Virus Database

Urfin.317

Description Urfin.317

It's a harmless memory resident parasitic virus. It hooks INT 21h and writes itself to the end of COM-files that are executed. It contains an internal text string in Russian.

Check other viruses! Be aware! Use Antiviral Software

I-Worm.Vybab

Description I-Worm.Vybab

This worm spreads via the Internet as an attachment to infected messages. It can also infect EXE files.
It is a PE EXE file written in Borland Delphi and is approximately 140 KB in size.
Installation
When installing itself to the system, the worm creates a file named 123.txt in the Windows directory. This file contains the following text string:
babyv ; made of Ran
It also creates files in the root directory and the Windows directory. The names of these files are created from three random characters and one of the following extensions:
bat
exe
htm
rar
doc
xls
These files do not contain the body of the worm.
The worm copies itself to a temporary file named seeyou.rar in the C: root directory.
It also creates a file named echo.vbs in the Windows temporary directory. This file contains the script which enables the worm to propagate via email.
Propagation via email
Each time the worm or one of the infected files is launched, the worm sends itself to all addresses in the MS Outlook address book. Infected emails have the following characterstics:
Message header:
Microsoft Pack3, ;o)
Message text:
Hi:
This is Microsoft client server center
Check This!
Infecting EXE files
When the worm is launched for the first time, it infects EXE files located in the Program Files directory, and in the directory which the worm was launched from. It writes itself to the beginning of those files.
After this the worm searches all directories on all accessible drives and infects all EXE files found.
When an infected file is launched, the virus copies itself into the root directory of every available drive and sends itself via email. The original uninfected file is saved in the Windows temporary directory and will re-establish control once the worm finishes the infection process.

I-Worm.Wallon.a

Description I-Worm.Wallon.a

Wallon is an internet worm that spreads via emails containing links to an infected websites.
The infected emails contain the following link:
<HTML><HEAD></HEAD><BODY bgColor=#ffffff><DIV><FONT face=Arial size=2><BR>
<A href="http://drs.yahoo.com/[recipient domain]/NEWS/
*http://www.security-warning.biz/personal6/maljo24/
www.YAHOO.com/#http://drs.yahoo.com/[recipient domain]/NEWS">
http://drs.yahoo.com/[recipient domain]/NEWS
</A></FONT></DIV></BODY></HTML>
A screenshot of the infected message follows:

When users click on the link an Internet Explorer vulnerability allows a script Trojan to be executed.
This Trojan extracts a downloader (about 36 KB, packed with ASPack) from itself which overwrites the wmplayer.exe file.
The downloader then downloads the main body of Wallon and installs it in the C drive root directory under the name alpha.exe. Wallon then changes the Internet Explorer home page to www.google.com.super-fast-search.apsua.com and creates its own toolbar in Explorer.
The main component of Wallon is a PE file about 150 KB in size, written in Delphi and packed by ASPack.
during installation Walon creates the following system registry keys:
[HKCUSOFTWAREMicrosoftInternet ExplorerMain]
"Wh" = ?
Wallon then scans this key and depending on the values attempts to open www.pixpox.com. In this case, Wallon is acting as a clicker for this site, improving visitor statistics.
Wallon also sends infected emails to all addresses in the local MS Outlook address book using the indicated SMTP server.

Home