Virus Database

BetaBoys Family

Description BetaBoys Family

These are parasitic viruses which infect COM-files at their ends.
BetaBoys.441
It's a harmless not memory resident virus. It searches for the .COM-files and infects them. It does not manifests itself, it contains the internal text strings:
-+( Severe Head-Ache Virus V2.oo )+-
Created by The Vile One & MaZ
Copyright (c)1992 The BetaBoys Development Corp.
-Sweden 04/19/92-

BetaBoys.450
It's a not dangerous memory resident virus. It copies itself into DOS system area, hooks INT 21h and hits .COM-files are executed. On execution of SCAN.EXE file the virus displays the message:
THE WORLD WiLL NEVER FORGETT US! -BetaBoys-

It contains the internal text also:
Blood Rage (c)1992 The BetaBoys

BetaBoys.459
It's a dangerous not memory resident virus. It searches for the .COM-files and infects them. It erases the disk sectors and deletes the files
c:autoexec.bat
c:config.sys
windowswin.com

It contains the text strings:
*.com C:Command.Com C:Autoexec.Bat C:Config.Sys windowswin.com
Why Windows (c)1992 MaZ / BetaBoys B.B

BetaBoys.457,538
These are dangerous not memory resident viruses. They search for .COM-files and infect them. On May, 12th and February, 25th they erase the disk C:, D: and E: sectors. "BetaBoys.538" is a encrypted virus. It contains the text strings:
*.COM
:+:+ The Data Molester Virus V1.oo +:+:
(c)1992 MaZ & The Vile One / The BetaBoys Development Corporation.

"BetaBoys.457" contains the text:
*.COM
-+( Severe Head-Ache Virus V2.oo )+-
Created by The Vile One & MaZ
Copyright (c)1992 The BetaBoys Development Corp.
-Sweden 04/19/92-

BetaBoys.575,615
These are dangerous memory resident encrypted viruses. On execution they copy themselves into the memory at the address 9000:0100 without MCB correction. It can cause the dangerous consequences. Then the viruses hook INT 21h and hit COM-files on their execution. They contain the internal text strings: "BetaBoys.575" -
Mexican Mud (c)1992 MaZ
The BetaBoys Development Corp.
+Sweden+

"BetaBoys.615" -
DEATH RATTLE V1.OO
(c)1992 The BetaBoys Development Corp.
+S+W+E+D+E+N+

Check other viruses! Be aware! Use Antiviral Software

I-Worm.Runouce.a

Description I-Worm.Runouce.a
Runouce is a worm virus spreading via the Internet as an attachment to infected emails. Runouce also copies itself to shared network resources.
The Runouce worm is a Windows PE EXE file about 10KB in length and written in Assembly language.
Infected messages have the following properties:
Subject: Hi,i am %(Name of victim's computer)%
Attachment name: p.exe
The message body is blank.
To run from infected messages the worm exploits the IFRAME security breach.
Installation
The worm copies itself to the Windows System directory under the name "Runouce.exe" and then registers this file in the following registry auto-run key:
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun
Runonce = %System%Runouce.exe

%System% = the Windows System directory name.
When the Runouce is launched it creates a 'mutex' named "ChineseHacker" to avoid running multiple instances.
Spreading
The worm creates .EML files containing its copy in all available directories, and network resources, excluding the Windows directory. The name of the .EML files is the name of the victim's computer. For example, if the computer name is COMPUTER, the worm creates COMPUTER.EML files in that computer's directories.
Runouce searches for victim email addresses in WAB databases and files with .ADC and R.DB extensions on all available drives except the Windows directory, and sends infected messages to these addresses. To send infected messages, the worm directly accesses the SMTP server "btamail.net.cn".
Other
The Runouce worm searches for files with .EXE and .SCR extensions on all fixed and remote drives, except the Windows directory, and modifies their file access time data.
Runouce also closes programs with some Chinese titles (probably Chinese anti-virus programs).

I-Worm.Santa

Description I-Worm.Santa

This Internet virus-worm spreads via E-mail by sending infected messages from infected computers. While spreading, the worm uses MS Outlook and sends itself to adresses that are stored in the MS Outlook Address Book.
The worm is written in the scripting language "Visual Basic Script" (VBS). It operates only on computers on which the Windows Scripting Host (WSH) is installed. In Windwos 98 and Windows 2000, WHS is installed by default. To spread itself, the worm accesses MS Outlook and uses its functions and address lists. That is available in Outlook 98/2000 only, so the worm is able to spread only in instance that one of these MS Outlook versions is installed.
The worm arrives to a computer as an e-mail message with an attached VBS file, which is the worm itself. The message in the original worm version reads as follows:
The Subject: News vom Weihnachtsmann [Name]
Message body:
Guten Tag, es ist bald Weihnachten. Und wie sieht's aus mit schönen Geschenken ? Hierzu ein Tip vom Weihnachtsmann: Unter www.leos-jeans.de gibt es die besten Geschenke im Web ! Das bedeutet absolut stressfreies Einkaufen, schnelle und unkomplizierte Lieferung, riesige Auswahl. Also nichts wie hin, und Frohe Weihnachten.
Attached file name: XMAS.VBS
Upon activation by a user (by double clicking on the attached file), the worm opens MS Outlook, gains access to the Address Book, obtains the first 50 addresses from each address list and sends messages with its attached copy to all of them. The message subject, body and attached file name are the same as above.
The original worm version does not have any payload.

Home