Virus Database

StalkerX Constructor

Description StalkerX Constructor

StalkerX is a virus constructor that generates simple NewEXE (Windows) viruses. The viruses are named after the text that is included in the distribution package:
Create your own Windows
virus! This is a EASY
to use Windows Virus
creation kit.
Written By Stalker X

These viruses search for NewEXE files, and write themselves to the end of the file. Depending on their "generation" these viruses fill the screen with random data.

Check other viruses! Be aware! Use Antiviral Software

I-Worm.Sexer.b

Description I-Worm.Sexer.b
The Sexer.b Internet worm spreads via the Internet as an infected email attachment file named, KAVUtil.exe. The worm's code is written in Delphi, has a file size of 310KB and is compressed with PKLite32.
The infected file contains the following text (in Russian):

Sender address: support@kaspersky.com
Subject: õÔÉÌÉÔÁ ÄÌÑ ×ÙÑ×ÌÅÎÉÑ É ÕÄÁÌÅÎÉÑ ÐÏÞÔÏ×ÏÇÏ ÞÅÒ×Ñ I-Worm.Sexer

Message text:
÷ Ó×ÑÚÉ
Ó ÐÏÑ×ÌÅÎÉÅÍ × óÅÔÉ ÎÏ×ÏÇÏ ÐÏÞÔÏ×ÏÇÏ ÞÅÒ×Ñ I-Worm.Sexer ÐÒÅÄÌÁÇÁÅÍ
÷ÁÍ ÕÔÉÌÉÔÕ ÄÌÑ ×ÙÑ×ÌÅÎÉÑ É ÕÄÁÌÅÎÉÑ ÜÔÏÇÏ ÞÅÒ×Ñ ÉÚ ÓÉÓÔÅÍÙ.
ïÐÉÓÁÎÉÅ I-Worm.Sexer ÄÏÓÔÕÐÎÏ × ÷ÉÒÕÓÎÏÊ üÎÃÉËÌÏÐÅÄÉÉ ëÁÓÐÅÒÓËÏÇÏ ÐÏ ÁÄÒÅÓÕ:
http://www.viruslist.com/viruslist.html

file attachment: KAVUtil.exe

The Sexer worm only gains control if the attached file is opened (run).
Spreading
Sexer copies itself to the Program FilesCommon Filessystem directory under the name KAVUtil.exe and then registers itself in the system registry auto-run key with the following entry:

HKLMSoftwareMicrosoftWindowsCurrentVersionRun
KAVUtil = kavutil.exe

Sexer then creates the file KAV.bmp in the Program FilesCommon Filessystem directory. The system then installs this file as the desktop background image.
The worm searches the system registry for the key:

SoftwareMicrosoftWABWAB4Wab File Name

Sexer then sends itself out to all the email addresses found in the email client's address book. To physically mail itself, Sexer makes a direct connection with the SMTP server.

I-Worm.Shatrix

Description I-Worm.Shatrix

This is a virus-worm that spreads via the Internet attached to infected e-mails. The worm also spreads over a local network by copying to shared drives. The worm itself is a Windows PE EXE file about 380Kb in length, and is written in Delphi.
Infected messages contain:
Subject: FW:Shake a little
Body: Hi !
This will shake your world :-)
Regards,
%username%
Attachment: SHAKE.EXE

Where %username% is the name of the infected-machines's user.
The worm is activated from infected e-mail only when a user clicks on an attached file. The worm then installs itself to the system, runs its spreading routine and payload.
While installing, the worm copies itself to the Windows system directory with a random name, and registers that file in the system registry auto-run key:
HKLMSoftwareMicrosoftWindowsCurrentVersionRun SystemInfo = %worm file name%
To send infected messages, the worm uses MS Outlook MAPI. To obtain victim addresses, the worm looks for and scans the following files:
*.asp *.html *.htm
Depending on the system date, the worm creates random directories, and drops HTML files with texts randomly constructed from the following strings:
MatriX is out there
MatriX has Youall
MatriX is All around You
01001101011000010111010001110010011010

Home