Peru
Description Peru
It is a dangerous boot virus. It hooks INT 13h and writes itself to the boot sector of hard drive and floppy disks. It infects the hard drive while loading from infected floppy drive and affects floppy disks that are accessed. Because of an error while infecting floppy disks the virus writes original boot sector to one of the FAR sectors. That may corrupt data on disk.
After five infections the virus displays the message:
No Existe Otra Mujer Como JOHANA
The virus also contains the text:
Peru
Check other viruses! Be aware! Use Antiviral Software
IRC-Worm.Sonne
Description IRC-Worm.Sonne
This is an IRC worm that spreads through IRC channels using mIRC client for spreading. The worm appears on a computer as the "Sonnet.vbe" VBE program. When this file is executed by a user, the worm installs itself into the Windows directory and overwrites the mIRC SYSTEM.INI script file with new instructions.
The commands that are written to the SYSTEM.INI mIRC script intercept several events:
- when a new user enters the infected channel, (s)he is sent by the worm copy (the C:WINDOWSSONNET.VBE file).
IRC-Worm.Spth
Description IRC-Worm.Spth
This is a polymorpic worm is written in Batch script with the extensions Windows 2000/XP (cmd.exe). The worm contains two parts: polymorphic generator and main body. The polymorphic generator reconstruces the main body on each start of batch file. The worm creates its droppers with the files: SPTH.BAT and C:MIRCSATURN.BAT. It also creates the script file C:MIRCSCRIPT.INI. The script sends worm dropper (SATURN.BAT) to each user who joins the infected channel. The worm also rewrites batch files into WINDOWS directory. The worm contains the comments:
----------- BatXP.Saturn ********** by Second Part To Hell -----------
|
I think, you are looking at the code and think: "What the hell is this?"|
The answer is: A Windows XP Batch polymorph virus :D |
WinXP is using a program named CMD.EXE instate of COMMAND.COM for DOS |
You're able to make the really nice things with CMD which you wasn't |
able to do it with COMMAND.COM. |
|
Information about the virus: |
Virusnameall...................: BatXP.Saturn |
Virusauthor....................: Second Part To Hell |
Size...........................: The poly-engine has 1.301 Bytes |
The whole virus has 4.158 Bytes |
Encrypted......................: Yes, but only the virus part. |
I'll crypt also the poly engine in |
next versions. |
Polymorphic....................: Yes |
|
written from 20.11.2002 to 22.11.2002 |
in Austria |
----------------------------------------------------------------------
Modifications
IRC-Worm.Spth.b
The worm's droppers are: SPISSTOM.BAT, C:PROGRA~1MIRCMIRC.BAT
The script file name is: C:PROGRA~1MIRCSCRIPT.INI
IRC-Worm.Spth.c
The worm's droppers are: SPISSTOM.BAT, C:MIRCINSTALL.BAT
The script file name is: C:MIRCSCRIPT.INI
IRC-Worm.Spth.d
The worm's droppers are: DRRA.BAT, C:PROGRA~1MIRCSATURN.BAT
The script file name is: C:PROGRA~1MIRCSCRIPT.INI
|