Virus Database

Tony.338

Description Tony.338

It is a very dangerous memory resident parasitic virus. It copies itself into the Interrupt Table, hooks INT 21h and infects COM files that are executed or loaded into the memory. While infecting a file it writes itself into the zero-bytes area in that file (if that area presents there). Under some conditions it can infect the files in incorrect way, these files are not recoverable and halt the system on execution. The virus contains the text string:
Tony

Check other viruses! Be aware! Use Antiviral Software

I-Worm.MyLife.b

Description I-Worm.MyLife.b

The Internet worm MyLife.b is a worm virus being spread via the Internet as an e-mail attachment. The worm itself is a Windows PE EXE file about 11Kb in length, written in Visual Basic. It is compressed by UPX, its decompressed size is about 32Kb.
The infected e-mail messages have the following properties:
Subject:
bill caricature
Body:
Hiiiii
How are youuuuuuuu?
look to bill caricature it's vvvery verrrry ffffunny :-) :-)
i promise you will love it? ok
buy ========No Viruse Found======== MCAFEE.COM --------------------------------------------------------
Attachment:
CARI.SCR
Screen shot of infected MyLife.b e-mail:

The worm activates from an infected e-mail only when a user clicks on the attached file. The worm then installs itself into the system and runs its spreading routine.
When the worm is launched for the first time it shows a window with a picture.

Installing
While installing the worm copies itself to the Windows system directory with the name "cari.scr" and registers this file in the system registry auto-run key:

HKCUSoftwareMicrosoftWindowsCurrentVersionRun win=%SYSTEM%cari.scr
%SYSTEM% is the Windows System directory.
Spreading
To send infected messages the worm uses Microsoft Outlook, it sends messages to all addresses found in the Microsoft Outlook Address Book. The worm also gets victim e-mail addresses from MSN Messenger e-mail base.
Payload
Once installed in the system (after Windows reboot following infection) the worm checks the current date, if the current hour value is 8, the worm executes its payload routine, deleting the following files:

c:*.*
d:*.*
e:*.*
f:*.*
Also deleted are: *.sys files in the Windows directory and *.vxd, *.sys, *.ocx, and *.nls files in the Windows system directory.

I-Worm.MyLife.b

Description I-Worm.MyLife.b

MyLife is a family of worms (different versions) spreading through the Internet as infected email attachments. The worms themselves are Windows PE EXE files, written in Visual Basic and compressed by the UPX file compression utility.
The worm is activated only if users click on the attachment. Once executed, MyLife installs itself into the system and runs its spreading routine.
When MyLife is launched for the first time it shows either a window with a picture or message, which one depends on the particular version.
Two possible MyLife pictures:


While installing this worm copies itself to the Windows System directory and registers this copy (file) in the system registry auto-run key.
MyLife uses Microsoft Outlook to send messages to all addresses found in the Microsoft Outlook Address Book.
File size : about 11Kb.
Decompressed file size : about 32Kb.
Email content:
Subject:
bill caricature
Body:
Hiiiii
How are youuuuuuuu?
look to bill caricature it's vvvery verrrry ffffunny :-) :-)
i promise you will love it? Ok
buy
========No Viruse Found========
MCAFEE.COM
--------------------------------------------------------

Attachment name: cari.scr
File name in the infected system:
%SystemDir%cari.scr
Affected registry key:

HKCUSoftwareMicrosoftWindowsCurrentVersionRun
win=%SystemDir%cari.scr

Visual effect: when MyLife is launched for the first time, it displays a window with a picture. When this window is closed the worm runs its payload.
Payload: MyLife checks the current date, if the current hour value is equal to 8, the worm executes its payload routine:
MyLife deletes all files with the extensions .SYS in the Windows directory, files with the extensions .SYS, .VXD, .OCX, .NLS in the Windows System directory and all files in the C:, D:, E: and F: root directories.

Home