Virus Database


Selectron Family

Description Selectron Family

These are not dangerous memory-resident parasitic viruses. They hook INT 21h and write themselves to the end of COM ("Selectron.1800") or EXE files that are executed or opened. They contain the text strings:
"Selectron.1112": (C) Selectronics Software
"Selectron.1258": Digouter"01/15/88"
(C) Selectronics Software
"Selectron.1800": (C) Selectronics Software
Virus has been disabled.
Countdown to Extinctionall

"Selectron.1112" also hooks INT 8 and INT 9. On Sundays, when Ctrl-Alt-Del is pressed, it manifests itself with video and sound effects.
"Selectron.1258" hooks INT 9, 10h and 1Ch. When run under a debugger, it beeps through the PC speaker and reboots the computer. When Ctrl-Alt-Del is pressed, it slowly turns the screen off using VGA card features.
"Selectron.1800" is encrypted. On Friday the 13th, or depending on the host file name, the virus displays:
Countdown to Extinction...

and manifests itself with the sound and video effects.


I-Worm.Lucky

Description I-Worm.Lucky

This is a family of Internet worms that spread via e-mail by sending infected messages from infected computers. While spreading, the worms use MS Outlook and send themselves to all addresses stored in the MS Outlook Address Book. As a result, an infected computer sends as many messages as there are addresses in the MS Outlook contacts list.
There are two known worm variants. Both have bugs in their code and are not able to spread, but these bugs could easily be fixed by a hacker.
The worms are written in the scripting language Visual Basic Script (VBS), and they work only on computers on which the Windows Scripting Host (WSH) is installed. In Windows 98 and Windows 2000, WSH is installed by default. To spread, the worms access MS Outlook and use its functions and address lists. This is possible in Outlook 98/2000 only, so the worms can spread only when one of these MS Outlook versions is installed.
Spreading
The worm arrives to a computer as an e-mail message with an attached VBS file that is the worm itself. The message in the original worm version contains:
The Subject: Prinz Charles Are Die
Message body: The newest Message for Cool User's. Lucky2000
Attached file name: COOL_NOTEPAD_DEMO.TXT.vbs
Depending on system settings, real extension of an attached file (".vbs") may not be shown. In this case, the filename of the attached file is displayed as "COOL_NOTEPAD_DEMO.TXT".
Upon being activated by a user (by double-clicking on the attached file), the worm displays the following message:
eXposed
eXposed is being installed
Then it creates a shortcut on the desktop to a PIF file that exits Windows. The worm points the shortcut icon at a non-existent file, so the shortcut gets the standard icon, a Windows flag on a white background. After this, the worm displays the following message:
CLICK THE BLUE BOTTLE ICON ON THE DESKTOP OR YOUR HARD DRIVE WILL BE LOST!
eXposed IS A VIRUS IT WILL DAMAGE YOUR COMPUTER
Then the worm begins spreading: it opens MS Outlook, gets access to the Address Book, gets all addresses from there and sends messages with its attached copy to all of them. The message subject, body and attached file name are the same as above.
The worm also installs itself into the system. It creates a copy of itself in the Windows directory under the name "Prinz_Charles_Are_Die.TXT.vbs".
This file is then registered in the Windows auto-run section of the system registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Prinz_Charles_Are_Die = Prinz_Charles.Are.Die.TXT.vbs
As a result, the worm is re-activated each time Windows boots up.
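The double-extension trick described above (the attachment shows as "COOL_NOTEPAD_DEMO.TXT" when known extensions are hidden) can be checked for mechanically. The following is an added example, not code from the original page; the DOCUMENT_EXTS list and the sample message are assumptions constructed for the example.

```python
# Added example, not code from the original page: mimic how the Windows shell
# shows a file name when "Hide extensions for known file types" is on, and flag
# attachments whose visible name hides a script or executable extension.
import email

# Extensions the shell or the Windows Scripting Host executes directly.
EXECUTABLE_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "exe", "scr", "pif", "bat", "com"}
# Extensions a user reads as harmless documents (this list is an assumption).
DOCUMENT_EXTS = {"txt", "doc", "rtf", "jpg", "gif", "htm", "html"}

def displayed_name(filename: str) -> str:
    """Name as shown with the last known extension hidden."""
    base, _, ext = filename.rpartition(".")
    if base and ext.lower() in EXECUTABLE_EXTS | DOCUMENT_EXTS:
        return base
    return filename

def is_disguised_script(filename: str) -> bool:
    """True when the real type is executable but the visible name ends in a
    document extension: COOL_NOTEPAD_DEMO.TXT.vbs shows as COOL_NOTEPAD_DEMO.TXT."""
    real_ext = filename.rpartition(".")[2].lower()
    shown = displayed_name(filename)
    shown_ext = shown.rpartition(".")[2].lower() if "." in shown else ""
    return real_ext in EXECUTABLE_EXTS and shown_ext in DOCUMENT_EXTS

def suspicious_attachments(raw_message: str) -> list:
    """Return the disguised attachment names found in an RFC 822 message."""
    msg = email.message_from_string(raw_message)
    return [part.get_filename() for part in msg.walk()
            if part.get_filename() and is_disguised_script(part.get_filename())]

# Constructed sample message laid out like the worm's (script body omitted).
SAMPLE = """From: sender@example.invalid
To: victim@example.invalid
Subject: Prinz Charles Are Die
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b"

--b
Content-Type: application/octet-stream; name="COOL_NOTEPAD_DEMO.TXT.vbs"
Content-Disposition: attachment; filename="COOL_NOTEPAD_DEMO.TXT.vbs"

' (script body omitted)
--b--
"""

if __name__ == "__main__":
    print(suspicious_attachments(SAMPLE))  # ['COOL_NOTEPAD_DEMO.TXT.vbs']
```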
Other variants
The worm itself is a text script program, and it is spread in text source form. The worm's code may easily be modified by hackers, and as a result many variants of the worm may have appeared. Usually only minor changes are made.
I-Worm.Lucky.b
This worm variant is very close to the first one. Upon being activated, it displays other messages:
Price
Price are here
and:
CLICK THE BLUE BOTTLE ICON ON THE DESKTOP AND YOU WIN ONE MILLION DOLLAR !!!
The infected message contains:
The Subject: Won_a_Price
Message body: One Million Dollar for you. Lucky2000
Attached file name: Won_a_Price.TXT.vbs

I-Worm.Magistr.a

Description I-Worm.Magistr.a

This is a very dangerous memory resident Win32 worm combined with virus infection routines. It spreads via the Internet with infected e-mails, infects Windows executable files on an infected machine (local machine), and is able to spread itself over a local network.
The virus has an extremely dangerous payload: depending on various conditions, it erases hard drive data, CMOS memory and Flash memory in the same way the Win95.CIH (aka Chernobyl) virus does.
The virus contains the following "copyright" text in its body:
ARF! ARF! I GOT YOU! v1rus: Judges Disemboweler.
by: The Judges Disemboweler. written in Malmo (Sweden)
The virus itself is about 30Kb in length and is written in Assembler, being very large for a virus written in pure Assembler language. This large size however is caused by the virus' Win32 EXE files infection algorithm, e-mail and network spreading routines, polymorphic engines (there are two), payload routines and many anti-debugging and other tricks used by the virus to make its detection and disinfection more difficult. Thus, this virus is one of the most complex viruses that are known at the moment.
The virus was found in-the-wild in the middle of March 2001.
Infected File Run
When the virus is run (for example, from an infected message when a user clicks on an infected attachment), it installs itself as memory resident in Windows memory, then runs in the background, lies dormant for a few minutes and runs its routines: local and network Win32 EXE file infection, e-mail spreading, etc.
To install itself as memory resident, the virus gains access to the EXPLORER.EXE process memory (the EXPLORER.EXE program image that is actually run and active in Win32 memory), patches it with a short 110-byte "loader" routine that runs the main virus code in EXPLORER's memory. So, the virus installs itself as memory resident as a component of the EXPLORER.EXE process, and then operates in the background (being run as EXPLORER's thread). Before running its routines, the virus lies dormant for 3 minutes.
The virus then obtains a file (usually the first file) in the Windows directory, infects it and registers this file in the Windows auto-run Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run and in the "run=" instruction of the [windows] section of the WIN.INI file. So, the virus code is activated upon each Windows restart.
This file is infected so that the host program is not activated after the virus is run (control is not returned to the host program, and an infected application just exits). Thus, the virus activates itself from the system Registry or from a WIN.INI file without any side effects (as an unasked-for application run upon each Windows start-up).
The virus then runs its infection routines, scanning directories and available drives for Win32 PE .EXE and .SCR files and infecting them. First of all, the virus tries the WINNT, WINDOWS, WIN95 and WIN98 directories and infects files there. This routine is activated at random, in 3 out of 4 cases.
Next, the virus scans all local drives and infects files in them.
The virus then enumerates network resources that are shared for full access, looks for WINNT, WINDOWS, WIN95, and WIN98 directories in there, and infects files in these directories. The virus also registers itself in there by writing a "run=" instruction to a WIN.INI file. Thus, remote Win9x systems are infected upon the next Windows start-up.
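Both worms on this page persist through the same two legacy locations: the HKLM Run key (I-Worm.Lucky's .vbs value above, and Magistr's infected file) and, for Magistr, the WIN.INI "run=" line on local and remote machines. The following is an added example, not code from the original page, that audits both from text collected off a suspect machine (a .reg export of the Run key and a copy of WIN.INI); the sample inputs are constructed and "ExampleTray"/"PLACEHOLDER.EXE" are placeholders.

```python
# Added example, not code from the original page: audit the two legacy autorun
# locations used by the worms above (HKLM Run key, WIN.INI run=/load=) from a
# .reg export and a WIN.INI copy. Sample inputs below are constructed.
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf")

def parse_reg_run(reg_text: str) -> list:
    """(value name, command) pairs found under the HKLM Run key of a .reg export."""
    entries, in_key = [], False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.strip("[]").lower() == RUN_KEY.lower()
        elif in_key and "=" in line:
            name, _, value = line.partition("=")
            entries.append((name.strip('"'), value.strip('"')))
    return entries

def parse_winini_run(ini_text: str) -> list:
    """(keyword, command) for non-empty run= and load= lines in [windows]."""
    entries, in_windows = [], False
    for line in ini_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_windows = line.lower() == "[windows]"
        elif in_windows:
            m = re.match(r"(run|load)\s*=\s*(\S.*)", line, re.I)
            if m:
                entries.append((m.group(1).lower(), m.group(2).strip()))
    return entries

def flagged_autoruns(reg_text: str, ini_text: str) -> list:
    """Flag Run values starting a script, and any WIN.INI run=/load= (rarely legitimate)."""
    flags = []
    for name, cmd in parse_reg_run(reg_text):
        if cmd.lower().rstrip('"').endswith(SCRIPT_EXTS):
            flags.append(f"registry Run value '{name}' starts a script: {cmd}")
    for kw, cmd in parse_winini_run(ini_text):
        flags.append(f"WIN.INI [windows] {kw}= is set: {cmd}")
    return flags

SAMPLE_REG = """Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]
"Prinz_Charles_Are_Die"="Prinz_Charles.Are.Die.TXT.vbs"
"ExampleTray"="C:\\\\Program Files\\\\Example\\\\tray.exe"
"""
SAMPLE_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\PLACEHOLDER.EXE\n[Desktop]\nWallpaper=none\n"
```

Calling flagged_autoruns(SAMPLE_REG, SAMPLE_INI) reports the .vbs Run value and the WIN.INI run= line, and leaves the ordinary .exe Run value alone.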
While processing the drives, the virus creates a special .DAT file for its own use. The file name and location depend on the network name of the current machine, for example:

Machine name    File name
WIN98           CQL98.DAT
PUPKIN          JEJOQL.DAT
CS-GOAT         WG-SKYF.DAT

This file is created in the Windows directory, in the Program Files directory, in the root directory of the C: drive, or in the root directory of the system drive.
Infecting Files
The virus infects PE EXE files (Win32 executables) in a complex and difficult-to-disinfect way. The virus encrypts its main code with a polymorphic engine and writes this to the end of the file. To gain control upon infected-file start-up, the virus patches a victim-program entry code with one more polymorphic routine that passes control to the end of the file to the main encrypted virus code.

The virus infection routine has bugs, and in some cases, it corrupts files while infecting. These files are not disinfectable and should be deleted.
E-mail spreading
To send infected e-mails, the virus reads from the system registry the settings of whichever of these three e-mail clients is installed:
Outlook Express
Netscape Messenger
Internet Mail and News
The virus then scans the e-mail database files, obtains e-mail addresses from them and sends its copies to those addresses.
The Subject is empty or randomly constructed from words and sentences that are found in .DOC and .TXT files in the system (the virus also scans local drives for these files and obtains texts from there). Also in a random manner, the virus uses words and sentences from the following list:
sentences you                  ayant délibéré
sentences him to               le présent arrêt
sentence you to                vu l',27h,'arrêt
ordered to prison              conformément à la loi
convict                        exécution provisoire
, judge                        rdonn
circuit judge                  audience publique
trial judge                    a fait constater
found guilty                   cadre de la procédure
find him guilty                magistrad
affirmed                       apelante
judgment of conviction         recurso de apelaci
verdict                        pena de arresto
guilty plea                    y condeno
trial court                    mando y firmo
trial chamber                  calidad de denunciante
sufficiency of proof           costas procesales
sufficiency of the evidence    diligencias previas
proceedings                    antecedentes de hecho
against the accused            hechos probados
habeas corpus                  sentencia
jugement                       comparecer
condamn                        juzgando
trouvons coupable              dictando la presente
à rembourse                    los autos
sous astreinte                 en autos
aux entiers dépens             denuncia presentada
aux dépens

While looking for .DOC files in the system, the virus may pick up an MS Word document file instead of a "pure" text file, so the "Subject" field may contain "garbage": random letters that the virus takes from the binary structure of MS Word documents.
The message may have no body (no text in the message), or a body constructed randomly in the same way as the Subject (see above).
The attached file name varies. The virus looks in the system for a PE .EXE or .SCR file of up to 132K in length, infects it and attaches it to the message.
In some cases, the virus fails to infect the file, and an "infected" e-mail message leaves the computer without an infected .EXE or .SCR file.
In one out of five cases, the virus also attaches a .DOC or .TXT file found in the system while it was scanning files for Subject and message body texts. So, a randomly selected .DOC or .TXT file may escape from the system, possibly disclosing confidential information.
All in all, the message the virus sends out of an infected PC contains the following:
a "strange" or empty Subject and message body
an .EXE or .SCR file (infected or clean)
possibly a second attached file, a .DOC or .TXT
While sending infected messages, the virus connects to one of three e-mail servers using the SMTP protocol and sends the messages through it.
In 4 out of 5 cases, the virus randomly corrupts the second letter of the sender name.
The virus stores ten e-mail addresses of already infected users (a history of spreading - the 10 most recent e-mail addresses the virus spread from) in its body. While spreading, the virus compares a victim's e-mail address with this list, and does not send messages to addresses that are already infected.
As a side effect, it is possible to reconstruct the "virus spreading history" - from whence it has spread, and which computers were infected.
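The message traits listed in this section (empty or legal-phrase Subject, empty body, a small .EXE/.SCR attachment, sometimes a .DOC/.TXT alongside) can be turned into a mail-gateway heuristic. The following is an added example, not code from the original page; the phrase list is a selection from the word list above, the 132K limit comes from the text, and the sample message with "PLACEHOLDER.SCR" and "notes.txt" is constructed.

```python
# Added example, not code from the original page: score a raw e-mail against the
# traits described above for messages Magistr sends. The phrase list is a
# selection from the word list quoted above; the sample message is constructed.
import email

LEGAL_PHRASES = ("sentences you", "sentence you to", "ordered to prison",
                 "found guilty", "judgment of conviction", "habeas corpus",
                 "ayant délibéré", "audience publique", "hechos probados")
MAX_EXE_SIZE = 132 * 1024  # the virus attaches .EXE/.SCR files of up to 132K

def magistr_indicators(raw_message: str) -> list:
    """Return the Magistr-like traits found in one RFC 822 message."""
    msg = email.message_from_string(raw_message)
    subject = (msg.get("Subject") or "").strip().lower()
    attachments, body = {}, ""
    for part in msg.walk():
        name = part.get_filename()
        if name:  # attachment: remember its extension and decoded size
            attachments[name] = (name.lower().rpartition(".")[2],
                                 len(part.get_payload(decode=True) or b""))
        elif part.get_content_type() == "text/plain":  # message body text
            body += part.get_payload(decode=True).decode("utf-8", "replace")
    exe = [n for n, (e, s) in attachments.items() if e in ("exe", "scr") and s <= MAX_EXE_SIZE]
    docs = [n for n, (e, _) in attachments.items() if e in ("doc", "txt")]
    found = []
    if not subject:
        found.append("empty subject")
    elif any(p in subject for p in LEGAL_PHRASES):
        found.append("subject built from the legal-phrase list")
    if not body.strip():
        found.append("empty body")
    if exe:
        found.append(f"small executable attachment: {exe[0]}")
        if docs:
            found.append(f"document attached alongside: {docs[0]}")
    return found

SAMPLE = """Subject: sentence you to ordered to prison
Content-Type: multipart/mixed; boundary="m"

--m
Content-Disposition: attachment; filename="PLACEHOLDER.SCR"

MZ(constructed stub bytes)
--m
Content-Disposition: attachment; filename="notes.txt"

constructed document text
--m--
"""
```

A message that returns the executable-attachment trait plus two more of the others is the kind a gateway would quarantine for review.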
Payload
Depending on its internal counters, the virus runs a routine that gains access to the Windows desktop and prevents mouse access to the icons on the desktop: when the mouse cursor is moved to an icon, the virus moves the icon away from the cursor, so the desktop icons appear to be trying to "escape" the mouse cursor.

One month after infecting the computer, the virus runs its payload routine that overwrites all disk files with the text "YOUARESHIT" on all local and network drives. Under Win9x, the virus also erases CMOS, Flash and hard drive data.
The virus then displays the message:
Another haughty bloodsucker.......
YOU THINK YOU ARE GOD ,
BUT YOU ARE ONLY A CHUNK OF SHIT

    Copyright © 2005 Virus-Database.com