Virus Database

Printerceptor

Description Printerceptor

It's a dangerous memory resident multipartite companion virus. It hooks INT 21h and on execution of .EXE-files it creates companion .COM-files. On selection of a new disk it overwrites boot sector of A: drive with trojan program and saves itself at the last sectors of A: drive. On loading from that drive the trojan programs scans disk sectors for EXE-files and overwrites them by this virus (code which is stored at the last disks sectors). Two months after infection this virus disables calls to printer (sets INT 17h to IRET instruction). This virus contains the internal text string:
Printerceptor

Check other viruses! Be aware! Use Antiviral Software

I-Worm.Mawanella

Description I-Worm.Mawanella

This Internet worm spreads via e-mail messages using MS Outlook. The worm is written in Visual Basic Script language (VBS) and spreads as a "Mawanella.vbs" file attached to an e-mail message.
This is a typical Loveletter-like VBS worm; however, it is encrypted (encoded) to bypass heuristic scanners.
This worm spreads via e-mail by sending infected messages from infected computers. While spreading, the worm uses MS Outlook, and sends itself to all addresses that are stored in the MS Outlook Address Book. As a result, an infected computer sends as many messages to as many addresses that are kept in the MS Outlook contacts list.
It works only on computers on which the Windows Scripting Host (WSH) is installed. In Windows 98 and Windows 2000, WHS is installed by default. To spread itself, the worm accesses MS Outlook and uses its functions and address lists. This is available in Outlook 98/2000 only, so the worm is able to spread only in the case that one of these MS Oulook versions is installed.
The infected message in the original worm version appears as follows:
Subject = "Mawanella"
Body = "Mawanella is one of the Sri Lanka's Muslim Village"
Attached file name = "Mawanella.vbs"

If a computer doesn't have MS Outlook installed, the worm simply displays a message:
Please Forward this to everyone
After spreading, the worm displays the following message:

The worm doesn't mark infected computers in any way, thus it will send infected messages each time a user activates the worm's VBS file.

I-Worm.Melare

Description I-Worm.Melare
Melare is a worm virus spreading via the Internet as an e-mail attachment. The worm itself is a Windows PE EXE file about 6KB in length when compressed by UPX, the decompressed size is about 15KB. It is written in Visual Basic.
The worm activates from infected email only if a user clicks on the attached file. Note that the real attached .EXE file name is hidden by a false .JPG name. As a result the infected .EXE file is displayed as a .JPG image file (picture), though upon opening this attachment it is executed as true EXE file. When launched from MS Outlook 97 SP2 such attached files are blocked (in the default mode).
The worm then installs itself into the system, runs its spreading routine and payload.
Installation
While installing the worm copies itself to the Windows directory under the name csrss.EXE and registers this file in the system registry auto-run key:
HKLMSoftwareMicrosoftWindowsCurrentVersionRun
SystemSARS32 = %WindowsDir%csrss.EXE

Spreading
To send infected messages the worm uses MS Outlook and sends messages to all the addresses found in the Outlook address book.
Infected messages have the following attributes:

The beginning of the message body text may be covered by a "JPG attach" icon.
Payload
On the 1st, 4th, 8th, 12th, 16th, 20th, 24th and 28th of each month the worm deletes all *.DLL, *.NLS, *.OCX files in the current directory (in most cases this would be the Windows directory).

Home