Virus Database

Radio.2076

Description Radio.2076

It is not a dangerous memory resident parasitic polymorphic virus. It hooks INT 9, 1Ch, 21h and writes itself to the end of COM and EXE files (except W*.* and AI*.*) that are executed or opened. Depending on its counter (approx. in 6 minutes after activation) the virus displays a message in Russian. On Alt-Ctrl-Del the virus displays the picture:
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
BERZIN FANS CLUB PRESENT
XX XX XX XX XXXXXX XXXXXX XXXXXXX
XXX XXX XX XX XX XX XX XX XX
XX X X XX XX XXX XX XX XXXXX XX XX
XX X XX XX X XX XXXXXX XX XXXXXXX
XX XX XXX XX XX XX XX XX
XX XX XX XX XX XXXXXX XX XX
TEL:(095)434-00-00 OR 03
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Check other viruses! Be aware! Use Antiviral Software

I-Worm.Moncher

Description I-Worm.Moncher

This is an Internet worm that spreads via e-mails attached as a EXE or ZIP file. The worm itself is a Win32 executable file about 37Kb in length, and written in Visual Basic. The worm is also able to spread via IRC channels.
When the worm's EXE file is being run from an attachment or from an IRC download directory, it registers itself in the system to run each time Windows starts up, and it sends infected messages. To hide itself, the worm displays two fake messages:
INSTALL
Install complete.

ERROR!
Unable to run program!
While installing into the system, the worm copies itself to the Windows directory with the WINHLP.EXE name, creates the VBS script file "helper" OUTLOOKHELP.VBS in the same directory, and registers these files in the Windows registry auto-run section:
HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun
WinProfile = %WinDir%winhlp.exe

HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun
OutlookProfile = %WinDir%outlookhelp.vbs
where %WinDir% is the name of the Windows directory.
The first (EXE) file is the worm's main code, and the second (VBS) file is the e-mail spreading program.
When the VBS script is run, it connects to MS Outlook, obtains the addresses from the MS Outlook Address Book, and sends messages there. The message Subject, Body and Attachment appear as follows:
Subject: With Love
Body: Whit all my love for you. :)
Attach: Winhlp.exe èëè MonCherry.zip
The worm infects the mIRC client if it is installed in the C:MIRC directory. The worm writes a script to the SCRIPT.INI file in there that sends an infected WINHLP.EXE file to each user that enters the infected IRC channel.
On January 13th, the worm overwrites the C:AUTOEXEC.BAT file with a DOS batch program that will format the C: drive upon the next reboot.

I-Worm.MsWorld

Description I-Worm.MsWorld

This is email worm spreading by affecting MS Outlook. The worm itself is Win32 executable file about 130K of length. The worm is written in Visual Basic language.
When the worm file is run (double click on attached EXE file) it displays "miss World" pictures, for example:

and then runs spreading and two trojan routines.
To spread the worm uses a standard way. It connects to MS Outlook, gets up to 50 addresses from address book and sends messages to there. The messages have:
Subject: Miss World
Body: Hi, %èìÿ ïîëó÷àòåëÿ%
Enjoy the latest pictures of Miss World from various Country
The attached file has the name of original EXE file that was activated. The "original" EXE file name in which the worm was received is MSWORLD.EXE.
Next the worm appends to the end of C:AUTOEXEC.BAT file DOS batch commands that display the message:
This Everything for my Girl Friendall......, (CatEyes, KRSSL, SS Hostel)
and then format all local fixed drives.
The worm then tries to delete the system registry files and their backups:
SYSTEM.DAT, SYSTEM.DA0, USER.DAT, USER.DA0
Because .DAT these files are usually locked by system, the worm fails to delete them.
The worm then exits.

Home