Mws.788
Description Mws.788
It is a harmless memory-resident parasitic virus. When executed, it copies itself into video memory and hooks INT 10h and INT 21h. The INT 10h handler checks for functions that change the video mode. Such a change can corrupt the virus body, so the virus removes itself from memory on these calls. The INT 21h handler checks for the Load and Execute command and infects COM files, writing itself to the end of the file. The virus calls several DOS functions via INT 21h function 5D00h. It contains the encrypted text: (C)MWSoft,1993 Rookie
I-Worm.NetSky.y
Description I-Worm.NetSky.y
This worm spreads via the Internet as a file attached to infected messages. It is written in Microsoft Visual C++ and packed using PE_Patch+TeLock. The packed file is 26112 bytes in size, and the unpacked file is 28160 bytes in size.

Infected messages

The characteristics of infected messages vary according to domain:

Sender's address: hukanmikloiuo@yahoo.com

Domain ".tc":
Message header: Re: belge
Message body: mutlu etmek okumak belgili tanimlik belge.
Attachment name: belge.pif

Domain ".se":
Message header: Re: dokumenten
Message body: Behaga läsa dokumenten.
Attachment name: dokumenten.pif

Domain ".fi":
Message header: Re: dokumentoida
Message body: Haluta kuulua dokumentoida.
Attachment name: dokumentoida.pif

Domain ".pl":
Message header: Re: udokumentowac
Message body: Podobac sie przeczytac ten udokumentowac.
Attachment name: udokumentowac.pif

Domain ".no":
Message header: Re: dokumentet
Message body: Behage lese dokumentet.
Attachment name: dokumentet.pif

Domain ".pt":
Message header: Re: original
Message body: Leia por favor o original.
Attachment name: original.pif

Domain ".it":
Message header: Re: documento
Message body: Legga prego il documento.
Attachment name: documento.pif

Domain ".fr":
Message header: Re: document
Message body: Veuillez lire le document.
Attachment name: document.pif

Domain ".de":
Message header: Re: dokument
Message body: Bitte lesen Sie das Dokument.
Attachment name: dokument.pif

Other domains:
Message header: Re: document
Message body: Please read the document.
Attachment name: document.pif

The worm is activated only if the user launches the infected file by double-clicking the attachment. The worm then installs itself on the system and starts propagating.
Installation

When installing, the worm copies itself under the name FirewallSvr.exe to the Windows folder and registers this file in the system registry autorun key:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\FirewallSvr]

Mass mailing

The worm searches for files with the extensions adb, asp, dbx, doc, eml, htm, html, msg, oft, php, pl, rtf, sht, tbb, txt, uin, vbs, wab, harvests email addresses from them and then sends copies of itself to these addresses. It creates a file in the Windows directory called fuck_you_bagle.txt, and writes its body to this file. This file is then used to generate infected messages.

Remote administration

The worm opens port 82 and tracks port activity. The backdoor function makes it possible for files to be downloaded onto the victim machine.

Other

The worm is programmed to carry out DoS attacks between the 27th and 30th April on the following servers:

www.educa.ch
www.medinfo.ufl.edu
www.nibis.de
I-Worm.Nevezed (aka Never)
Description I-Worm.Nevezed (aka Never)
Nevezed is a worm virus spreading via Microsoft Outlook. The worm itself is a JavaScript file about 4KB in size and written in Java.

Installation

During installation the worm copies itself to the Windows system StartUp directory under the name "StartUp.js" and to the Windows System directory under the name "CmdWsh32.js". It then registers this latter file in the system registry as a java-class file. The worm also creates a backup copy of itself in the root directory of other drives.

Spreading: Email

To send infected messages the worm uses MS Outlook to send messages to all the addresses found in a victim's Outlook address book. Infected messages sent by the worm have various subject titles. Possible subject titles could be:

Hello name
Hey name
Fwd: Hey You!
Fwd: Check this!
Fwd: Just Look
Fwd: Take a look!
Fwd: Loop at this!
Fwd: Check this out!
Fwd: It's Free!
Fwd: Look!
Fwd: Free Mp3s!
Fwd: Here you go!
Fwd: Have a look!
Look name!
Fwd: Read This!
Message body text is as follows:

Hello! Check out this great list of mp3 sites that I included in the attachments! I can get any Mp3 file that I want from these sites, and its free! And please don't be greedy! forward this email to all the people that you consider friends, and Let them benefit from these Mp3 sites aswell! Enjoy !

Infected messages contain one of the following attachments:

Free_Mp3s.js
Fwd_Mp3s.js
Mp3_Sites.js
Mp3_Web.js
Mp3_List.js
Mp3_Pages.js
Web_Mp3s.js
Mp3-Sites.js
Fwd-Mp3s.js
Mp3-Fwd.js
Fwd-Sites.js