Virus Database


Tox.279.a

Description Tox.279.a

This is a harmless, non-memory-resident encoded virus.
The virus searches for COM files, and then writes itself to the end of files.
The virus can contain the following text:
(x)VAMPiR0


I-Worm.Melare

Description I-Worm.Melare
Melare is a worm virus spreading via the Internet as an e-mail attachment. The worm itself is a Windows PE EXE file about 6KB in length when compressed by UPX; the decompressed size is about 15KB. It is written in Visual Basic.
The worm activates from an infected e-mail only if a user clicks on the attached file. Note that the real attached .EXE file name is hidden by a false .JPG name. As a result, the infected .EXE file is displayed as a .JPG image file (picture), though upon opening this attachment it is executed as a true EXE file. When launched from MS Outlook 97 SP2 such attached files are blocked (in the default mode).
The worm then installs itself into the system, runs its spreading routine and payload.
Installation
While installing, the worm copies itself to the Windows directory under the name csrss.EXE and registers this file in the system registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SystemSARS32 = %WindowsDir%\csrss.EXE
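
An added detection example, not part of the original description: it flags auto-run values that launch a file carrying a Windows system process name from a directory other than the one the genuine binary lives in, which is the pattern the installation step above produces. The table of system binaries, the C:\WINDOWS expansion of %WindowsDir% and the sample values are assumptions constructed for illustration.

```python
import ntpath
import re

# Assumed table: sub-directory of the Windows directory holding each genuine binary.
EXPECTED_DIR = {
    "csrss.exe": "system32",
    "lsass.exe": "system32",
    "services.exe": "system32",
    "smss.exe": "system32",
    "winlogon.exe": "system32",
    "explorer.exe": "",
}

# Executable path at the start of a command line, quoted or not.
_EXE = re.compile(r'^\s*"?(.+?\.exe)(?=["\s]|$)', re.IGNORECASE)

def image_path(command):
    """Return the executable path from a Run-key command line, or None."""
    m = _EXE.match(command)
    return m.group(1) if m else None

def flag_masquerading(run_values, windows_dir=r"C:\WINDOWS"):
    """Names of Run values whose system-named binary sits in the wrong directory."""
    flagged = []
    for name, command in run_values.items():
        path = image_path(command)
        if path is None:
            continue
        path = ntpath.normcase(ntpath.normpath(path))
        base = ntpath.basename(path)
        if base not in EXPECTED_DIR:
            continue  # not a protected system name
        expected = ntpath.normcase(
            ntpath.normpath(ntpath.join(windows_dir, EXPECTED_DIR[base])))
        if ntpath.dirname(path) != expected:
            flagged.append(name)
    return sorted(flagged)

# Constructed sample of Run-key values (name -> command), variables already expanded.
SAMPLE_RUN = {
    "SystemSARS32": r"C:\WINDOWS\csrss.EXE",
    "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
    "Shell": r'"C:\WINDOWS\explorer.exe" /startup',
    "Updater": r'"C:\Program Files\Vendor\update.exe" /silent',
}

if __name__ == "__main__":
    print(flag_masquerading(SAMPLE_RUN))
```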

Spreading
To send infected messages the worm uses MS Outlook and sends messages to all the addresses found in the Outlook address book.
Infected messages have the following attributes:

The beginning of the message body text may be covered by a "JPG attach" icon.
Payload
On the 1st, 4th, 8th, 12th, 16th, 20th, 24th and 28th of each month the worm deletes all *.DLL, *.NLS, *.OCX files in the current directory (in most cases this would be the Windows directory).

I-Worm.Melting

Description I-Worm.Melting

This is a virus-worm that spreads via the Internet. The worm itself is a Win32 PE EXE file about 18Kb in length, and it is written in Visual Basic. It is transferred via the net in e-mail messages with an infected attachment named "MeltingScreen.exe".
When an infected message is received and the attached EXE file is executed, the worm gains control and starts its spreading routine. This routine connects to MS Outlook, enters the address book, obtains Internet addresses from there and sends messages by using these addresses.
The messages have a copy of the worm in the attachment with the Subject "Fantastic Screensaver", and the message body appears as follows:
Hello my friend !
Attached is my newest and funniest Screensaver, I named it MeltingScreen.
Test it and tell me what you think.
Have a nice day my friend.
p.s.: Please install the Runtime Library for VB 5.0, before you run the ScreenSaver.

The worm then gains access to the Windows directory and renames all EXE files there with a BIN extension.
The worm has bugs and often hangs a computer when run.
The worm actually has screen-saver ability. After spreading and renaming EXE files to BIN, it "melts" the screen.

    Copyright © 2005 Virus-Database.com