Virus Database

RiftVilly family

Description RiftVilly family

These are harmless memory resident parasitic viruses. They hook INT 21h, and write themselves to the end of COM files. "RiftVilly.469" intercepts file access to DOS functions and infects COM files that are executed, opened or renamed; "RiftVilly.490" does the same with EXE files. "RiftVilly.480" intercepts a ChangeDir DOS function, and upon such calls, searches for .COM files in the current directory and infects them.
The viruses contain the following text strings:
"RiftVilly.469": Rift Villy v.3.4
"RiftVilly.480": Rift Villy v.3.1
"RiftVilly.490": Rift Villy v.4.0

Check other viruses! Be aware! Use Antiviral Software

I-Worm.Ligon

Description I-Worm.Ligon

This is an Win32 e-mail worm. The worm has two components:
Main: a Win32 application (PE EXE file) that is about 360K in size, and written in Delphi.
Helper: a VBS script program that intends to spread the worm over a local network.
The main worm component sends itself to other machines attached to e-mails as an EXE file that may have 16 different names (see below). While spreading, it uses MAPI to connect to an e-mailer.
The main component also drops an additional VBS script helper (local network worm) to a local disk and spawns it.
Main Component
When an infected file starts (being activated by a user from an infected message or from any other source), the worm copies itself into the Windows directory with "PCpower.exe" and into the Windows system directory with the "MyLinong.exe" name. The worm then drops the "MyLinong.VBS" file (VBS helper) into the Windows system directory.
These files are then registered in the system registry auto-run keys:
HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun
PCPower = %windir%PCpower.exe
MyLinong = %winsystemdir%MyLinong.exe
Linong = %winsystemdir%MyLinong.vbs
The EXE files are two worm copies, and they will be activated by Windows upon each restart. The VBS file is a VisualBasic script program (see below).
Spreading
To spread, the worm scans the Inbox for the 50 first messages, obtains messages that have at least one attached file, and replies with an infected message. The infected message has a Subject, Body and Attached file that is randomly selected from 16 variants:
Attached file names:
CFusion.Exe
PatchFusion.exe
MyLinong.Exe
Light up the night.exe
StarMild.exe
Kiss.Exe
Sexy.Exe
Popeye.exe
Olive.exe
BullBull.exe
Moly.exe
Lovely.exe
868879.exe
help.exe
BillGate
Mikropos
Subjects:
Info From CFusion
Patch Your CFusion
Still Remember You
Light Up The Night
Man Choice
Kiss Me
Sexy Model
Popeye Cartoon
Olive & Popeye
MyGirlFriend Dogs
My Girl Friend' Dogs
Sweet Lovely
Password
Need Help
Bill
Mikropos
Message bodies:
You can update your Cfusion Online For Free
Are You Ready Fix Your Cfusion,Please Update
She is MY sexy Linong
Light up The Night PARTYall
Are You Man or women. This is The sponsor from our site The man choice
100 way to kiss your GirlFriend or your boyfriend
Did you ever see the sexy girls like her
The New Popeye New Cartoon NetWork
Olive And Popeye Cartoon
Nice dog...
Good Dog and Smart dogs
My Icq Friend Sweet and Lovely
Here The list of Nude Password Website. All of them Still Active, and few of them are death password
Do you need help ? to get money over the internet. You can read the help
Bill..
The New Mikropos Software From Mikropos Network
Payload
The worm creates the following directories:
"C:Linong I Love U So Much Linong For ever My Love%n"
where %n are numbers from 0 to 500 (in some cases, the worm fails to create directories, so the upper limit of directory number may be less than 500).
The worm displays the following messages:
on June 25th:
Message From Me
Happy Birthday To MyLinong
Still Remember Me...
on July 22nd:
Today I want tell you Once again that
I LOVE U SO MUCH LINONG
Hey user, Please Help me to Tell the world
That I Love Her So Much
on November 14th:
Hi..Nong..I Love You So much.
But today we must Say GoodBye For ever
I wait U in the next Life, and Remember I Love You So Much
VBS Helper
This is a modification of the VBS e-mail worm "I-Worm.Linong" and works as a helper to the main EXE component.
When it is run by Windows (because it is registered in registry Run= key), it obtains the IP address of the local machine, and then scans the sub-net (for example, if the local machine's IP is 10.10.10.1, the worm will try to connect to all machines by using addresses 10.10.10.n, where 'n' is a number from 1 to 254).
In the case there are machines with such addresses, the worm tries to gain access to their C: drives and copy itself there to the following directories:
"C:"
"C:windowsstartm~1programsstartup"
"C:windows"
"C:windowsstart menuprogramsstartup"
(there is a bug in this routine, and the worm fails to perform this).
The worm then tries to send its EXE component from the infected machines, with the messages containing the following:
Subject: One of this mail
Body: True Story....
Attach: mylinong.exe
(this routine has a bug too, and the worm fails to spread itself).
The worm then, as well as "I-Worm.Linong", performs the following:
creates 600 empty directories Ñ:LINONG I LOVE YOU MY FOLDER%n (where %n is number from 1 to 600)
creates its copies with the following names:
%windows%mylinong.txt.shs
%windows%SYSTEMKern32Lin.vbs
%windows%Vbrun32DLL.vbs
%windows%SYSTEMmylinong.TXT.vbs
and registers a non-existing file in the system registry:
HKLMSoftwareMicrosoftWindowsCurrentVersionRunServices Vbrun32DLL = %windows%Win32DLL.vbs
The worm then creates an HTA file and opens it, which, as a result, displays the text:
I Love You
Linong
You are the love of my love, 5173n1n3ty31gh7
Almost One Year.., Miss U
01*29**879
01*29**868
*-*

I-Worm.Linong@@@I-Worm.Linong

This is an Internet VBS worm that spreads attached to e-mails. To spread the worm opens MS Outlook, gets access to address book, gets all addresses from there and sends itself to all these addresses. The infected

Description

I Love You, MyLinong - 5it3Ninty8

Home