Virus Database


Trojan.Win.BadSector

Description Trojan.Win.BadSector

This Trojan was sent to several Internet newsgroups in August 1998. The Trojan itself is a 25Kb Windows executable file (NE format) written in Pascal. It accesses the network and sends random messages to the Internet.
When run for the first time, the Trojan only installs itself in the system. It copies itself to the Windows system directory under the name SHELL32.EXE and registers itself in the system Registry under HKEY_LOCAL_MACHINE:
SOFTWARE\Microsoft\Windows\CurrentVersion\Run shell32.exe

The Trojan then terminates with no side effects. After the next reboot, the Trojan stays in Windows memory as a hidden task, sleeps, and periodically calls the Windows Sockets API to open a TCP/IP stream socket for sending messages.
The messages have randomly selected addresses, subject and data. The "Mail From" address is randomly constructed from the following parts:
prodigy compuserve kurva putka gerry tetra europe amstel usa bulgaria badsector hacker omega vali-pedali eunet digsys
main vt linux aix unix mail www host abc server veliko-tar
com edu org mil gov net bg tr gr uk ca ro jp
The "RCPT To" address is randomly selected from the following variants:
gerry@tetra.bg
administrator@tetra.bg
tetranet@tetra.bg
root@vt.bitex.com
peterc@vt.bitex.com
ivanp@vt.bitex.com
root@tarnovo.eunet.bg
master@tarnovo.eunet.bg
webmaster@tarnovo.eunet.bg
root@server.vt.bia-bg.com
webmaster@mail.vt.bia-bg.com
webmaster@tetra.bg

The subject is randomly selected from the following variants:
Ha-ha-ha
Bad Sector wi razkaza igrata :))
Greetings from Bad Sector ! Po-zdrawi
Vleze li wi sega?
Re
Hi, kak e?
Ko staa, ima problemi li
Bad Sector
Kogato grum udariall
etc.

The sentences of the message body are randomly constructed from a large set of verbs, words and sub-sentences. Some of them are rude, and most are in Bulgarian. There is no reason to list them all here.
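
An added example, not part of the original description: a Python check that scans a registry export for the persistence described above, a Run entry under HKEY_LOCAL_MACHINE whose program is named shell32.exe (the genuine Windows component is shell32.dll). The sample export, the value names in it and the function names are constructed for illustration.

```python
import re

# Key named in the description above, lowercased for comparison.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
SUSPECT_NAME = "shell32.exe"  # name the Trojan installs itself under

# Constructed sample in REGEDIT4 export format (not from a real system).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"LoadShell"="C:\\WINDOWS\\SYSTEM\\SHELL32.EXE"
"Viewer"="rundll32.exe shell32.dll,Control_RunDLL"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example]
"Helper"="shell32.exe"
'''

# "name"="data" line; backslash escapes are allowed inside both strings.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')

def unescape(s):
    """Undo .reg string escaping (\\\\ -> \\, \\" -> ")."""
    return re.sub(r'\\(.)', r'\1', s)

def program_basename(command):
    """Lowercased file name of the program a Run command line starts."""
    command = command.strip()
    if command.startswith('"'):
        prog = command[1:].split('"', 1)[0]
    else:
        prog = command.split(None, 1)[0] if command else ""
    return re.split(r'[\\/]', prog)[-1].lower()

def find_masquerading_run_entries(reg_text):
    """Return (value name, command) pairs in HKLM Run that start shell32.exe."""
    hits, in_run = [], False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run = line[1:-1].lower() == RUN_KEY
            continue
        m = VALUE_RE.match(line)
        if in_run and m:
            name, data = unescape(m.group(1)), unescape(m.group(2))
            if program_basename(data) == SUSPECT_NAME:
                hits.append((name, data))
    return hits

if __name__ == "__main__":
    print(find_masquerading_run_entries(SAMPLE_EXPORT))
```

The legitimate rundll32.exe entry that merely passes shell32.dll as an argument is not reported, and neither is the value outside the Run key.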


Macro.Word.MDMA

Description Macro.Word.MDMA

Macro.Word.MDMA is an encrypted virus. It contains only one macro, AutoClose, and infects the system and files when a file is closed.
On the 1st of any month the virus corrupts files in a way that depends on the installed system and then displays a message box with the text:
MDMA_DMV
You are infected with MDMA_DMV.
Brought to you by MDMA (Many Delinquent Modern Anarchists).

Under Windows the virus deletes the C:\SHMK file and overwrites C:\AUTOEXEC.BAT with the commands:
@echo off
deltree /y c:
@echo You have just been phucked over by a virus

As a result, after rebooting, all files in all subdirectories will be deleted.
Under Windows NT the virus deletes all files in the root directory as well as the C:\SHMK file.
Under Macintosh the virus deletes the files in the system directory (?).
Under other systems (Windows 95) the virus deletes the C:\SHMK file and all *.HLP files in the C:\WINDOWS directory. The virus then sets some private profile strings and deletes all *.CPL files in the C:\WINDOWS\SYSTEM directory.

Macro.Word.Meldung

Description Macro.Word.Meldung

This virus contains three macros:
Documents    NORMAL.DOT
A1           DateiSpeichernUnter
AutoOpen     AO1
B1           AutoExec

The virus infects the global macros area on opening an infected document (AutoOpen) and infects documents on saving them with new names (DateiSpeichernUnter - FileSaveAs).
On the 17th of any month the virus displays the MessageBox:
Meldung!
Dark Tremor Virus Copyright 1998 by Dark Tremor

    Copyright © 2005 Virus-Database.com