VBS.Monopoly
Description VBS.Monopoly
Another Melissa-like worm. It spreads through e-mail using the MS Outlook client. The main difference between the two worms is that this one is written in Visual Basic Script instead of the MS Office macro language. Most of its code is encrypted to make analysis more difficult.
The virus arrives on a computer as an e-mail message with an attached "MONOPOLY.VBS" file. When this file (containing VBScript) is executed, it creates an image file "MONOPOLY.JPG" in a temporary folder. It also creates two more files, "MONOPOLY.WSH" and "MONOPOLY.VBE". The VBE file contains encrypted VBScript and is executed with the WSH file. When the VBE file is executing, it displays the message:
Bill Gates is guilty of monopoly. Here is the proof
Then it displays the picture from the image file. The picture shows Bill Gates' face on a Monopoly game board.
The worm's spreading routine is very close to the routine of the "Melissa" virus. The worm sends itself to every address from the Outlook address book. The message contains the attached file "MONOPOLY.VBS".
Subject: Bill Gates joke
Text: Bill Gates is guilty of monopoly. Here is the proof. :-)
The worm also sends another message to the following addresses: monopoly@mixmail.com, monpooly@telebot.com, mooponly@ciudad.com.ar, mloponoy@usa.net, yloponom@gnwmail.com
In this message, the worm sends a list of names and addresses from the Outlook address book, ICQ UIN files and information obtained from the Windows registry:
Registered user name and organization
Network computer name
DVD region
Country and area code
Language
Windows version
Internet Explorer start page
After all this, the worm modifies the system registry:
"HKEY_LOCAL_MACHINE\Software\OUTLOOK.Monopoly" = "True"
In this way, the worm marks a computer and will not send messages from this computer next time.
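
A mail-gateway check for the indicators described above, as an added example that is not part of the original description: it parses a raw message and flags Windows Script Host attachments, with a specific hit for the "MONOPOLY.VBS" attachment name and the "Bill Gates joke" subject. The function names, the extensions beyond .vbs/.vbe/.wsh and the sample messages are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Windows Script Host file types; .vbs, .vbe and .wsh are the ones named in
# the description, the others are an assumed generalization.
SCRIPT_EXTS = {".vbs", ".vbe", ".wsh", ".wsf", ".js", ".jse"}
# Indicators taken from the description above.
MONOPOLY_ATTACHMENT = "monopoly.vbs"
MONOPOLY_SUBJECT = "bill gates joke"

def scan_message(raw: bytes) -> list[str]:
    """Return a list of findings for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    subject = str(msg["Subject"] or "").strip().lower()
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # body parts and containers carry no file name
        # Windows ignores trailing dots and spaces in file names.
        norm = name.strip().rstrip(". ").lower()
        # Only the last extension decides how the file is opened.
        ext = "." + norm.rsplit(".", 1)[-1] if "." in norm else ""
        if ext not in SCRIPT_EXTS:
            continue
        findings.append(f"script attachment: {name}")
        if norm == MONOPOLY_ATTACHMENT:
            tag = "VBS.Monopoly attachment name"
            if subject == MONOPOLY_SUBJECT:
                tag += " and subject"
            findings.append(tag)
    return findings

def build_sample(subject: str, filename: str, body: bytes) -> bytes:
    """Construct a sample message (test data, not a captured one)."""
    m = EmailMessage()
    m["From"] = "alice@example.com"
    m["To"] = "bob@example.com"
    m["Subject"] = subject
    m.set_content("Bill Gates is guilty of monopoly. Here is the proof. :-)")
    m.add_attachment(body, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for subj, fn in [("Bill Gates joke", "MONOPOLY.VBS"),
                     ("Minutes", "notes.txt"), ("Photo", "holiday.jpg.vbs")]:
        print(fn, scan_message(build_sample(subj, fn, b"' inert placeholder")))
```
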
Demonstrations of the virus effects:
monopoly.jpg
Tanya family
Description Tanya family
This virus corrupts the DRWEB.EXE anti-virus, and displays messages written in Russian. If a Windows NewEXE file is found (NE, PE), the virus overwrites it with a program that displays the following message:
This program must be run under OS/2.
The virus also contains the texts: *.æ0M *.àòE PATH=COMSPEC=OBSHCHESTVO= DRWEB.EXE
Tarazona.985
Description Tarazona.985
It is a dangerous memory-resident encrypted parasitic virus. It hooks INT 21h and writes itself to the end of COM files that are executed. On October 10 it displays the following message and halts the computer:
Tranquilo chico que si no es en septiembre será en Junio :-) Que los 12 créditos mínimos te acompañen all.. by nEUrOtIc cPu cOrpOrAtIOn S.A.
The virus also contains the text: Virus Tarazona_Killer por Nigromante