Virus Database

VBS.Kerza

Description VBS.Kerza

This virus is written in Visual Basic Script (VBS) and is installed on a users computer by I-Worm.Maldal. While starting, it searches in all local-disk subdirectories for the following extensions:
"htm","html","asp","lnk","zip","jpg","jpeg","mpg","mpeg","doc","xls","mdb", "txt","ppt","pps","ram","rm","mp3","mdb","swf"
and infectes them. The virus also deletes anti-virus files and sends messages by e-mail.
Installation
The virus copies iteself to the Windows System directory with the name "zacker.vbs". It also creates its component in the Windows System directory with the name: "dalal.htm".
Infecting files
The virus appends a script code to files with the following extensions: "htm","html","asp". The script code downloads a virus dropper from the Internet:
http://geocities.com/jobreee/main.htm
It deletes the files and makes its copy with the extension Oldname + ".vbs" for the following file extensions:
"lnk","zip","jpg","jpeg","mpg","mpeg","doc","xls","mdb", "txt","ppt","pps","ram","rm","mp3","mdb","swf"
Deleting files
The virus deletes all files in the drive with Windows for the following paths:
"program filescommand softwaref-prot95*.*"
"esafeprotect*.*"
"pc-cillin 95*.*"
"pc-cillin 97*.*"
"program filesquick heal*.*"
"program filesfwin32*.*"
"program filesfindvirus*.*"
" oolkitfindvirus*.*"
"f-macro*.*"
"program filesmcafeevirusscan95*.*"
"program files orton antivirus*.*"
" bavw95*.*"
"vs95*.*"
" escue*.*"
"program fileszone labs*.*"

It also deletes the directory:
"program fileszone labs"
Spreading in an e-mail message
The virus creates and runs, in the Windows System directory, its component file "outlook.vbs". This component sends a message to the all users from the Outlook address book. The messages contain the following:
Subject: Very important !!!
Body: See this page
http://geocities.com/Jobreee/main.htm


Other actions
The virus displays a dialogue message and reboots the PC. The message text is the following anti-Semitic text:
america will never survive till it dismisses jews from its land
jews bring disasters to any pll they live with
i dunno why they are still alive!!!
lets kill them one by one

Check other viruses! Be aware! Use Antiviral Software

Macro.Word.Smmd

Description Macro.Word.Smmd

The virus contains one macro that is names AutoOpen in documents and FileSaveAs in NORMAL.DOT. It infect the global macros area (NORMAL.DOT) on opening an infected document (AutoOpen) and writes itself to documents that are saved with new name (FileSaveAs). While infecting the virus slightly modifies its code: it inserts into its source WordBasic code empty lines.
The virus contains the comments:
**********************************************************
WARNING: This is trivial example of Self Modifying Macro !
Only for evaluation purposes !
It is strongly prohibited to spread this macro !
The name for this shit must be "SMM_demo"
Do not use other name please !
----------------------------------------------------------
Name for this shit: "SMM_demo" research macro
Author: Unknown
date: Unknown
origin: Unknown
**********************************************************

Macro.Word.Snickers

Description Macro.Word.Snickers

This macro virus contains two macros: autoopen and autoclose. On AutoOpen it infects documents that are loaded into Word. After infection and on AutoClose the virus mixes the characters within current document. It also creates new variable in documents:
snickers=mmmhh

Home