Virus Database


Rlyeh.1178

Description Rlyeh.1178

It is a very dangerous non-memory-resident, encrypted, overwriting virus. It searches for COM files, then overwrites them. The virus displays the text:
+----------------------+-------------------------------------------------------+
| _ | Ph'nglui mglw'nafh Cthulhu R'lyeh wagn'nagl fhtagn. |
| /\___[X]___/ | In his house in R'lyeh dead Cthulhu waits dreaming. |
| / /| +-------------------------------------------------------+
| / / / | This virus demonstrates interrupt trapping, anti- |
| /\/ | |/ // | heuristic code, EXE/COM determination, executable |
| || || | data statements, heap use, code length determination, |
| _|| ||_ | simple (XOR) encryption, and overwriting replication. |
+----------------------+-------------------------------------------------------+
| FOR DEMONSTRATIONAL AND EDUCATIONAL PURPOSES ONLY · NOT FOR PUBLIC RELEASE |
+------------------------------------------------------------------------------+
ERROR: No infectable files found!
ACTIVE: Infection in


I-Worm.Heyya

Description I-Worm.Heyya

This is a worm that spreads as an attachment to e-mail messages and through IRC channels, infects PE EXE files (Win32 executable files) and VBS files, and inserts copies of itself into RAR and ARJ archives. The worm itself is a Win32 executable file about 28Kb in length, and it infects Win32 machines only.
The worm has many bugs, and in most cases it crashes the system or corrupts files while infecting them.
Installing
When an infected file is run, the worm copies itself to the Windows system directory under a name selected randomly from the following list, depending on the current day:
napster.exe
newbillgates.exe
HonNaCigana2.exe
FreeSoftGSM.exe
game.exe
call.exe
To access that copy later by its name, the worm stores the name in the Registry key:
HKLM\SOFTWARE\InfluenzaLab
MicrosoftOE = %wormname%
where %wormname% is the file name of the worm copy (it is used below as well).
The worm also copies itself to the Windows directory under the name PornoChat.exe and registers that file in the Registry auto-run key:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MicrosoftOE = %WinDir%\PornoChat.exe
Updating
The worm is able to update itself. To do that, it sets the MS Internet Explorer start page to "www.volny.cz/radix16/flu/update.gif". As a result, that GIF file is downloaded to the affected machine each time Internet Explorer opens its start page. The worm then copies the file to C:\updateFLU.gif and processes it.
The file may not be an ordinary GIF image: the worm looks for data attached to the main GIF image data. The attached data has a special format. It may contain a list of e-mail addresses (stored in the C:\Heyya.txt file and used later) and/or an EXE file image.
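A defender can flag a GIF that carries attached data by walking its block structure to the trailer byte and checking whether anything follows it. The Python sketch below is an added example, not code from this page or from the worm; the function names and sample bytes are constructed, and because the page does not describe the format of the attached data, the check only reports its presence.

```python
import struct

def _skip_sub_blocks(data: bytes, pos: int) -> int:
    """Skip a chain of length-prefixed sub-blocks; return the offset after it."""
    while True:
        size = data[pos]
        pos += 1
        if size == 0:          # zero-length block terminates the chain
            return pos
        pos += size

def gif_trailing_data(data: bytes) -> bytes:
    """Return the bytes that follow the GIF trailer (b"" for a clean file)."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF file")
    try:
        flags = struct.unpack_from("<HHB", data, 6)[2]
        pos = 13                                   # header + logical screen descriptor
        if flags & 0x80:                           # global colour table present
            pos += 3 * (2 << (flags & 0x07))
        while True:
            block = data[pos]
            pos += 1
            if block == 0x3B:                      # trailer: the image ends here
                return data[pos:]
            if block == 0x21:                      # extension: label, then sub-blocks
                pos = _skip_sub_blocks(data, pos + 1)
            elif block == 0x2C:                    # image descriptor
                flags = data[pos + 8]
                pos += 9
                if flags & 0x80:                   # local colour table present
                    pos += 3 * (2 << (flags & 0x07))
                pos = _skip_sub_blocks(data, pos + 1)   # +1 skips LZW code size
            else:
                raise ValueError(f"unexpected block 0x{block:02x} at offset {pos - 1}")
    except (IndexError, struct.error):
        raise ValueError("truncated GIF: no trailer found") from None

# Constructed 1x1 sample image; its pixel data deliberately contains a 0x3B byte,
# which is why the structure is walked instead of searching for the last ";".
CLEAN_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00" + b"\x00\x00\x00\xff\xff\xff"
             + b",\x00\x00\x00\x00\x01\x00\x01\x00\x00" + b"\x02\x02\x3b\x01\x00" + b";")
APPENDED = b"CONSTRUCTED-PLACEHOLDER-DATA"          # stands in for attached data

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_GIF), ("modified", CLEAN_GIF + APPENDED)):
        extra = gif_trailing_data(blob)
        print(f"{name}: {len(extra)} byte(s) after trailer")
```

Bytes after the trailer are not proof of malice on their own; treat a hit as a reason to inspect the file.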

I-Worm.Homepage

Description I-Worm.Homepage

This is an Internet worm that spread widely on 9 May 2001. The worm is written in the Visual Basic Script language (VBS) and spreads as a "homepage.HTML.vbs" file attached to an e-mail message.
This is a typical Loveletter-like VBS worm, but it is encrypted (encoded) to bypass heuristic scanners.
This worm spreads via e-mail by sending infected messages from infected computers. While spreading, the worm uses MS Outlook and sends itself to all addresses that are stored in the MS Outlook Address Book. As a result, an infected computer sends as many messages as there are addresses in the MS Outlook contacts list.
It works only on computers on which the Windows Scripting Host (WSH) is installed. In Windows 98 and Windows 2000, WSH is installed by default. To spread itself, the worm accesses MS Outlook and uses its functions and address lists. This is available in Outlook 98/2000 only, so the worm is able to spread only if one of these MS Outlook versions is installed.
The infected message in the original worm version appears as follows:
Subject = "Homepage"
Body = Hi!
You've got to see this page! It's really cool ;O)
After spreading, the worm randomly opens one of four adult-orientated/pornographic pages to keep the user unaware.
To avoid spreading from the same machine twice, it creates the "HKCU\software\Anmailed" registry key and writes a "1" value there.





    Copyright © 2005 Virus-Database.com