VBS.Mcon.b
Description VBS.Mcon.b
This worm spreads via networks, scanning them for accessible IP addresses and copies itself to them.
Being activated, the worm copies itself into the Windows fonts directory using the name "ttfload.vbs", and modifies the system registry to execute this file upon each Windows start-up. If a file has been activated from a folder other than "Fonts" or "Startup," the worm displays a false system-error message:
ERROR
FILE I/O ERROR
If the worm has been activated from a "Fonts" folder (upon Windows start-up), it runs a spreading routine.
This routine scans local hard drives and network disks. In each folder, it creates a copy of the worm's file. The created-file name the worm generates is as follows: it obtains a random file name from the recent file list, appends to its name to more than a hundred spaces and then appends the extension ".vbs". Thus, the true file extension ".vbs" is hidden with a large number of spaces.
After disk scanning is finished, the worm begins scanning the network for accessible IP addresses. It checks randomly generated IP addresses, and if the address is accessible, it tries to copy itself there.
If the worm finds the directory-contained string "mirc" in the name, it creates a SCRIPT.INI file in there. The script program in this file is automatically executed upon MIRC start-up. This script scans the network in the same way as the worm does. If an accessible IP address is found, it sends a worm copy to that address.
Depending on a randomly generated number in one case in a thousand, the worm replaces a browser's start page to "http://www.zonelabs.com/".
Check other viruses! Be aware! Use Antiviral Software
Klf.356
Description Klf.356
It is a memory resident harmless virus. It copies itself to Interrupt Vectors Table at address 0000:0200, hooks INT 21h and writes itself to the end of COM files that are executed. The virus contains the text:
The KLF
Knight.1136
Description Knight.1136
It is a dangerous nonmemory resident overwriting virus. It searches for .COM files and overwrites them. This virus uses several levels of decryption, some parts of code are encrypted up to seven times. This virus uses anti-debug tricks, it contains the text strings and displays some of them:
Aspettami che arrivo
all you can be anything you want to be ...
*.COM
-KNIGHT-
|
Home
Viruses from A to Z
0-9
A
B
Ñ
D
E
F
G
H
I
J
K
L
M
N
O
P
Q
R
S
T
U
V
W
X
Y
Z
CEGE TRANS CLAES ÖSTER AB
KEMPPI SVERIGE AB
Spiegelreflexkameras
Multimedia Soultions
India Calling Cards
|