PHP.Neworld
Description PHP.Neworld
This is a script virus written in the PHP scripting language. It uses the same infection technique as the first known PHP virus, PHP.Pirus: it appends to files an "include" instruction that refers to the main virus code. The virus infects .PHP, .HTML, .HTM, and .HTT files in the C:\Windows directory. The virus contains the texts: Neworld.PHP Welcome To The New World Of PHP Programming neworld.php Neworld.PHP Virus - Made By Xmorfic, www.shadowvx.com/bcvg, Black Cat Virii Group.
I-Worm.Dilber
Description I-Worm.Dilber
This is an Internet worm related to the "I-Worm.Silver" worm and written by the same person. Like "Silver," it is a Windows executable written in Delphi; it accesses the Internet by using a VBS file helper and spreads to the local network.
Installation
When the worm gains control, it installs itself into the system. To do this, it copies itself to the Windows directory with the name SETUP_.EXE, and registers that file in three auto-run keys in the system registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
All these keys contain the instruction:
"Unchained Infection" = WinDir\setup_.exe
where "WinDir" is the name of the Windows directory. The worm also registers that file in the auto-run section of the WIN.INI file:
[windows]
all
run=WinDir\setup_.exe
...
If the worm fails to install a SETUP_.EXE file into the Windows directory, it copies itself there with the DILBERTDANCE.JPG.EXE name. The worm then stays in Windows as a background application (under Windows 95/98) or as a service (under WinNT), and runs its spreading routines. There are two worm routines active in the background. One of them is activated once every 40 minutes, and the second one once every hour. The first routine sends the infected messages by using the VBS file helper, and also drops and spawns five more viruses (see below). The second one infects the local network.
Sending E-mails
To send an infected message, the worm uses MS Outlook and a VBS helper file, SENDMAIL.VBS, which is a script program in the VisualBasicScript language. This script obtains all messages from the Inbox and "replies" to the first 20 of them with the following message:
Text: Hi "sendername" Received your mail, and will send you a reply ASAP Until then, check out this funny Dilbert Dance (attached)
Attached file name: dilbertdance.jpg.exe
where "sendername" is the name of the sender of the message being replied to. The worm then marks "answered" (affected) messages with a TAB character at the end of the message subject, and does not answer messages that have already been affected. In this way the worm prevents duplicate replies to the same messages. The worm also stores all affected addresses in the WINDOWS.EXE file in the Windows directory, and does not send infected messages to the same addresses twice. The worm also does not send infected messages when the victim address contains the sub-strings: .mil, .gov, admin, master, abuse
Spreading to Local Network
To spread to a local network, the worm enumerates network resources (mapped drives), looks for those that are shared for reading/writing, and looks for WINDOWS and WINNT directories there.
If one of these directories exists, the worm copies itself there with the same SETUP_.EXE name, and registers that file there in the auto-run section of the WIN.INI file and/or in the system registry. As a result, if there are computers on the network that have a Windows drive shared for reading/writing, the worm installs itself there and will be run on those computers upon restart. Because of a minor bug in the worm's code, it is unable to run its spreading routines both via e-mail and LAN.
Payload
The worm also keeps images of five viruses in its body in encoded form. Depending on the system date, the worm extracts, drops, and spawns these viruses:
When            |Virus name     |File name (dropped by worm)
----------------+---------------+---------------------------
on 7 of month:  |Win32.Bolzano  |BOLZANO.EXE
on 15 of month: |Win95.CIH      |CIH_15.EXE
on 17 of month: |VBS.FreeLink   |LINKS.VBS
on 22 of month: |Win95.SK       |WINSK.COM
on 31 of month: |Win32.AOC      |BEE_AOC.EXE
----------------+---------------+---------------------------
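The auto-run locations described for I-Worm.Dilber can be checked with a short script. The following is an added example, not part of the original description: it scans WIN.INI text and a set of registry auto-run values for the names given above. The function names and sample data are constructed for illustration, and the checks of load= lines and of double extensions in general are assumptions that go beyond what the description lists.

```python
import ntpath
import re

# Indicators taken from the I-Worm.Dilber description above.
RUN_VALUE_NAME = "unchained infection"
WORM_FILES = {"setup_.exe", "dilbertdance.jpg.exe"}
# Generalisation (assumption): harmless-looking extension before an executable one.
DOUBLE_EXT = re.compile(r"\.(jpe?g|gif|bmp|txt|doc)\.(exe|com|scr|pif|vbs)$", re.I)

def check_file(path):
    """Return a reason string if the path names a suspicious file, else None."""
    name = ntpath.basename(path.strip().strip('"')).lower()
    if name in WORM_FILES:
        return "file name used by I-Worm.Dilber"
    if DOUBLE_EXT.search(name):
        return "double extension"
    return None

def scan_win_ini(text):
    """Check run=/load= entries, but only inside the [windows] section."""
    findings, section = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "windows" and "=" in line and not line.startswith(";"):
            key, _, value = line.partition("=")
            if key.strip().lower() in ("run", "load"):
                for entry in filter(None, re.split(r"[ ,]+", value.strip())):
                    reason = check_file(entry)
                    if reason:
                        findings.append(("WIN.INI " + key.strip().lower(), entry, reason))
    return findings

def scan_run_values(key_path, values):
    """values: {value name: command} as read from one auto-run registry key."""
    findings = []
    for name, command in values.items():
        reason = check_file(command)
        if name.strip().lower() == RUN_VALUE_NAME:
            reason = 'value name "Unchained Infection"'
        if reason:
            findings.append((key_path, command, reason))
    return findings

# Constructed sample input, not taken from a real system.
SAMPLE_WIN_INI = ("[windows]\nload=\nrun=C:\\WINDOWS\\setup_.exe\n"
                  "[Desktop]\nrun=C:\\WINDOWS\\setup_.exe\n")
SAMPLE_RUN = {"SystemTray": "SysTray.Exe", "Unchained Infection": "C:\\WINDOWS\\setup_.exe"}
print(scan_win_ini(SAMPLE_WIN_INI), scan_run_values("Run key (sample)", SAMPLE_RUN))
```

Because the worm also writes these entries to writable WINDOWS and WINNT shares, the same check applies to the WIN.INI of every machine that exposes such a share.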
I-Worm.Doggy
Description I-Worm.Doggy
Doggy is a worm virus spreading via the Internet as an attachment to infected emails. The virus is written in Visual Basic Script (VBS). The 'Doggy' virus creates a copy of itself as the file 'virus.vbs' in the root directory of the C: drive. To send out messages, the virus uses MS Outlook and sends messages to all addresses found in the Outlook address book on the victim machine. The messages sent by this worm have subject and body text in Chinese and contain the attachment file: virus.vbs