RIP.3214
Description RIP.3214
It is a dangerous memory-resident parasitic virus. While an infected program is executing, the virus searches for .COM files and writes itself to the end of the file. It then hooks INT 1Ch, 20h, 21h, 27h, 2Fh and infects .COM files that are executed. In some cases the virus erases files on the disk and displays the message:

RADiCAL_iNVADiNG_PARASiTE(RiP)-ViRUS, iN 94/95 BY AeMlSc, SAYZ Hi 2 U!
The virus also contains the text strings: *.COM COMMAND DELTREE /Y >NIL:
I-Worm.Petik.b
Description I-Worm.Petik.b
This is an Internet worm that spreads as a 6.5Kb NETFRIENDS.EXE file attached to e-mail messages. To send infected messages, the worm uses MS Outlook. The worm is also able to send copies of itself to IRC channels by infecting the mIRC client.

When the worm starts (if a user clicks on the EXE attached to the message, or accepts an IRC download), it copies itself to the Windows system directory under the names Iesetup.exe and NetFriends.exe. The Iesetup.exe file is then registered in the auto-run section:

- under Win9x: in the WIN.INI file, [windows] section, "run=" key
- under WinNT: in the system registry, in the "Run=" key

The worm then creates the C:\Friends directory, creates the MAYA.VBS script file there and spawns it. This script file then spreads the worm by e-mail: it connects to MS Outlook and sends infected messages to all addresses in the MS Outlook Address Book. The messages contain:

Subject: Would you like a Net Friend ?
Body: Look at this zip file to find a Net Friend
Attachments: NetFriends.exe

The worm then affects the mIRC client in the following directories:

C:\MIRC
C:\MIRC32

The infected mIRC client sends a copy of the worm (the Iesetup.exe file) to all users that join the infected channel.

The worm then displays the following fake error message:

WinZip Self-Extractor
WinZip Self-Extractor header corrupt. Possible cause: bad disk or file transfer error

The worm also modifies the following registry keys:

HKLM\Software\Microsoft\Windows\CurrentVersion
RegisteredOwner = Maya, Laurent, Etienne
RegisteredOrganization = PetiK Corporation

On the 5th of each month, the worm displays the following message:

I-Worm.Friends Coded by PetiK (c)2001 To my friends Maya and Laurent
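A triage check for the Win9x auto-run registration described above, as an added example that is not part of the original description. The sample WIN.INI contents are constructed, and the splitting of "run=" entries on spaces or commas is an assumption.

```python
import configparser
import ntpath
import re

# Names the description gives for the worm's copies in the Windows system directory.
PETIK_NAMES = {"iesetup.exe", "netfriends.exe"}

def winini_run_entries(text):
    """Return the programs listed under run= in the [windows] section of WIN.INI text."""
    cp = configparser.ConfigParser(strict=False, interpolation=None,
                                   allow_no_value=True, delimiters=("=",))
    cp.read_string(text)
    for section in cp.sections():  # configparser section names are case-sensitive
        if section.lower() == "windows":
            # Option names are lowercased by configparser, so Run= and run= both match.
            value = cp.get(section, "run", fallback="") or ""
            # Assumption: entries are separated by spaces or commas.
            return [e for e in re.split(r"[,\s]+", value) if e]
    return []

def flag_petik(text):
    """Return run= entries whose file name matches a name used by the worm."""
    return [e for e in winini_run_entries(text)
            if ntpath.basename(e).lower() in PETIK_NAMES]

# Constructed sample: a WIN.INI with the worm's auto-run entry next to a benign one.
SAMPLE_INFECTED = r"""[windows]
load=
run=C:\WINDOWS\SYSTEM\Iesetup.exe C:\TOOLS\clock.exe
NullPort=None

[Desktop]
Wallpaper=(None)
"""

# Constructed sample: a WIN.INI with an empty run= key.
SAMPLE_CLEAN = """[windows]
load=
run=
"""

if __name__ == "__main__":
    print(flag_petik(SAMPLE_INFECTED))
    print(flag_petik(SAMPLE_CLEAN))
```

A match on file name alone is a lead for further inspection, not a verdict, since the check does not examine the file itself.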
I-Worm.PIF.Fable
Description I-Worm.PIF.Fable
This is the first known Internet worm executed as a PIF file (Windows Program Information File). The worm body is a standard Windows PIF file, but with a special routine inside. In infected systems, the worm can be found in three different forms:

- as a PIF file itself
- as a DOS BAT file spreading on a local computer
- as an INI script to spread through IRC channels

All three of these components are the same file, but with different names and extensions. They are handled by the system in different ways (as a PIF file, as a DOS batch program, as an mIRC script) and their functionality is different. The worm also drops a VBS script helper file to spread by e-mail.

After running, the FABLE.PIF worm file makes two copies of itself with the names C:\TEST.BAT and %WinDir%\BackUp570.pif. Then it executes C:\TEST.BAT, which runs as a DOS batch file. This batch file makes several more copies in different directories and with different names. There are more than 30 files, for example:

%WinDir%\Command\MS_Dos_Prompt.pif
%WinDir%\MS_Dos_Prompt.pif
%WinDir%\Game.pif
%WinDir%\MrBat.bat
%WinDir%\Plans.bat
%WinDir%\Tasks\Default.bat

Some of these files have the attributes "Hidden" and "Read-Only."

Separately, the worm creates INI files for mIRC clients and VBS script files:

%WinDir%\Blah.vbs
%WinDir%\Blah2.vbs
C:\mIRC\Script.ini
C:\Program Files\Script.ini

The INI file is used for spreading through IRC channels. The VBS script creates the WINSTART.BAT file in the Windows directory, containing commands that run a copy of the worm when the operating system starts. After that, the script uses the Outlook API to create and send a message to every recipient in the Address Book. The message has a subject chosen at random from the following texts:

Fable
Something You Should Read
Very Important That You Receive This

The body of the message consists of one of two phrases:

A nice little fable
Wanted to make sure you received this

The FABLE.PIF file is attached to every message.
After the messages have been sent, the worm displays the following text message:

The Grasshopper and the Owl

An Owl, accustomed to feed at night and to sleep during the day, was greatly disturbed by the noise of a Grasshopper and earnestly besought her to stop chirping. The Grasshopper refused to desist, and chirped louder and louder the more the Owl entreated. When she saw that she could get no redress and that her words were despised, the Owl attacked the chatterer by a stratagem. "Since I cannot sleep," she said, "on account of your song which, believe me, is sweet as the lyre of Apollo, I shall indulge myself in drinking some nectar which Pallas lately gave me. If you do not dislike it, come to me and we will drink it together." The Grasshopper, who was thirsty, and pleased with the praise of her voice, eagerly flew up. The Owl came forth from her hollow, seized her, and put her to death.