Virus Database


Macro.Word97.UScan

Description Macro.Word97.UScan

This macro-virus contains six macros in one module "Uscan": AutoOpen, AutoNew, FileOpen, UScan, intUAppVer, blnUScanSearch.
It infects the global macros area when an infected document is opened (AutoOpen), and infects other documents when they are opened or created (FileOpen, AutoNew). While infecting, the virus checks the user initials, and if they are "AF", it displays the following message:
This file contains the UScan macro. It is not harmful, but
may spread in a disconcerting manner.

The virus turns off the Word virus protection (the VirusProtection option).
The virus code contains the following comments:
///// /// Name: UScan
//// // Author: tgho
/// // Version: 1.11.3
// Last Edited: 19th February, 1998


I-Worm.Merkur

Description I-Worm.Merkur

This is a worm that spreads via the Internet as an attachment to infected emails, through P2P networks and through IRC channels. The worm itself is a Windows PE EXE file about 45Kb in length, written in Visual Basic.
The infected messages have the following fields:
Subject: Update your Anti-virus Software

The attachment name is randomly selected from three variants:
AVupdate.exe
taskman.exe
uninstall.exe

Body:
Here is a patch for your AV software, it will cover all the latest out breaks of worms ect
(worms as in virus not earth worms! lol)

The worm activates from an infected email only if the user clicks on the attached file. The worm then installs itself on the system and runs its spreading routine.
Installing
While installing, the worm copies itself to the system under the following names:
c:\WINDOWS\taskman.exe
c:\AutoExec.exe
c:\Windows\System\AVupdate.exe
c:\Program Files\uninstall.exe
c:\Windows\Notepad.exe
c:\windows\screensaver.exe

The "AVUpdate.exe" copy is then registered in the system registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
AVupdate = c:\Windows\System\AVupdate.exe

All directory names are hardcoded in the worm body, so it fails to copy itself and infect the system if directories such as "C:\Windows" do not exist.
Spreading: Email
To get victim email addresses the worm connects to MS Outlook and sends messages to all addresses found in the Outlook address book.
Spreading: IRC
The worm creates new "c:\mIRC\script.ini" and "c:\mIRC\Program Files\script.ini" files and writes IRC commands to them that send the following message to anybody who joins an infected channel:
Hi want a cool screen saver?

and then send a copy of the worm under the name "screensaver.exe".

Spreading: P2P
To spread through P2P networks the worm copies itself into the following Kazaa, eDonkey and BearShare directories:
c:\program files\kazaa\my shared folder\IPspoofer.exe
c:\program files\bearshare\shared\IPspoofer.exe
c:\program files\eDonkey2000\incoming\IPspoofer.exe
c:\program files\kazaa\my shared folder\Virtual Sex Simulator.exe
c:\program files\bearshare\shared\Virtual Sex Simulator.exe
c:\program files\eDonkey2000\incoming\Virtual Sex Simulator.exe

Trojan Routine
The worm also has a trojan routine that deletes all files matching:
*.jpg, *.mpg, *.bmp, *.avi
in the directories:
C:\Program Files\Kazaa\My Shared Folder
c:\program files\bearshare\shared
c:\program files\eDonkey2000\incoming
To do that, the worm writes the trojan commands to the DOS batch file c:\pr0n.bat, executes it, and then deletes it.
Other
The worm displays message boxes:
on December 31st:
Win32.mercury@mm
allSaving the world before bed time...

on February 16th:

Win32.mercury@mm
...Win32.mercury Coded by Industry @ ANVXgroup...

on April 2nd:
Win32.mercury@mm
...Shout out to Every one @ Indovirus...

I-Worm.Mimail.a

Description I-Worm.Mimail.a
Mimail.a is an Internet worm spreading via infected emails. The worm itself is a Windows PE EXE file about 12KB in size when compressed by UPX; the decompressed size is about 30KB.
Infected messages contain the following text:
From: admin@%fake email address%
where %fake email address% is different every time.
Subject: your account %rnd str%
where %rnd str% is different every time.
Body:
Hello there,

I would like to inform you about important information regarding your email address. This email address will be expiring.
Please read attachment for details.

---
Best regards, Administrator
---
Attach: message.zip
The attached ZIP archive contains the "message.html" file. When opened, this HTML file drops the FOO.EXE file (a copy of the worm) into the "Downloaded Program Files" directory and runs it. To drop and execute this EXE file the worm exploits a vulnerability in Internet Explorer. This allows a Java script in the HTML file to get access to disk files without any prompts or warning messages.
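The delivery format described above (a ZIP attachment whose only purpose is to carry an HTML file) can be checked at a mail gateway before the user ever opens it. The following is an added example, not code from the original page: the function names, the finding labels and the sample message are constructed for illustration, and the HTML in the sample is inert.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

HTML_EXT = (".htm", ".html")

def zip_html_findings(msg):
    """Return (attachment, member, reason) for ZIP attachments carrying HTML."""
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        # Trust the content as well as the name: a ZIP starts with "PK\x03\x04".
        if not (name.endswith(".zip") or data[:4] == b"PK\x03\x04"):
            continue
        try:
            members = zipfile.ZipFile(io.BytesIO(data)).infolist()
        except zipfile.BadZipFile:
            findings.append((name, None, "unreadable ZIP"))
            continue
        for info in members:
            if info.filename.lower().endswith(HTML_EXT):
                stored = info.compress_type == zipfile.ZIP_STORED
                findings.append((name, info.filename,
                                 "HTML stored uncompressed" if stored else "HTML in ZIP"))
    return findings

def build_sample():
    """Constructed message shaped like the description above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("message.html", "<html><body>constructed sample</body></html>")
    msg = EmailMessage()
    msg["From"] = "admin@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "your account abcdefgh"
    msg.set_content("Please read attachment for details.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="message.zip")
    # Round-trip through bytes, as a gateway would receive it.
    return message_from_bytes(msg.as_bytes(), policy=policy.default)

if __name__ == "__main__":
    print(zip_html_findings(build_sample()))
```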


Installation
During installation the worm copies itself to the Windows directory under the name "videodrv.exe" and registers this file in the system registry autorun key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
VideoDriver = %WinDir%\videodrv.exe
The worm also creates the following files in the Windows directory:
exe.tmp - worm in HTML file
zip.tmp - worm's HTML file in ZIP archive (method "stored" - no compression).
eml.tmp - list of emails found on infected machine
To create ZIP archives the worm uses its own routine for writing the ZIP file format.
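Both I-Worm.Merkur ("Installing") and I-Worm.Mimail.a ("Installation") persist through a value in the Run key, so a host can be triaged from the text output of `reg query` on that key. The following is an added example, not code from the original page: the function names and the sample output are constructed, and the match requires both the value name and the file name given in the descriptions.

```python
import re

# Autorun values named in the descriptions above: value name -> file name.
KNOWN_RUN_VALUES = {
    "avupdate": "avupdate.exe",     # I-Worm.Merkur
    "videodriver": "videodrv.exe",  # I-Worm.Mimail.a
}
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")

def exe_basename(data):
    """File name of the command's executable, ignoring quotes, arguments and case."""
    data = data.strip()
    if data.startswith('"'):
        exe = data[1:].split('"', 1)[0]
    else:
        # Unquoted command: cut at ".exe" so paths containing spaces still work.
        m = re.match(r"(?i)(.*?\.exe)\b", data)
        exe = m.group(1) if m else data
    return re.split(r"[\\/]", exe)[-1].lower()

def suspicious_run_values(reg_query_output):
    """Return (value name, data) pairs under a Run key that match the table."""
    hits, in_run_key = [], False
    for line in reg_query_output.splitlines():
        if line and not line[0].isspace():      # key header line
            in_run_key = line.strip().lower().endswith(RUN_KEY_SUFFIX)
            continue
        m = VALUE_LINE.match(line)
        if not (in_run_key and m):
            continue
        if KNOWN_RUN_VALUES.get(m["name"].lower()) == exe_basename(m["data"]):
            hits.append((m["name"], m["data"].strip()))
    return hits

# Constructed sample of `reg query` output; not taken from a real host.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    AVupdate    REG_SZ    c:\Windows\System\AVupdate.exe
    VideoDriver    REG_SZ    C:\WINDOWS\videodrv.exe
    VideoDriver2    REG_SZ    C:\Program Files\Vendor\videodrv64.exe /tray
"""

if __name__ == "__main__":
    for name, data in suspicious_run_values(SAMPLE):
        print(f"suspicious autorun value: {name} = {data}")
```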


Spreading
To send out infected messages the worm uses a built-in SMTP engine.
To get victim email addresses the worm opens files in "Shell Folders" and "Program Files" and scans them for email-like text strings.
Other
The Mimail worm looks for the "e-gold" managing application (electronic currency, see http://www.e-gold.com), grabs information from the application form/window and stores this data in the "c:\tmpe.tmp" file. This file is then sent to four email addresses that belong to the worm's author.

    Copyright © 2005 Virus-Database.com