Rch.1138
Description Rch.1138
This is a benign memory resident polymorphic parasitic virus. It hooks INT 9, 21h and writes itself to the end of COM and EXE files that are executed or opened. On May 20th the virus inserts the following text into the keyboard buffer (i.e. simulates user input):
"Just a joke,Don't mind!"---Rch
Check other viruses! Be aware! Use Antiviral Software
IRC-Worm.Radex
Description IRC-Worm.Radex
This is a virus-worm that spreads via IRC channels. The worm itself is a batch-script file about 3 Kb in length.
The worm copies itself to the following batch files:
C:Windowswinstart.bat
C:WindowsLINUX_SH_DOS_BAT_WIN_JS.bat
C:Win95LINUX_SH_DOS_BAT_WIN_JS.bat
C:Win98LINUX_SH_DOS_BAT_WIN_JS.bat
C:WinMELINUX_SH_DOS_BAT_WIN_JS.bat
The batch file drops and executes the JS file LINUX_SH_DOS_BAT_WIN_JS.JS. This JS file displays a dialogue window with the following Title/Subject:
Radix16/SMF
SH-BAT-JS
After this, the worm creates and sends the new e-mail message to the following address:
Radix16@atlas.cz
The infected messages contain the following:
Subject: SHBATJS
Body: crazzy bat :) testing MS OTLOOK in the (WORLD)
Attach: LINUX_SH_DOS_BAT_WIN_JS.bat
The virus-worm also creates the file C:MIRCSCRIPT.INI. This INI file sends the batch file to the IRC channels.
Installing
While installing, the worm copies its JS component to the Windows directory with the name C:WINDOWSLINUX_SH_DOS_BAT_WIN_JS.JS, and registers this file in the WIN.INI run section.
The worm also contains the following text strings:
# /bin/sh
-=LINUX START=-
-=DOS/WIN START=-
ONLY SAMPLE (TEST) LINUX SH DOS BAT WIN JS all........
WoRlD iS mY
IRC-Worm.Readme.1077
Description IRC-Worm.Readme.1077
This is an IRC worm spreading through IRC channels and using the mIRC client for spreading. The worm appears on a computer as the README.EXE DOS program. When this file is executed by a user, the virus installs itself resident into DOS memory and infects DOS COM files (except COMMAND.COM) that are executed. The virus is encrypted in infected files, and its code is placed at the end of files.
The virus also creates its "dropper" README.EXE on the C: drive (this file has a "hidden" attribute) and "registers" it in the C:AUTOEXEC.BAT in the very first lines: they contain an instruction to execute virus the dropper upon each rebooting.
To spread through mIRC channels, the virus searches for the C:INTERNETMIRCdirectory and creates a SCRIPT.INI file there that contains just one command for sending the README.EXE dropper to anybody joining the infected channel.
The worm contains the following text strings:
;-)x
whose name means dark matter vir-L
|