Virus Database


Scorpion.2278

Description Scorpion.2278

It is a very dangerous non-memory-resident, encrypted, parasitic virus. When an infected file takes control, the virus infects the C:\COMMAND.COM file. It then searches for COM and EXE files and writes itself to the end of each file. While infecting C:\COMMAND.COM, the virus writes itself into the "hole" at the end of COMMAND.COM. As a result, the length of the C:\COMMAND.COM file stays the same.
The virus deletes the CHKLIST.MS file, if it exists. In some cases the virus searches for other files and deletes them. Depending on the system data and installed hardware, the virus formats the hard drive sectors, displays a message, hooks INT 1Ch and plays a tune. The message looks as follows:
+---------------------------+
¦ DEATH ON TWO LEGS V2.8 ¦
¦ (c) BLACK SCORPiON, 1996 ¦
¦ Written in Moscow ¦
+---------------------------+

The virus also contains the text strings:
*.* *.EXE *.COM
C:\COMMAND.COM
DEATH ON TWO LEGS WAS HERE


I-Worm.GOPWorm

Description I-Worm.GOPWorm

This is a virus-worm that spreads via the Internet attached to infected e-mails and through a local network by copying to shared drives. The worm itself is a Windows PE EXE file about 60Kb in length (compressed by UPX), and it is written in Delphi Microsoft Visual C++.
The worm is an improved variant of the PSW Trojan "GOPtrojan".
The infected message's Subject and Body are in Chinese. The attached file name varies and has a double extension:
filename.jpg.exe
filename.jpeg.exe
filename.gif.exe
filename.txt.exe
filename.doc.exe
filename.rtf.exe
filename.bmp.exe

To run from an infected message, the worm uses an IFrame security breach.
While installing, the worm uses the same method as "GOPtrojan"; the additional feature is an affected Registry key:
HKCR\exefile\shell\open\command
To send infected messages, the worm uses direct access to an SMTP server. The worm obtains victim e-mail addresses by scanning *.HTML, *.HTM, and *.JS files, as well as by scanning TheBat, Aerofox and RimArts e-mail databases.

I-Worm.Guorm.a

Description I-Worm.Guorm.a

This is an Internet worm that spreads itself as an attachment to e-mail messages. To send infected messages, the worm uses a VBS script and MS Outlook. The worm is also able to send its copies to IRC channels by infecting an mIRC client.
There are several versions of the worm. The first is a pure VBS script; another is a Windows executable file that drops a VBS script to infect e-mail messages; the third is an MS Word document with a macro-program inside. All of these worm versions have similar functionality and infect the system in very similar ways.
When the worm file is activated (by double clicking on an attached file in infected messages, or being accepted as an IRC download), it copies itself into the WINDOWS System directory with different names depending on the version:
USER.DLL, WINUSER.EXE
WINUSER.DLL, USER32.DLL.VBS
The worm does not register these files in the system, so they are not executed automatically.
The name of the Windows directory is hardcoded in the body of the first virus version (C:\WINDOWS\SYSTEM), so the virus is not able to spread if Windows is installed in another folder.
While mailing its copies, the worm drops a GUORM.VBS script file (or GUORMEX.VBS, depending on the version) to the Windows TEMP directory and spawns it. The script program connects to MS Outlook, gains access to the address book and sends worm copies to all addresses listed there. The worm messages contain:
Subject: You know what it is!. ;-P
Body: Hey, here you have!.
The attachment name differs depending on the worm version. The first worm version (sent as a Windows EXE file) has only one variant of the attached file name in infected messages: WINUSER.EXE
Other versions use a combination of randomly-selected names and extensions from the following variants:
Extensions: .VBS, .VBE, .TXT.VBS, .JPG.VBS, .AVI.VBS, .SCR.VBS
Names: links, cool, funny, anti-loveletter, guorm, pot, win2k, icq2k, money, funnypic.jpg, quake, Year2K+1, Mirc2K, Word2001, FunStuff, WindowsMe
To spread to IRC channels, the worm creates a SCRIPT.INI mIRC system file in the mIRC directory (if it is installed). This file contains a set of instructions that sends a worm file to everybody who enters an infected channel.
The worm contains the following "copyright" texts:
BrainMuscle + OldWary + KALAMAR
Guorm
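
Both I-Worm.GOPWorm and I-Worm.Guorm.a rely on attachment names with a decoy extension followed by an executable one. The following is an added example, not part of the original descriptions: a mail-filter check that parses a message and flags such names. The function names are hypothetical, the extension lists are the ones given in the two descriptions, and the sample message is constructed with dummy attachment bodies.

```python
import email
from email import policy
from email.message import EmailMessage

# Extension lists copied from the GOPWorm and Guorm.a descriptions on this page.
DECOY = {"jpg", "jpeg", "gif", "txt", "doc", "rtf", "bmp", "avi", "scr"}
EXECUTABLE = {"exe", "vbs", "vbe"}

def classify_name(filename):
    """Return 'double-extension', 'executable' or None (hypothetical helper)."""
    # Drop any path, then trailing dots/spaces, which Windows ignores in names.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    name = name.strip().rstrip(". ").lower()
    # Strip padding around each component: "a.jpg   .exe" is still a.jpg.exe.
    parts = [p.strip() for p in name.split(".")]
    if len(parts) < 2 or parts[-1] not in EXECUTABLE:
        return None
    if len(parts) >= 3 and parts[-2] in DECOY:
        return "double-extension"
    return "executable"

def scan_message(raw_bytes):
    """Parse a raw message; return [(filename, verdict)] for flagged parts."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        verdict = classify_name(filename) if filename else None
        if verdict:
            findings.append((filename, verdict))
    return findings

def build_sample(names):
    """Constructed test message with dummy attachment bodies, not a real sample."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("body text")
    for name in names:
        msg.add_attachment(b"dummy", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    raw = build_sample(["holiday.jpg.exe", "funnypic.jpg.VBS",
                        "report.doc", "WINUSER.EXE"])
    for filename, verdict in scan_message(raw):
        print(f"{verdict:17} {filename}")
```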

    Copyright © 2005 Virus-Database.com