Radyum.448
Description Radyum.448
These are harmless, non-memory-resident, encrypted parasitic viruses. They search for .COM files and write themselves to the end of each file. They contain the text strings: radyum, the attitude adjuster, brought to you by ViRuLeNT GRaFFiTi *.COM
"Radium.503,509" contains the string: lythyum, the attitude adjuster, ViRuLeNT GRaFFiTi
Some "Radium" variants create HELLO.RAD or LITHIUM.HI! files and write the following messages into them: "Radium.698": radyum-b, by the attitude adjuster, brought to you by ViRuLeNT GRaFFiTi 07/31/92 Greets to Gary Watson! look for us again in the future.
"Radium.707": radyum, version 2, by the attitude adjuster, brought to you by ViRuLeNT GRaFFiTi 07/31/92 Greets to Gary Watson! look for us again in the future.
"Radium.860": radyum-c, by the attitude adjuster, brought to you by ViRuLeNT GRaFFiTi 08/18/92 6 out of 16 bytes will keep the same position and value, not too bad in my book! greets to patti hoffman, i love you!
"Radium.1072" leaves a memory-resident program that hooks INT 8 (timer) and displays the messages: Unsuspecting user, 12 o'clock! Get readyall 'cause... THERE'S A VIRUS IN YOUR SOUP! From the guys that brought you Lythyum, Radyum, and VioLite comes The Soupy Virus, (k) 1992 VG Enterprises, 216/513/602/914/703 By The Attitude Adjuster & AccuPunk! Hurry! Hire an Anti-Virus Professional! Increase Wallet Space! ...hmmm, ya' know, I think I'll halt now... [Soupy] The Attitude Adjuster & AccuPunk, VG 08/23/92 to 12/02/92 Bad command or file name
I-Worm.Sircam
Description I-Worm.Sircam
This is a dangerous worm that spreads via the Internet and local networks. The worm itself is a Windows application written in Delphi, about 130K in size. While spreading, the worm may append additional DOC, XLS, ZIP and other files to its own file (see below), so the attached file can be larger than 130K. Upon being executed (for instance by clicking on the attached file), it installs itself into the system, then sends infected messages (with its attached copy), infects local network computers (if there are drives shared for full access) and, depending on the system date, runs its payload routine.

E-mail Spreading
The worm sends itself from infected machines as an attached file with a variable name and a double extension: filename.ext1.ext2, where "ext1" is one of DOC, XLS, ZIP or EXE, and "ext2" is randomly selected by the worm from PIF, LNK, BAT or COM. For example:
feb01.xls.pif
normas.doc.bat
The "filename.ext1" part comes from original files located on the infected machine: the worm looks for an "ext1" file on the machine and uses its name as the attachment name. The worm then reads that file's contents, appends them to itself and sends the result. So the infected files sent out from an infected machine consist of two parts:
1: the worm's EXE code;
2: appended extra data, a randomly selected DOC/XLS/ZIP/EXE file from the infected machine.
This appended file is later used by the worm to disguise its activity (see below). As a side effect, this "appended file" spreading method may cause disclosure of confidential information.
The message Subject is "filename" as above (exactly the "filename" part of the attached file's name). The Body can be in one of two languages, English or Spanish. The first and last lines of the message body are always the same:
first line: Hi! How are you? / Hola como estas ?
last line: See you later. Thanks / Nos vemos pronto, gracias.
The variants of text between these lines are:
I send you this file in order to have your advice
I hope you can help me with this file that I send
I hope you like the file that I send to you
This is the file with the information that you ask for
Te mando este archivo para que me des tu punto de vista
Espero me puedas ayudar con el archivo que te mando
Espero te guste este archivo que te mando
Este es el archivo con la información que me pediste
The worm obtains victims' e-mail addresses by scanning files that may contain them: SHO*, GET*, HOT*, *.HTM, *.WAB and some others. The results of the search are stored by the worm in fake DLL files in the system directory:
SCD.DLL contains the list of "ext1" files;
SCH1.DLL and SCI1.DLL contain the lists of e-mail addresses found in the scanned files.
SCT1.DLL and SCY1.DLL files may also be found in the system directory; the worm stores additional data there.
To send infected messages the worm connects to an SMTP server. It takes the SMTP server name from the default system settings. If it fails to get the default server, it tries the following ones:
dobleclick.com.mx
enlace.net
goeke.net

Installation to System
The worm copies itself to:
the RECYCLED directory on the drive where Windows is installed, with the name SirC32.exe (for example, with Windows in C:\WINDOWS, the file is C:\RECYCLED\SirC32.exe);
the Windows system directory, with the name SCam32.exe;
the Windows directory, with the name ScMx32.exe;
the Windows start-up directory, with the name "Microsoft Internet Office.exe".
Note that not all of these steps are performed on the worm's first start-up; some of the files are created later depending on different conditions. The attributes of all these files are then set to "Hidden". The first two files are then registered in the system registry auto-run keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Driver32 = %windows system directory%\SCam32.exe
HKCR\exefile\shell\open\command
SirC32.exe
The worm then extracts the appended "decoy" file (see above) to the Windows TEMP directory under its original "filename.ext1" name, and opens it with WINWORD.EXE or WORDPAD.EXE, EXCEL.EXE or WINZIP.EXE, depending on "ext1". The worm also creates an additional registry key, HKLM\SOFTWARE\SirCam, and stores its internal data there.

Network Spreading
To spread over a local network, the worm enumerates all network resources (obtains all shared directories on remote machines) and copies itself there. If there is a "\recycled" directory in the victim's shared directory, the worm copies itself into it with the SirC32.exe name:
\recycled\SirC32.exe
The worm then appends the following command to the end of the AUTOEXEC.BAT file:
@win \recycled\SirC32.exe
If there is a "Windows" directory, the worm renames RUNDLL32.EXE to RUN32.EXE and then overwrites the original RUNDLL32.EXE with its own copy. The worm then sets the hidden attribute on its copies.

Payload
Depending on the system date and time, in one case out of 20 the worm randomly deletes all files in all directories on the drive where Windows is installed, and removes all directories there as well. Upon each start-up, in one case out of 50, the worm randomly creates a SirCam.Sys file in the root of the current drive and writes one of the following texts there:
[SirCam_2rP_Ein_NoC_Rma_CuiTzeO_MicH_MeX]
[SirCam Version 1.0 Copyright L 2001 2rP Made in / Hecho en - Cuitzeo, Michoacan Mexico]
It appears that the worm writes these texts repeatedly to fill the free disk space. These strings (as well as most of the other text strings) are encrypted in the worm's body. Fortunately, there is a mistake in the virus code and these routines are not executed in this way. However, the first routine (erasing files on the Windows drive) is executed if the worm's copies SIRC32.EXE, SCAM32.EXE or RUNDLL32.EXE are renamed to any other name and run.
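As an added illustration (not part of the original description), the following Python mail-filter heuristic checks a message against the Sircam traits listed above: the filename.ext1.ext2 attachment naming, the Subject equal to the attachment's "filename", and the fixed first and last body lines. The sample message is constructed, and the three-indicator threshold in is_sircam_like is an assumption of this example.

```python
import re

# Attachment naming scheme from the description: filename.ext1.ext2
DECOY_EXT = {"doc", "xls", "zip", "exe"}   # ext1: the appended decoy document
EXEC_EXT = {"pif", "lnk", "bat", "com"}    # ext2: the extension that actually runs
DOUBLE_EXT = re.compile(r"^(?P<stem>[^.]+)\.(?P<ext1>[a-z]{3})\.(?P<ext2>[a-z]{3})$", re.I)

# Fixed first/last body lines and the eight middle-line variants quoted above
FIRST_LINES = {"Hi! How are you?", "Hola como estas ?"}
LAST_LINES = {"See you later. Thanks", "Nos vemos pronto, gracias."}
MIDDLE_LINES = {
    "I send you this file in order to have your advice",
    "I hope you can help me with this file that I send",
    "I hope you like the file that I send to you",
    "This is the file with the information that you ask for",
    "Te mando este archivo para que me des tu punto de vista",
    "Espero me puedas ayudar con el archivo que te mando",
    "Espero te guste este archivo que te mando",
    "Este es el archivo con la información que me pediste",
}

def sircam_indicators(subject, body, attachments):
    """Return the Sircam traits found in one message (empty list if none)."""
    hits = []
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    if lines and lines[0] in FIRST_LINES:
        hits.append("fixed-first-line")
    if lines and lines[-1] in LAST_LINES:
        hits.append("fixed-last-line")
    if any(ln in MIDDLE_LINES for ln in lines[1:-1]):
        hits.append("known-body-variant")
    for name in attachments:
        m = DOUBLE_EXT.match(name)
        if m and m["ext1"].lower() in DECOY_EXT and m["ext2"].lower() in EXEC_EXT:
            hits.append("double-extension:" + name)
            # The Subject is exactly the "filename" part of the attachment name
            if subject.strip() == m["stem"]:
                hits.append("subject-equals-attachment-stem")
    return hits

def is_sircam_like(subject, body, attachments):
    """Flag a message when the attachment pattern plus two other traits match (assumed threshold)."""
    hits = sircam_indicators(subject, body, attachments)
    return any(h.startswith("double-extension:") for h in hits) and len(hits) >= 3

# Constructed sample message in the worm's format (not a real capture)
SAMPLE = {"subject": "normas", "attachments": ["normas.doc.bat"],
          "body": "Hi! How are you?\n\nI hope you can help me with this file that I send\n\nSee you later. Thanks\n"}
```

Calling sircam_indicators(**SAMPLE) lists every matched trait, which is more useful in a mail log than the bare boolean from is_sircam_like(**SAMPLE).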
I-Worm.Sober.c
Description I-Worm.Sober.c
Sober.c is a worm that spreads via the Internet as an attachment to infected emails. The worm itself is a Windows PE EXE file about 73KB in size (the file size can be changed by the worm during installation). The worm file is compressed with UPX; the decompressed size is about 260KB. Infected messages have various subjects, body texts and attachment names. The attached file extension is randomly selected from "bat", "cmd", "pif", "scr", "exe" and "com". For example:
Subject: why me?
Body: You say in the www. that i'm a terrorist!!! No way out for you. I REPORT YOU ! You've said THAT about me
Attachment: terror-list.com
The worm activates from an infected email only if the user clicks on the attachment.

Installation
During installation the worm copies itself three times to the Windows system directory under random names and registers these files in the system registry auto-run keys:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"<random name>" = "%System%\<worm exe name>"
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"<random name>" = "%System%\<worm exe name>"
for example: "jv32dirxpcon = xqdrv.exe"
The worm then displays a fake error message.
Propagation
The worm looks for disk files with the following extensions:
htt rtf doc xls ini mdb txt htm html wab pst fdb cfg ldb eml abc ldif nab adp mdw mda mde ade sln dsw dsp vap php asp shtml shtm
and scans them for email-like text strings, then sends infected messages to the email addresses it finds using its own SMTP engine. The subject of infected emails is randomly selected from the following variants:
Sorry, that's your mail
hi, its me
Thank You very very much
you are an idiot
why me?
I hate you
Preliminary investigation were started
Your IP was logged
You use illegal File Sharing
all
A Trojan horse is on your PC
a trojan is on your computer!
Anime, Pokemon, Manga, ...
Registration confirmation
registration confirmation
The body text is selected from the following variants:
i'm very very sorry, anybody have sent your mail to my address.
sorry for my bad english, I am a Swede!
excuse for my bad english, but I'm a Dutchman
I've got your mail, but its came on my mail address??? i've read this mail ,,, sorry about that excuse for my bad english, but I'm a Dutchman I don't know how to start this! I'm dull,, can you test!? Here, the DigiCam photos. A few are overexposed. That you've killed this bastard. Your reward: That you have paid for me! And that's your
Caution: To all gamers A new worm spread via online gaming! You must change your internet configuration!! see: www.onlinegamerspro-worm.com set_config.
Attention: To all gamers More than 75.000 freeware games!!! Genre: -> 8500 online games = 3D Shooter, RPG, Action, Adventure, ... non online games: -> Action = 4200 games -> 3D Shooter's = 7500 games -> RPG's = 6800 games -> Adventure's = 5400 games -> ROM's for NES, SNES, PS1&2, GC ,GB, MD, SMS, .. = 29.000 ROM's - others = 16900 games all free!! Download and enjoy downloader.exe www.freegames4you-gzone.com
You say in the www. that i'm a terrorist!!! No way out for you. I REPORT YOU ! You've said THAT about me
Thanks for your registration. ( We say Sorry again, the first mail was delivered to an unknown mail address. This was a bug in our mailing system! ) The amount of 239.- USD was deducted by your xxx Welcome, you can now visit more than 1200 very very hot web pages! Your registration, pages and passwords are xxx in the attachment.
I said, I love you..,, and you said NOTHING. And now,,, Go Away From Me Here are my love-letter((s)) mock me mock me again and again . Enjoy it. blablabla GO!
You get the charge in writing, in the next days. In the next days you will receive the charge in writing. In the next days, you'll get the charge in writing. In the next days, you'll get the charge in writing.
Ladies and Gentlemen, Downloading of Movies, MP3s and Software is illegal and punishable by law. We hereby inform you that your computer was scanned under the IP xxx. The contents of your computer were confiscated as an evidence, and you will be indicated. In the next days, you'll get the charge in writing. In the Reference code: #xxx, are all files, that we found on your computer. The sender address of this mail was masked, xxx- You get more detailed information by the Federal Bureau of Investigation -FBI-- Department for Illegal Internet Downloads, Room 7350 - 935 Pennsylvania Avenue - Washington, DC 20535, USA - (202) 324-3000
In the next days, you'll get the charge in writing.
etc. The attachment name is also randomly selected.