Virus Database


RedCode.1513

Description RedCode.1513

This is a non-dangerous, memory-resident, encrypted, parasitic stealth virus. It hooks INT 21h and appends itself to the end of COM files when they are closed. When an infected file is opened or debugged, the virus disinfects it. On January 1st the virus displays the following messages, runs a video effect and halts the computer:
Viral RedCode Implant
Today's contest between
Big Butt Gasso and Himmler Fewster
BIIIIIIG BUTT GASSSOOOOall WINSSSSS !!!
FEWSTER BANSSSSS GASSSSOOOOOOOO !!!

The virus also contains the text strings:
The RedCode virus by Wintermute/29A; yeah, not a kickass at all,
but with a funny payload, don't you agree ?
Watch the payload !


I-Worm.MyLife.f

Description I-Worm.MyLife.f

MyLife is a family of worms (different versions) spreading through the Internet as infected email attachments. The worms themselves are Windows PE EXE files, written in Visual Basic and compressed by the UPX file compression utility.
The worm is activated only if users click on the attachment. Once executed, MyLife installs itself into the system and runs its spreading routine.
When MyLife is launched for the first time, it shows a window with either a picture or a message, depending on the particular version.
[Figure: two possible MyLife pictures]


While installing, the worm copies itself to the Windows System directory and registers this copy in the system registry auto-run key.
MyLife uses Microsoft Outlook to send messages to all addresses found in the Microsoft Outlook Address Book.
File size : about 8Kb.
Decompressed file size : about 25Kb.
Email content:
Subject:
sexxxyyy Screen Saver
Body:
Hiiiii
How are youuuuuuuu?
look to the notepad it's vvvery verrrry ffffunny :-) :-)
i promise you will love it :-)
Notepad = list
list = 37
buyyyy
========No Viruse Found========
MCAFEE.COM
--------------------------------------------------------

Attachment name:
List480.TXT.scr
File name in the infected system:
%SystemDir%\List480.TXT.scr
Affected registry key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
sys=%SystemDir%\List480.TXT.scr
Visual effect: when the worm is launched for the first time it displays the following message:

Payload: MyLife checks the current date; if the current minute value is greater than or equal to 50, it executes format commands for disks D:, E:, F:, G:, H: and I:, and also deletes all files and directories on disk C:. Following these actions, the worm shows the following message:

I-Worm.Myparty

Description I-Worm.Myparty

This is a virus-worm that spreads via the Internet attached to infected e-mail. The worm itself is a Windows PE EXE file about 30Kb in length (compressed by UPX, 76K decompressed), and it is written in Microsoft Visual C++.
Infected messages appear as follows:

The worm activates from infected e-mail only when a user double-clicks on the attached file. The worm then installs itself to the system and runs a spreading routine.
Installing
While installing, the worm copies itself to:
c:\regctrl.exe - under Win9x/ME
c:\recycled\regctrl.exe - under WinNT/2K/XP

and spawns this copy. When the worm's file name is not ".com" (as in the attachment), but rather ".exe" (the worm is re-named), it also opens the Web page "http://www.disney.com".
The original file (as it was run from an infected e-mail) is moved to the Recycled or Recycler directory with one of the following names:
C:\RECYCLER\F-%1-%2-%3
C:\RECYCLED\F-%1-%2-%3

where %1, %2, %3 are randomly selected numbers, for example:
F-12158-19044-21300
F-27729-23255-31008

While installing, the worm checks the installed keyboard layouts, and when there is Russian keyboard support, it copies itself to Recycled/Recycler in the same way and exits. It does the same on any date other than 25-29 January 2002.
As a result, the worm works only from 25 until 29 January 2002, and only on machines without Russian keyboard support.
Spreading
To send infected messages, the worm uses a direct SMTP connection to an e-mail server. To obtain a victim's e-mail addresses, the worm scans WAB files (Windows Address Book) and *.DBX files (Outlook Express).
The worm also sends one e-mail (without an attachment) to "napster@gala.net".
Backdoor
Under WinNT/2000/all the worm also creates a new file in the user's auto-run directory:
%Userprofile%\Start Menu\Programs\Startup\msstask.exe
and writes a backdoor program there. This backdoor is controlled by data stored in a file at the Web site "http://209.151.250.170".
Known Variants
Myparty.b
This one is a slightly modified 'a' version. The differences are:
The attached file name is "myparty.photos.yahoo.com".
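
Both MyLife.f and Myparty.b depend on an attachment name that hides an executable extension (List480.TXT.scr, myparty.photos.yahoo.com). The mail-filter check below is an added example, not part of the original database entry; the extension lists and the function names are assumptions chosen for illustration.

```python
import re

# Extensions Windows executes directly on double-click (illustrative list).
EXECUTABLE_EXTS = {"scr", "com", "exe", "pif", "bat", "cmd"}
# Harmless-looking extensions used as an inner decoy (illustrative list).
DECOY_EXTS = {"txt", "doc", "jpg", "gif", "pdf", "htm", "html"}
HOST_LABEL = re.compile(r"^[a-z0-9-]+$")


def classify_attachment(filename):
    """Return the reasons an attachment name is deceptive (empty list if none)."""
    # Windows ignores trailing dots and spaces, so drop them before parsing.
    parts = filename.strip().rstrip(". ").lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return []
    reasons = ["executable-extension"]
    # Any inner label that is a document extension is a decoy; padding
    # spaces around it are tolerated.
    if any(p.strip() in DECOY_EXTS for p in parts[1:-1]):
        reasons.append("decoy-double-extension")
    # ".com" is a DOS executable extension, so a name shaped like a host
    # name (three or more labels ending in "com") runs when double-clicked.
    if (parts[-1] == "com" and len(parts) >= 3
            and all(HOST_LABEL.match(p) for p in parts[:-1])):
        reasons.append("looks-like-hostname")
    return reasons


def scan(filenames):
    """Map each flagged attachment name to its list of reasons."""
    flagged = {}
    for name in filenames:
        reasons = classify_attachment(name)
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    # The first two names are from the descriptions above; the rest are constructed.
    samples = ["List480.TXT.scr", "myparty.photos.yahoo.com",
               "report.txt", "minutes.doc"]
    for name, reasons in scan(samples).items():
        print(f"{name}: {', '.join(reasons)}")
```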

    Copyright © 2005 Virus-Database.com