of this virus are stored:

folder.htt (controls MS Explorer file and folder display settings; attributes: system/hidden)
main_59.exe (dropper file, written in Delphi, packed by UPX (57KB); attributes: system/hidden)
main_60.exe (PSW.PassDumper, packed with UPX (20k); attributes: system/hidden)

The images folder also contains several harmless files in various formats, such as gif, css and more. These files are components of a webpage.

Installing, Spreading, Payload
After the infected RAR file is unpacked, the Yanker worm can gain control of a user's system in two ways: when the webpage.htm file is opened, or when the images folder is viewed using MS Explorer. In both cases the Yanker worm uses the same CodeBaseExec exploit, attached to the end of the files, to launch itself. The file (program) main_59.exe runs without victim users being able to notice anything.

The main_59.exe program ascertains the current IP address of the infected computer and stores it in a text file (ip.txt). Then it extracts and launches the worm's main component, yankee.vbs, a file 4KB in size written in Visual Basic Script. Simultaneously, the worm checks the system registry for the following key string:

HKCU\SOFTWARE\yankee yankee=1

If this string already exists, the worm ceases all activities.

The yankee.vbs script does the following:

Sends the ip.txt file with the infected computer's IP address and all passwords found in the system (using PassDumper) to the following e-mail address: xdvirus@peoplemail.com.cn
Sends its "webpage.RAR" archive to all the addresses found in the MS Outlook address book.
Writes the following key string into the Windows System Registry: HKCU\SOFTWARE\yankee yankee=1
Deletes all accessible non-system folders on hard and removable drives.
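Added example (not part of the original descriptions): a Python check that scans a registry export for the registry changes described above for I-Worm.XCod (hijacked exefile handler, Run entries) and I-Worm.Yanker (the yankee marker). The sample export is constructed, and expanding HKCU to HKEY_CURRENT_USER with the marker stored as a string or DWORD value is an assumption about how "yankee=1" is stored.

```python
import re

# Constructed sample in .reg export syntax (not captured from a real host).
SAMPLE_EXPORT = r'''
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\windows\\system\\systray_.exe\" %1 %*"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="C:\\Windows\\system\\sysboot_.exe"
"Updater"="C:\\Program Files\\Vendor\\update.exe"
[HKEY_CURRENT_USER\SOFTWARE\yankee]
"yankee"="1"
'''

EXEFILE_KEY = r"hkey_classes_root\exefile\shell\open\command"
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
YANKEE_KEY = r"hkey_current_user\software\yankee"   # assumed expansion of HKCU
CLEAN_EXEFILE = '"%1" %*'                           # Windows default .exe handler
XCOD_FILES = ("install_.exe", "sysboot_.exe", "systray_.exe")  # from the description
VALUE_RE = re.compile(
    r'^(@|"(?:[^"\\]|\\.)*")=(?:"((?:[^"\\]|\\.)*)"|dword:([0-9a-fA-F]{8}))$')

def parse_reg(text):
    """Return {key_lower: {value_name: data}} for string and DWORD values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
            if m.group(3):                       # DWORD: store as decimal text
                current[name] = str(int(m.group(3), 16))
            else:                                # string: undo .reg escaping
                current[name] = re.sub(r"\\(.)", r"\1", m.group(2))
    return keys

def find_indicators(text):
    # Returns a list of (indicator_kind, detail) tuples, in a fixed order.
    keys, hits = parse_reg(text), []
    handler = keys.get(EXEFILE_KEY, {}).get("@")
    if handler is not None and handler.strip() != CLEAN_EXEFILE:
        hits.append(("exefile-hijack", handler))
    for name, data in keys.get(RUN_KEY, {}).items():
        if any(f in data.lower() for f in XCOD_FILES):
            hits.append(("xcod-run-entry", f"{name}={data}"))
    if keys.get(YANKEE_KEY, {}).get("yankee") == "1":
        hits.append(("yanker-marker", "yankee=1"))
    return hits
```

Calling find_indicators(SAMPLE_EXPORT) reports all three indicators; an export whose exefile handler is the default "%1" %* and which has no matching Run entries or marker yields an empty list.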