Virus Database

Prime.580

Description Prime.580

It is a dangerous nonmemory resident parasitic virus. It searches for .COM files and writes itself to the beginning of the file. While infecting it encrypts and saves the original file beginning to the end of the file. This virus disables the IRQ signals, it can halt the computer. On 1st of any month it displays:
Prime Evil! (C) Spellbound, Line Noise 1992.
Coded in Stockholm, Sweden.
Please spell my name right!

and 'shifts' the screen, if the monitor is CGA or EGA.

Check other viruses! Be aware! Use Antiviral Software

I-Worm.Mari

Description I-Worm.Mari

This is an Internet worm that spreading via e-mails being attached as an EXE file. The worm itself is a Win32 executable file about 12Kb in length, written in VisualBasic. To spread, the worm connects to MS Outlook, obtains the e-mail addresses from the address book, then sends messages to these addresses. The infected messages contain the following:
Subject: Hi!
Body: check this out!!!
Attach: system32.exe
The worm also installs itself to the system. It copies itself to Windows and to WinNT directory with SYSTEM32.EXE name. The worm copies itself to the directory on the current drive, and fails to spread further if it is run not on the C: drive (in the instance when the temporary directory where the worm copy is saved from an infected message is not on the C: drive). The worm also fails to infect the system in case Windows is installed in a directory with another name.
The worm registers itself in the auto-run key in the system registry:
HKLMSoftwareMicrosoftWindowsCurrentVersionRun
SYSTEM32 = C:WindowsSYSTEM32.exe
or
SYSTEM32 = C:WinntSYSTEM32.exe
The 'a' version of the worm also modifies the WIN.INI file with auto-run keys under Win9x/ME:
[windows]
load="C:WINDOWSSYSTEM32.exe
open="C:WINDOWSSYSTEM32.exe"

[winnt]
load="C:WinntSYSTEM32.exe
open="C:WINDOWSSYSTEM32.exe"
The worm then stays in the Windows memory as a hidden (service) process and creates the "marijuana" icon in-tray:

Upon a mouse click on the icon, the worm displays the message:
IMPORTANT: PLEASE READ
I think i speak for every pot smoker in North America when i say: *Legalize Marijuana*allI mean if people with AIDS, Cancer and other deaises can use it then why cant the rest of us (pot smokers) use it?, I dont think that's very fair (Do you?). If it's legal to grow and use in places like: Australia (for personal use) then why not in North America? If doctors are useing it as a treatment for illness then it must not be *THAT* harmful (So why can't other people use it?). I really do think the federal goverment should consider legalization of marijuana. Well that's really all i have to say on the matter, but i do hope somebody, somewhere listens to what i have to say and does not just regard this as just another *virus* because it's more then that, it's a message, a message for freedom, the freedom to smoke up and have the chose to do so *WITHOUT* fear of punishment from the law and the goverment. Thank you for your time.
At 4:20 and 16:20, the worm displays the message box:

The worm also modifies the following registry keys:
HKLMSoftwareMicrosoftWindowsCurrentVersion
RegisteredOrganization = Stoner's Pot Palace.
RegisteredOwner = Im A Pot Head!

HKCUSoftwareMicrosoftInternet ExplorerMain
HKCUSoftwareMicrosoftInternet ExplorerMain
Start Page = http://my.marijuana.com
Window Title = Marijuana Explorer (LEGALIZE IT!!!)

I-Worm.Masana

Description I-Worm.Masana

I-Worm.Masana is a worm virus spreading via the Internet as an attachment to infected emails. The worm itself is a Windows PE EXE file about 107Kb in size - ASPack compresses it, the decompressed size is about 138Kb, written in Delphi.
Infected messages contain the following:

Another variant is the same subject and body as above but in Russian.

The worm activates from infected email only when a user clicks on the attached file. The worm then installs itself into the system, runs its spreading routine and payload.
The worm has bugs in its code; as a result some of its routines don't work.
Installing
While installing the worm copies itself into the Windows system directory with under the msys32.exe name and registers this file in the system registry (under Windows NT) or in the SYSTEM.INI (under Windows 9x) auto-run keys:
SYSTEM.INI
[boot]
shell=Explorer.exe msys32.exe -dontrunold

HKLMSoftwareMicrosoftWindowsCurrentVersionRun

Run as Administrator

Under Windows NT systems the worm gains Admin privileges. To do this the worm uses a breach in Windows NT security (so-called DepPloit exploit).
The Masana worm creates two additional files on disk that manage the exploit:

ERunAsX.exe
ERunAsX.dll

The worm then creates another copy of itself under the name EEXPLORER.EXE name and by using DepPLoit exploit starts this copy with administrator rights.
Spreading
To send infected messages the worm uses Windows MAPI functions.
To get victim email addresses Masana:

looks for *.HTM* files and extracts email-like strings
by using Windows MAPI functions it reads all unread messages from the Inbox and answers them.
Each time Masana is run it also sends infected message to the masyana@nm.ru address. This message looks as follows:
Subject: Masyanya!
Body: gygygy!
Attach: Masyanya.exe

Payload
On Mondays the worm starts a DoS (Denial of Service) attack on kavkaz.org.
Other
This worm also:

disables the MS Outlook Express 5.0 MAPISendMail warning.
adds to the system the user named masyanechkaa with Admin privileges (under Windows NT) I-Worm.Masana also contains the text string:

I-Worm.Masyanya v1.0 8) Just a hello-world wormall
The worm also creates an additional registry key that indicates the system is already infected:

HKCUEnvironmentID = 1

Home