Virus Database

VBS.Hard

Description VBS.Hard

This is an Internet-worm written in Visual Basic Script language (VBS). It spreads using MS Outlook Express.
This worm spreads via e-mail by sending infected messages from infected computers. While spreading, the worm uses MS Outlook Express and sends itself to all addresses stored in the Windows Address Book. As a result, an infected computer sends as many messages to as many addresses kept in the Windows Address Book.
It works only on computers on which the Windows Scripting Host (WSH) is installed. In Windows 98 and Windows 2000, WHS is installed by default.
The worm arrives to a computer as an e-mail message with the attached file "www.symantec.com.vbs" that is the worm itself.
The infected message in the original worm version contains:
Subject = "FW: Symantec Anti-Virus Warning"
Body = ----- Original Message -----
From: [warning@symantec.com]
To: [supervisor@av.net]; [security@softtools.com];
[mark_fyston@storess.net]; [directorcut@ufp.com];
[pjeterov@goldenhit.org>; [kim_di_yung@freeland.ch];
[james.heart@macrosoft.com]
Subject: FW: Symantec Anti-Virus Warning

Hello,
There is a new worm on the Net.
This worm is very fast-spreading and very dangerous!

Symantec has first noticed it on April 04, 2001.

The attached file is a description of the worm and how it replicates itself.

With regards,
F. Jones
Symantec senior developer
Upon activation, the worm creates a fake Symantec virus information page about the non-existing virus "VBS.AmericanHistoryX_II@mm" and displays it. Then it creates several files that are used later for spreading.
The first file is named "c:www.symantec_send.vbs" containing Visual Basic Script that instructs MS Outlook Express to send infected messages to all of the addresses in the Windows Address Book.
The second file "c:message.vbs" contains Visual Basic Script that on November 24th, displays the following message:
Some shocking news
Don't look surprised!
It is only a warning about your stupidity
Take care!
Both of these files are registered by the worm in the system registry in the autorun section. Thusly, these scripts gain control upon each Windows startup.
The worm also registers a fake-virus information page as the start page of Internet Explorer.
To avoid duplicate spreading from the same machine, the worm creates "HKLMSOFTWAREMicrosoftWABOE Done" in the system registry key and sets its value to "Hardhead_SatanikChild". In this way, it does not spread from the same machine twice.

Check other viruses! Be aware! Use Antiviral Software

Pro-Alife.3423

Description Pro-Alife.3423

It is a dangerous memory resident parasitic virus. It hooks INT 21h and writes itself to the end of EXE files that are executed. When a program is terminated, it displays one of the messages:
Kill an evil satanic ANTI-VIRAL product for Jesus today!
Stop Disinfectants NOW!
Ain't aLife A Beautiful Choice?
And God Said, "Let There Be Life!", and there wasall..
Save the Viruses! They're People Too!!!!
PRO-aLIFE and PROUD! STOP THE VIRUS KILLERS! HALT THE AV!
STORM THE COMPU-CLINICS! DON'T LET THEM KILL THE VIRUSES!!!
Operation Rescue-II, Save the HELPLESS UNBORN Viruses!!!

When the anti-virus programs are executed:
F-PROT.EXE TBSCAN.EXE TBAV.EXE TBCLEAN.EXE SCAN.EXE CLEAN.EXE VIRSTOP.EXE
MSAV.EXE VSAFE.EXE CPAV.EXE FSP.EXE VDEFEND.EXE

the virus overwrites them with the trojan program that displays being executed:
Eddie Lives, Somewhere in time! ____________ 1704 Jerusalem
Casino :( ;( =( Smeg off! _____ ____ Frodo Lives! APRIL FOOLS!
Get a late pass! Datacrime _______________ Brain Void-Poem
Your PC is now STONED! __ OO _____ O _ Copy me, I want to travel!
1,000,000,000 Viruses DIED Today!
And yesterday, and more will die tomorrow!
_/\_STOP THE KILLING!_/\_
Look What You're Doing To Them!
Below is an aborted virus... Support PRO-aLIFE Activism!
This program has been TERMINATED by the Virus Survival Underground Movement.
It had long stood as a horrible BABY VIRUS KILLER, and had to be removed.
Life, What a Beautiful Choice (tm).
--==___[OPERATION RESCUE II - SAVING THE BABY VIRUSES!]___==--
Thank you for choosing life over destruction.
Have a Nice Day (tm).

"Pro-Alife.3423.b" displays the messages:
THE PREDATOR presents the J.TTPOG Virus (c) 1996 SWEDEN!!!!!
THE PREDATOR presents the _ _ _
J.TTPOG VIRUS (c) 1996/03/15 _ _ _
SWEDEN _____ _
And says _ _ _ _ _ _

Probe.2140

Description Probe.2140

It is a very dangerous memory resident parasitic virus. It hooks INT 21h and writes itself to the end of .COM and .EXE files (except COMMAND.COM) that are executed. The virus also infects the files on the current disk:
DOSSMARTDRV.EXE WINDOWSSMARTDRV.EXE DOSDOSKEY.COM DOSKEYB.COM

In December from 1st to 5th the virus displays the message:
Please wait, Smartdrive is checking your disk structure.
Warning, interrupting this task could cause disk damage !

then erases the hard drive sectors, and then displays:
Oh, you are using MS-DOS. Now you see what you have got !
Greetings from Bill Gates all

The virus also contains the text strings:
.EXE.COMCOMMAND.COMMSDOS
Imperial Probe V 1.09

Home