Metallica.1103
Description Metallica.1103
This is a harmless memory-resident parasitic virus. It hooks INT 21h and infects COM and EXE files. On April 22nd (Vladimir Lenin's birthday) it plays a joke with the screen: it writes random data to the video ports, and the screen starts to twitch and grimace. Under Windows the screen does not twitch, but the vertical and horizontal borders of the active window change every second. This infector contains the texts: Metallica Ver 2.2 AIDSCOMMAND
I-Worm.Peach
Description I-Worm.Peach
This Internet worm spreads via e-mail messages and sends itself from infected PCs when it is activated. It uses the Microsoft Outlook mailing system to send itself to recipients whose e-mail addresses are stored in the Outlook Address Book. The worm is written in the Visual Basic Script (VBS) programming language. It works only under operating systems with Windows Scripting Host installed (WSH is installed by default in Windows 98 and Windows 2000).

The worm uses a PDF file as a host. The virus code is included in that file as an embedded object, and the worm can be activated only manually. When the PDF file is opened by the Adobe Acrobat program (the worm doesn't work in Acrobat Reader), the user is invited to play a simple game, which is stored in an embedded object. After the embedded object is activated, the Adobe Acrobat (http://www.adobe.com/acrobat) program extracts the VBS code, writes it to a temporary folder and launches it.

The virus code creates a JPG file on the disk and shows it using Internet Explorer. Then the worm tries to find its host PDF file on the disk, and if it finds the file, sends it to the recipients listed in the Outlook Address Book. When sending itself, the worm randomly chooses an attachment name, message subject and body.

The message subject can contain the following strings:
"You have one minute to find the peach"
"Find the peach"
"Find"
"Peach"
"Joke"
The subject can also contain the "FW:" prefix and an exclamation mark at the end.

The message body is assembled from the following sentences:
"Try finding the peach"
"Try this"
"Interesting search"
"I don't usually send this things, butall"

The attachment name may be one of the following:
"find.pdf"
"peach.pdf"
"find the peach.pdf"
"find_the_peach.pdf"
"joke.pdf"
"search.pdf"

The worm uses a very complex algorithm for sending itself, which sometimes results in the worm not sending itself at all.
I-Worm.Pepex.a
Description I-Worm.Pepex.a
"Pepex" is a worm virus spreading via the Internet as an attachment to infected emails and also through the Kazaa network and IRC channels. The worm itself is a Windows PE EXE file about 32KB in length when compressed by UPX; the decompressed size is about 80KB. "Pepex" is written in Microsoft Visual C++. Infected messages have the following message field attributes:
From: "Microsoft" <information@microsoft.com>
Reply-To: "Microsoft" <microsoft@microsoft.com>
Subject: Internet Explorer vulnerability patch
Body: You will find all you need in the attachment.
Attach: setup.exe
The worm activates from infected emails only when a user clicks on the attached file. "Pepex" then installs itself to the system and runs its spreading routines.
Installing
While installing, the worm copies itself to the Windows system directory with the winsys???.exe name (where '???' is a random three-digit number) and registers this file in the system registry auto-run key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Windows task32 sys = %SystemDir%\winsys???.exe
Above, %SystemDir% represents the Windows System directory path. The worm then creates a ZIP archive with its "winsys???.exe" copy inside. The archive is created with the help of the WinZip32 utility (if it is installed). The archive name is "win32sys???.zip" (where '???' is the same random number). This archive is used later to spread through IRC channels. The worm also creates a system registry key to mark already infected systems:
HKEY_LOCAL_MACHINE\Software\RedCell
infected = yes
The worm also looks for active processes that have the letters "AV" or "av" in their names (anti-virus programs) and tries to terminate them.
Spreading: EMail
To send infected messages the worm uses a direct connection to an SMTP server (if it is registered), or to the "smtp.barrysworld.com" server. To obtain victims' email addresses the worm scans files with the ".htm" extension in the "Temporary Internet Files" directory. While spreading, the worm also creates a file named C:\Msbootlog.sys, to which its MIME-encoded copy is written.
Spreading: IRC
The worm creates the SCRIPT.INI file in the mIRC directory and writes a command to it. This command sends the infected "win32sys???.zip" file (see above) to IRC users who join an infected channel.
Spreading: Kazaa
The worm copies itself to the Kazaa directory with a randomly selected name:
icq2002.exe
wincrack.exe
mirc6.exe
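The host artifacts listed in this description can be checked together, as in the following added example (not part of the original description and not vendor code). The function name, the input shapes and the sample paths are assumptions made for illustration; the file-name patterns, registry key paths (written with backslashes) and value names are the ones given above.

```python
import re
from ntpath import basename  # Windows path semantics on any OS

EXE_RE = re.compile(r"^winsys(\d{3})\.exe$", re.I)    # winsys???.exe
ZIP_RE = re.compile(r"^win32sys(\d{3})\.zip$", re.I)  # win32sys???.zip
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
MARKER_KEY = r"HKEY_LOCAL_MACHINE\Software\RedCell"

def pepex_findings(file_paths, registry):
    """Return (indicator, detail) pairs for the Pepex.a artifacts described above.

    file_paths: Windows paths; registry: {key: {value_name: data}} (assumed shape).
    """
    # Registry key and value names are case-insensitive on Windows.
    reg = {k.lower(): {n.lower(): d for n, d in v.items()} for k, v in registry.items()}
    found, exe_ids, zip_ids = [], set(), set()
    for path in file_paths:
        name = basename(path)
        if m := EXE_RE.match(name):
            exe_ids.add(m.group(1))
            found.append(("worm_copy", path))
        elif m := ZIP_RE.match(name):
            zip_ids.add(m.group(1))
            found.append(("irc_archive", path))
        elif path.lower() == r"c:\msbootlog.sys":
            found.append(("mime_dump", path))
    # The description says the archive reuses the executable's random number.
    for num in sorted(exe_ids & zip_ids):
        found.append(("paired_suffix", num))
    run_data = reg.get(RUN_KEY.lower(), {}).get("windows task32 sys", "")
    if EXE_RE.match(basename(run_data)):
        found.append(("run_autostart", run_data))
    if reg.get(MARKER_KEY.lower(), {}).get("infected", "").lower() == "yes":
        found.append(("infection_marker", MARKER_KEY))
    return found

# Constructed sample data (not taken from a real host).
SAMPLE_FILES = [
    r"C:\WINDOWS\SYSTEM\winsys417.exe",
    r"C:\WINDOWS\SYSTEM\win32sys417.zip",
    r"C:\Msbootlog.sys",
    r"C:\WINDOWS\SYSTEM\winsock.dll",
]
SAMPLE_REGISTRY = {
    RUN_KEY: {"Windows task32 sys": r"C:\WINDOWS\SYSTEM\winsys417.exe"},
    MARKER_KEY: {"infected": "yes"},
}

if __name__ == "__main__":
    for indicator, detail in pepex_findings(SAMPLE_FILES, SAMPLE_REGISTRY):
        print(indicator, detail)
```

A file-name match alone is weak evidence; the paired suffix together with the Run value and the RedCell marker is what ties the artifacts to this description.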
Other
After installation the worm displays a fake error message: