Tigre.1800.a
Description Tigre.1800.a
This is a benign memory-resident encrypted parasitic virus. It hooks INT 9 and INT 21h and writes itself to the end of COM and EXE files that are executed or opened.

The virus deletes the files:

  C:\CHKLIST.MS
  C:\CHKLIST.CPS
  C:\ZZ##.IM
  anti-vir.dat
  ANTI-VIR.DAT

On October 21st, when the "Del" key is pressed, the virus displays the message:

  Virus TIGRE v1.0 - (c) 1995 Escrito por El Cancerbero [DAN] 17/02/95 - Argentina

It also contains the text string:

  DIGITAL ANARCHY
I-Worm.Blebla.a
Description I-Worm.Blebla.a
This is a worm virus spreading via the Internet. It was discovered in Poland on November 16, 2000.

The worm appears as an e-mail message in HTML format with two attached files: MYJULIET.CHM and MYROMEO.EXE. When an infected message is opened, the HTML part of it is executed. This part contains a script program that is automatically activated by Windows. By using a vulnerability in Windows scripting, the script program loads and activates the CHM component of the message (the MYJULIET.CHM file). That CHM component is itself a Compressed HTML page and contains one more script program. That second script executes the MYROMEO.EXE file, which is the main worm body. So the worm activates itself automatically when an infected message is opened or previewed.

To activate itself, the worm uses a vulnerability in Windows scripting security: the worm's HTML component is able to run an EXE component by a method that is listed as "safe for scripting," so no warning messages are displayed when the worm runs its components (under default Windows settings).

The main worm component (the MYROMEO.EXE file) is a Windows PE executable file about 30Kb in length. This file is compressed with the UPX compression utility. Once unpacked, it appears to be a 70Kb EXE file written in Delphi, and the "pure" code in the file occupies just about 6Kb. When it is run, it opens the Windows Address Book, reads e-mail addresses from it and sends its HTML message with the attached CHM and EXE files to those addresses.

The message has a Subject that is randomly selected from the following list:

  Romeo&Juliet :)))))) hello world !!??!?!? subject ble bla, bee I Love You ;) sorryall Hey you ! Matrix has you... my picture from shake-beer

The worm has a bug and doesn't work correctly under some Windows98/NT English editions. The worm is also able to spread only if Windows is installed in the C:\WINDOWS directory (that is hardcoded in the worm code).

Blebla.b

A remake of the original worm.
When started, it copies itself to the system under the name "c:\windows\sysrnj.exe" and creates and modifies many Registry keys to activate this copy:

  HKEY_CLASSES_ROOT\rnjfile
    DefaultIcon = %1
    shell\open\command = sysrnj.exe "%1" %*

This key causes the worm copy to run whenever "rnjfile" is referenced. The worm then modifies the following values under the key HKEY_CLASSES_ROOT:

  .exe = rnjfile
  .jpg = rnjfile
  .jpeg = rnjfile
  .jpe = rnjfile
  .bmp = rnjfile
  .gif = rnjfile
  .avi = rnjfile
  .mpg = rnjfile
  .mpeg = rnjfile
  .wmf = rnjfile
  .wma = rnjfile
  .wmv = rnjfile
  .mp3 = rnjfile
  .mp2 = rnjfile
  .vqf = rnjfile
  .doc = rnjfile
  .xls = rnjfile
  .zip = rnjfile
  .rar = rnjfile
  .lha = rnjfile
  .arj = rnjfile
  .reg = rnjfile

These values cause the worm copy to start when any file of the types listed above is opened.

The worm sends itself to the alt.comp.virus newsgroups with messages:

  From: "Romeo&Juliet" [romeo@juliet.v]
  Subject:[Romeo&Juliet] R.i.P.

When sending its copies to personal addresses, the worm uses an empty Subject, a randomly generated Subject, or one from the list:

  Romeo&Juliet where is my juliet ? where is my romeo ? hi last wish ??? lol :) ,,...' !!! newborn merry christmas! surprise ! Caution: NEW VIRUS ! scandal ! ^_^ Re:

Depending on some conditions, the worm also creates directories with random names in the Recycled folder and creates randomly named files there.
I-Worm.Borzella
Description I-Worm.Borzella
I-Worm.Borzella is a worm virus spreading via the Internet in an infected file attached to e-mails. The worm itself is a Windows PE EXE file about 50Kb in length and written in Microsoft Visual C++. The infected messages have Subject/Body/Attachment names that are randomly selected from three variants each. Infected messages contain:

Subject:
  Storielle..
  Leggete urgentemente questa e-mail!! (se avete tempo da perdere)
  Divertimento assicurato..

Body:
  Ciao, guarda l'allegatoall ti potrebbe interessare.
  Ciao, devi assolutamente vedere il file che ti ho allegato.
  Ciao, dai un'occhiata all'allegato e ti farai due risate ;-)

Attach:
  bar.exe
  pippo.exe
  porkis.exe
Messages displayed by the Borzella virus:
On September 6 Borzella will put forth the following message:

The worm activates only when a user clicks on the attached file. Once this is done, the worm installs itself into the system, runs a spreading routine and delivers its payload.

Installing

While installing, the worm copies itself into the Windows directory under the name dllmgr.exe and registers that file in the system registry auto-run key:

  HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Dll Manager = %WinDir%\dllmgr.exe

The worm then displays the following messages:

  Quiz
  Cosa dice un vettore ad un altro?
  Risposta
  ...Scusa, hai un momento?...

  Barzelletta
  Sai chi e il fratello di Giorgio Armani?
  Risposta
  ...Emporio!

  Quiz
  Ti trovi al volante della tua auto e circoli ad una velocità costante. Alla tua sinistra c'e un precipizio. Alla tua destra un camion dei pompieri che viaggia esattamente alla tua stessa velocità. Davanti a te cavalca un maiale visibilmente piu grande della tua macchina. Dietro di te ti segue un elicottero che vola raso terra. Gli ultimi due, anch'essi alla tua stessa velocità. Che fai per fermarti?
  Risposta
  ...scendi dalla giostra,imbecille!!!

  Cavolata finale
  Gesu ai discepoli: 'In verità, in verità vi dico: y=x^2-4x+7'. I discepoli commentano un po' fra di loro, poi Pietro si avvicina mestamente a Gesu, dicendogli:
  'Maestro, perdonaci, ma non comprendiamo il tuo insegnamento...'
On September 6th the worm also displays the message:
Accadde il 6 settembre Attenzione signori!!! Oggi non e' mica un giorno fesso come gli altri: spegnete il computer e uscite,godetevi la vita,abbracciate e baciate la persona a voi piu' cara. Viva l'amore. ;-)
Spreading

To send infected messages, the worm uses a direct connection to the SMTP server. To get victim e-mail addresses, the worm opens and scans the Windows Address Book (WAB).
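A check for the two persistence mechanisms described on this page: the Blebla.b file-association change and the Borzella auto-run entry. This is an added example, not code from the original descriptions. It assumes the registry has been exported as a REGEDIT4 text file; the sample export is constructed, the watch-listed file names are the ones given above, and the baseline (".exe" mapped to "exefile" with an open command that starts at "%1") is the Windows default.

```python
import re

# Constructed sample (REGEDIT4 export) reproducing the values this page describes.
SAMPLE_REG = r'''REGEDIT4
[HKEY_CLASSES_ROOT\.exe]
@="rnjfile"
[HKEY_CLASSES_ROOT\.jpg]
@="rnjfile"
[HKEY_CLASSES_ROOT\.txt]
@="txtfile"
[HKEY_CLASSES_ROOT\rnjfile\shell\open\command]
@="sysrnj.exe \"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Dll Manager"="C:\\WINDOWS\\dllmgr.exe"
'''
HKCR = "hkey_classes_root\\"
RUN = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
WATCHLIST = {"sysrnj.exe", "dllmgr.exe"}  # file names taken from the descriptions
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def parse_reg(text):
    """Parse string values of a .reg export into {key (lowercase): {name: data}}."""
    keys, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            cur = keys.setdefault(line[1:-1].lower(), {})
        elif cur is not None and (m := VALUE.match(line)):
            name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
            cur[name] = re.sub(r"\\(.)", r"\1", m.group(2))  # undo .reg escaping
    return keys

def check(keys):
    """Return findings for a hijacked .exe association and watch-listed Run entries."""
    findings = []
    progid = keys.get(HKCR + ".exe", {}).get("@", "exefile").lower()
    cmd = keys.get(HKCR + progid + r"\shell\open\command", {}).get("@", "")
    # A clean .exe handler is ProgID "exefile" with a command that starts at "%1".
    if progid != "exefile" or (cmd and not cmd.lstrip().startswith('"%1"')):
        exts = sorted(k[len(HKCR):] for k, v in keys.items()
                      if k.startswith(HKCR + ".") and v.get("@", "").lower() == progid)
        findings.append(("association", progid, cmd, exts))
    for name, data in keys.get(RUN, {}).items():
        exe = data.replace('"', "").split("\\")[-1].split(" ")[0].lower()
        if exe in WATCHLIST:
            findings.append(("run", name, data))
    return findings

if __name__ == "__main__":
    print(check(parse_reg(SAMPLE_REG)))
```

The association finding lists every extension that shares the ProgID assigned to ".exe", which is the set of file types that has to be restored during clean-up.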