Virus Database

Suicide.2048

Description Suicide.2048

It is not a dangerous nonmemory resident encrypted parasitic virus. It searches for COM and EXE files, then writes itself to the end of the file. It contains the text strings:
*.COM *.EXE ..
[Suicide]
Written by Dark Angel of PHALCON/SKISM
Ross M. Greenberg blows goats.

Sometimes it displays:
Your PC has been infected by the Suicide virus.
I would disinfect myself, but I despise DOS 2.X
Upgrade now! Brought to you by PHALCON/SKISM

It also display a picture with the text:
Your PC has been infected by the Suicide virus.
I will now kill myself. Press D to disinfect.
Hard at work to make your life
a living hell

and waits for a keystroke. In case of 'D' key this virus disinfects the infected file.

Check other viruses! Be aware! Use Antiviral Software

I-Worm.Plexus.b

Description I-Worm.Plexus.b

I-Worm.Plexus.b spreads via local networks and the Internet as an attachment to infected messages. It also spreads via file-sharing networks, and exploits a vulnerability in MS Windows LSASS. It is very similar to I-Worm.Plexus.a, with a few insignificant differences.
The worm is written in Microsoft Visual C++, and is 69632 bytes in size.
Installation
On launching, Plexus.b copies itself to the WindowsSystem32 folder under the upu.exe. It then installs a file named setupex.exe to the WindowsSystem32 folder, and a file named svchost.exe to the Windows root directory.
Setupex.exe is TrojanProxy.Win32.Webber.h, a Trojan proxy program. The program is writtten in Microsoft Visual C++, and is 47779 bytes in size. svchost.exe is the main module of Plexus.b. It is written in Microsoft Visual C++ and compressed using FSG. The compressed file is 16224 bytes in size and 57857 bytes when decompressed. The text inside this file is encrypted, and contains the line:
"-== KAV I'm Expletus !!!. Made in China. ==-"
The worm registers this file in the system register auto-run key:
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
InternetServ=path to executable file
It also creates the mutex Expletus.b, to flag its presence in the system, ensuring that only one copy of the worm can be executed.
Propagation via local and file sharing networks.
The worm copies itself to the file-sharing folder and to all accessible network resources under the following names:
AVP5.xcrack.exe
InternetOptimizer1.05b.exe
Shrek_2.exe
ICQ04noimageCrk.exe
UnNukeit9xNT.exe
YahooDBMails.exe
hx00def.exe
ICQBomber.exe
The worm is otherwise identical to I-Worm.Plexus.a

I-Worm.Pnguin

Description I-Worm.Pnguin

This worm spreads in e-mail messages and via IRC channels. It is related to the Angela multipartite virus, and IRC and e-mail compenents of the worm are detected as "Angela" components.
When run, the worm first of all copies itself to the Windows system directory with the hardcoded name:
C:WINDOWSSYSTEMPNGUIN.SCR
To send its copies in an e-mail message, the worm creates a TEMP.VBS file with an additional VisualBasicSctipt program and spawns it. The program in the script accesses MS Outlook, obtains address book records, and sends a worm copy (with PNGUIN.SCR name) to first 20 addresses that are found there. The message contains:
Subject: Finally found it!
Body: Here are the files you asked me forall
Attachment name: PNGUIN.SCR
The script then deletes its VBS file.
To infect IRC channels, the worm creates the SCRIPT.INI file in the C:MIRC directory. That script sends the PNGUIN.SCR file to all users that join the infected IRC channel.

Home