VBS.Kerza
Description VBS.Kerza
This virus is written in Visual Basic Script (VBS) and is installed on a user's computer by I-Worm.Maldal. On startup, it searches all local-disk subdirectories for files with the following extensions: "htm","html","asp","lnk","zip","jpg","jpeg","mpg","mpeg","doc","xls","mdb","txt","ppt","pps","ram","rm","mp3","mdb","swf" and infects them. The virus also deletes anti-virus files and sends messages by e-mail.

Installation
The virus copies itself to the Windows System directory with the name "zacker.vbs". It also creates a component in the Windows System directory with the name "dalal.htm".

Infecting files
The virus appends script code to files with the following extensions: "htm","html","asp". The script code downloads a virus dropper from the Internet:
http://geocities.com/jobreee/main.htm
For files with the following extensions, it deletes the file and puts a copy of itself in its place, named Oldname + ".vbs": "lnk","zip","jpg","jpeg","mpg","mpeg","doc","xls","mdb","txt","ppt","pps","ram","rm","mp3","mdb","swf"

Deleting files
The virus deletes all files at the following paths on the drive where Windows is installed:
"\program files\command software\f-prot95\*.*"
"\esafe\protect\*.*"
"\pc-cillin 95\*.*"
"\pc-cillin 97\*.*"
"\program files\quick heal\*.*"
"\program files\fwin32\*.*"
"\program files\findvirus\*.*"
"\toolkit\findvirus\*.*"
"\f-macro\*.*"
"\program files\mcafee\virusscan95\*.*"
"\program files\norton antivirus\*.*"
"\tbavw95\*.*"
"\vs95\*.*"
"\rescue\*.*"
"\program files\zone labs\*.*"
It also deletes the directory: "\program files\zone labs"

Spreading in an e-mail message
The virus creates its component file "outlook.vbs" in the Windows System directory and runs it. This component sends a message to all users in the Outlook address book. The messages contain the following:
Subject: Very important !!!
Body: See this page http://geocities.com/Jobreee/main.htm
Other actions The virus displays a dialogue message and reboots the PC. The message text is the following anti-Semitic text: america will never survive till it dismisses jews from its land jews bring disasters to any pll they live with i dunno why they are still alive!!! lets kill them one by one
SP
Description SP
It is a non-dangerous memory-resident stealth boot virus. It hooks INT 13h and writes itself to the MBR sector of the hard drive and to the boot sector of floppy disks that are accessed. The virus recognizes already infected sectors by the ID-string "SP". The virus does not manifest itself in any way.
SP3
Description SP3
It is a very dangerous memory-resident boot virus. It hooks INT 13h and INT 16h and writes itself to the boot sector of floppy disks and to the MBR of the hard drive. Because of an error, the virus may corrupt data on floppy disks while infecting them. Depending on its counters, which are increased on every keystroke (INT 16h), the virus disables writing to disks. That may corrupt disk files. The virus contains the text string: "SP3".