Manowar.592
Description Manowar.592
It is a dangerous memory-resident, encrypted parasitic virus. On execution it copies itself into memory at the address 9000:0000 without altering the MCB list; it will halt the computer. The virus hooks INT 21h and writes itself to the end of COM and EXE files that are accessed. It contains the internal text strings: MANOWAR (C)PK
I-Worm.Borzella
Description I-Worm.Borzella
I-Worm.Borzella is a worm virus spreading via the Internet in an infected file attached to e-mails. The worm itself is a Windows PE EXE file about 50Kb in length and written in Microsoft Visual C++. The infected messages have Subject, Body and Attachment names that are each randomly selected from three variants. Infected messages contain:

Subject:
  Storielle..
  Leggete urgentemente questa e-mail!! (se avete tempo da perdere)
  Divertimento assicurato..

Body:
  Ciao, guarda l'allegatoall ti potrebbe interessare.
  Ciao, devi assolutamente vedere il file che ti ho allegato.
  Ciao, dai un'occhiata all'allegato e ti farai due risate ;-)

Attach:
  bar.exe
  pippo.exe
  porkis.exe
The worm activates only when a user clicks on the attached file. Once this is done, the worm installs itself into the system, runs a spreading routine and delivers its payload.

Installing

While installing, the worm copies itself into the Windows directory under the name dllmgr.exe and registers that file in the system registry auto-run key:

  HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Dll Manager = %WinDir%\dllmgr.exe

The worm then displays the following messages:

  Quiz
  Cosa dice un vettore ad un altro?
  Risposta
  ...Scusa, hai un momento?...

  Barzelletta
  Sai chi e il fratello di Giorgio Armani?
  Risposta
  ...Emporio!

  Quiz
  Ti trovi al volante della tua auto e circoli ad una velocitÁ costante. Alla tua sinistra c'e un precipizio. Alla tua destra un camion dei pompieri che viaggia esattamente alla tua stessa velocitÁ. Davanti a te cavalca un maiale visibilmente piu grande della tua macchina. Dietro di te ti segue un elicottero che vola raso terra. Gli ultimi due, anch'essi alla tua stessa velocitÁ. Che fai per fermarti?
  Risposta
  ...scendi dalla giostra,imbecille!!!

  Cavolata finale
  Gesu ai discepoli: 'In veritÁ, in veritÁ vi dico: y=x^2-4x+7'. I discepoli commentano un po' fra di loro, poi Pietro si avvicina mestamente a Gesu, dicendogli:
  'Maestro, perdonaci, ma non comprendiamo il tuo insegnamento...'
On September 6th the worm also displays the message:
Accadde il 6 settembre Attenzione signori!!! Oggi non e' mica un giorno fesso come gli altri: spegnete il computer e uscite,godetevi la vita,abbracciate e baciate la persona a voi piu' cara. Viva l'amore. ;-)
Spreading

To send infected messages the worm uses a direct connection to the SMTP server. To get victim email addresses the worm opens and scans the Windows Address Book (WAB).
I-Worm.Bridex.a
Description I-Worm.Bridex.a
Bridex (aka Brid) is an email worm virus spreading via the Internet in the form of an attachment to infected emails. The worm itself is a Windows PE EXE file about 115KB in length and is written in Visual Basic. To run from infected messages the worm uses the IFRAME security breach. The infected messages have an empty subject field. The attached worm copy (file) is named README.EXE. The message body looks as follows:

  Hello,
  Product Name: < data >
  Product Id: < data >
  Product Key: < data >
  Process List: < data >
  Thank you.

where < data > represents personal data from the infected machine, for example:

  Hello,
  Product Name: Microsoft Windows 98
  Product Id: 50392-668-0444778-23555
  Process List: NoneNone
  Thank you.

Some of the lines above (except the first and last lines) may be absent in infected emails (this happens when the worm fails to read or determine the necessary data).

Installing

While installing, the worm copies itself to the Windows system directory under the name REGEDIT.EXE, and to the Windows Desktop directory under the name EXPLORER.EXE, and then registers itself as the first file in the system registry auto-run key:

  HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    regedit = %WinSystem%\regedit.exe

While installing, the worm also looks for Anti-Virus applications and tries to terminate them.

Spreading

To get victim email addresses the worm scans all *.HTM and *.DBX files for email-like strings (except @microsoft.com addresses). It proceeds to send itself to all acceptable addresses found. To send infected messages the worm uses a direct connection to the default SMTP server. While spreading, the worm creates temporary files:

  Help.eml - in the Windows Desktop directory
  Brade0.tmp, Brade1.tmp - both in the Windows Temp directory

Payload

Depending on its "counters" the worm opens the Web sites:

  http://www.hotmail.com
  http://www.sex.com
The Bridex worm also drops a variant of the Funlove virus into the MSCONFIG.EXE file in the Windows System directory.
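
The two "Installing" sections above both describe persistence through a Run key, so one check can cover them. The following is an added example, not part of the original descriptions: it parses .reg export text and flags Run values that match the value and file names given for Borzella and Bridex, plus any regedit.exe or explorer.exe started from outside the Windows directory. The sample export, the function names and the C:\WINDOWS default are assumptions made for illustration.

```python
import ntpath
import re

# Value-name / file-name pairs from the two "Installing" descriptions above.
PAGE_INDICATORS = {("dll manager", "dllmgr.exe"): "I-Worm.Borzella",
                   ("regedit", "regedit.exe"): "I-Worm.Bridex.a"}
# Assumption: Windows 9x layout, where the genuine tools sit in %WinDir%.
HOME_IN_WINDIR = {"regedit.exe", "explorer.exe"}
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

SAMPLE = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Dll Manager"="C:\\WINDOWS\\dllmgr.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"regedit"="C:\\WINDOWS\\SYSTEM\\regedit.exe"
'''  # constructed .reg export text, not taken from a real machine

def parse_reg_export(text):
    """Yield (key, value name, string data) from .reg export text."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            # .reg files escape backslashes and quotes with a backslash
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            yield key, name, data

def check_run_entries(text, windir=r"C:\WINDOWS"):
    """Return (value name, path, reason) for suspicious Run-key entries."""
    findings = []
    for key, name, data in parse_reg_export(text):
        exe = re.match(r'\s*"?([^"]*?\.exe)', data, re.I)
        if not exe or not key.lower().endswith(r"\currentversion\run"):
            continue
        path = exe.group(1)
        folder, base = ntpath.split(path.lower())
        family = PAGE_INDICATORS.get((name.lower(), base))
        if family:
            findings.append((name, path, "matches " + family))
        # A bare file name (empty folder) is resolved by the system, so skip it.
        if base in HOME_IN_WINDIR and folder not in ("", windir.lower()):
            findings.append((name, path, "system tool outside " + windir))
    return findings

if __name__ == "__main__":
    print(*check_run_entries(SAMPLE), sep="\n")
```

The location check also catches the Bridex copy when the value name has been changed, since it relies only on regedit.exe being started from the system directory instead of the Windows directory.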