Virus Database

SuiGeneris.577

Description SuiGeneris.577

It is a dangerous memory resident parasitic virus. It hooks INT 21h and writes itself to the end of EXE files that are accessed. The virus has a bug and may corrupt files while infecting them. Depending on the system timer the virus displays the message:
Virus SUI GENERIS. Escrito por Javier en Paraguay.
Dedicado al gran grupo de rock argentino SUI GENERIS.

Check other viruses! Be aware! Use Antiviral Software

I-Worm.Pepex.a

Description I-Worm.Pepex.a
"Pepex" is a worm virus spreading via the Internet as an attachment to infected emails and also through the Kazaa network and IRC channels.
The worm itself is a Windows PE EXE file about 32KB in length (when compressed by UPX, the decompressed size is about 80KB). "Pepex" is written in Microsoft Visual C++.
Infected messages have the following message field attributes:
From: "Microsoft" < information@microsoft.com >
Reply-To: "Microsoft" < microsoft@microsoft.com >
Subject: Internet Explorer vulnerability patch
Body: You will find all you need in the attachment.
Attach: setup.exe

The worm activates from infected emails only when a user clicks on the attached file. 'Pepex' then installs itself to the system and runs its spreading routines.
Installing
While installing, the worm copies itself to the Windows system directory with the winsys???.exe name (where '???' is a random three-digit number) and registers this file in the system registry auto-run key:
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun
Windows task32 sys = %SystemDir%winsys???.exe

Above, %SystemDir% represents the Windows System directory path.
The worm then creates a ZIP archive with its "winsys???.exe" copy inside. The archive is created with the help of the WinZip32 utility (if it is installed). The archive name is "win32sys???.zip" (where '???' is the same random number). This archive is used later to spread through IRC channels.
The worm also creates a system registry key to mark already infected systems:
HKEY_LOCAL_MACHINESoftwareRedCell
infected = yes
The worm also looks for active processes that have "AV" or "av" letters in their names (anti-virus programs) and tries to terminate them.
Spreading: EMail

To send infected messages the worm uses a direct connection to an SMTP server (if it is registered), or to the "smtp.barrysworld.com" server. To get victim emails the worm scans files with the ".htm" extension in the "Temporary Internet Files" directory. While spreading the worm also creates a file named C:Msbootlog.sys to where its MIME encoded copy is written.
Spreading: IRC

The worm creates the SCRIPT.INI file in mIRC directory and writes a command to it. This command sends infected "win32sys???.zip" file (see above) to IRC users that join infected channel.
Spreading: Kazaa

The worm copies itself to Kazaa directory with a randomly selected name:
icq2002.exe
wincrack.exe mirc6.exe

Other
After installation the worm displays a fake error message:

I-Worm.Petik

Description I-Worm.Petik

This is an Internet worm that spreads as an 8Kb MADCOW.EXE file attached to e-mail messages. To send infected messages, the worm uses MS Outlook. The worm also is able to send its copies to IRC channels by infecting an mIRC client.
First Run
When the worm is started for the first time (if a user clicks on the EXE attachment to the message, or accepts an IRC download), the worm copies itself to two files:
the Windows system directory with Wininet32.exe name

the Windows directory with MadCow.exe name
and registeres a MadCow.exe file in the auto-run section:
in the WIN.INI file, [windows] section, "run=" key - under Win9x
in the system registry in "Run=" key - under WinNT
The worm then creates a C:WIN32 directory and creates two files here (DOS batch file and VBS script program):
ENVOIE.BAT - it just spawns an ENVOIE.VBS file (next file)
ENVOIE.VBS - this script spreads the worm with infected messages
While spreading, the script connects to MS Outlook and sends infected e-mail messages to all addresses in the MS Outlook Address Book. The messages contain the following:
Subject: Pourquoi les vaches sont-elles folles ?
Body: Voila un rapport expliquant la folie des vaches
Attachment: MadCow.exe
Second Run
Upon the next start (next Windows restart), the worm creates its copy with the MadCow.exe name in the C:WIN32 directory, and then infects an mIRC client in the following directories:
C:MIRCC:MIRC32C:Program FilesMIRC
C:Program FilesMIRC32
The infected mIRC client sends a worm copy (MadCow.exe file) to all users that join the infected channel.
Other
The worm creates the registry key: HKLMSoftware[Atchoum]
If there is no mIRC client found in the system, the worm creates the MSLS.ICO file in the Windows system directory, writes there an image of imp (devil) and registers as a standard icon for EXE files.
The worm also contains the following text stings in its body:
IWorm.MadCow par PetiK (c)2000
I Love You Maya / Je t'aime

Home