Virus Database

VBS.Rabbit.a

Description VBS.Rabbit.a

This is a virus written in Windows Script language, and it is the first known virus of this type, appearing in October 1998. This virus are quite simple - just over 10 commands. It just searches for other script files in the current directory and overwrites them.
The virus do this by using DOS shell commands "find-and-copy-over" and overwriting all *.VBS (Visual Basic Script) files in the current directory.
This virus has a minor bug: when it is executed by a browser, the virus infects all files in the browser's cache and copies them to the computer's Desktop (since the browser's default directory is the Desktop). When this happens, the computer's Desktop becomes filled with the icons of the infected scripts (the virus replicates like a rabbit, which explains the basis for it's name - "Rabbit").
On the 15th of any month, the virus creates an URL file with the "CB.URL" or "The CodeBreakers.URL" name (depending on the virus version), and writes the URL reference there: "http://www.codebreakers.org". The major virus versions then also run a browser with this URL. While this is occurring, the virus also displays the following Message Box:
VBSv v1.0
by Lord Natas/CodeBreakers
The virus also contains the comments:
VBSv Version 1.0 by Lord Natas/CodeBreakers
First Windows Scripting Virus

Check other viruses! Be aware! Use Antiviral Software

JDC family

Description JDC family

These are nonmemory resident polymorphic parasitic viruses. They search for COM and EXE files in current and parent directories, then for the COMMAND.COM file and write themselves to the end of the file. While infecting files packed with PKLite the viruses patch PKLite entry code and write "JMP Virus" instruction into the middle of PKLite code.
The viruses use two levels of polymorphic encryption as well as anti-debugging tricks based on i386 features. Under debugger they display the message:
This program requires 80386 or better.

The viruses also contain the text strings:
A JDC PRODUCTION
~~TEMP~~.TMP
If you want to contact us, call:
809-5100 and 809-5031

JDC.6891
It is a very dangerous virus. On Thursday 13th it erases the hard drive and floppy disks sectors. On April 1st it overwrites the MBR of the hard drive with a program that displays on loading:
VI(RUS)
Insert system disk in drive C: and
press enter or space.

The virus also contains the text in Russian and in English:
This program is incompotible with PC-DOSall
MCS 1994
=========================================
.xXXxQEE.D-VersionxXXx...................
Designed for ---[ ]/[ Z / ]---(R)
Internal revision: 005
-----------------------------------------
Copyright (c) 1997 John Darland Computing
QEE (c) 1996-97 JDC
-----------------------------------------
This is D-VERSION!!! (Pre-release)
=========================================
WiNDOWS '95 - ONLY FOR L·A·M·E·R·S
=========================================
[JDC] [JDC] [JDC] [JDC] [JDC] [JDC] [JDC]
=========================================
===[ Messages ]========================================
To Antivirus creators:
"Please name this virus QEE.DVersion"
===[ T·H·E E·N·D ]====================================
*.CoM *.eXe .. COMSPEC=
---[ QEE 1.42 ]-[ Quantum Encryption Engine, Copyright (c) 1996-97 JDC ]---

JDC.7616
It is not a dangerous virus. Depending on the system date and time the virus displays a picture containing the texts:
You have a VIRUS now
Press any key to continue
This program created special for ]/[ 2 /
Copr (c) 1997 JD

The virus also contains the text strings:
Sorry, there is a small error: this program
is incompotible with PC-DOS... :(
=========================================
.xXXxQEE.JV.Dr.WebxXXx...................
Designed for ---[ ]/[ Z / ]---(R)
Internal revision 004
-----------------------------------------
Copyright (c) 1997 John Darland Computing
QEE (c) 1996-97 JDC
=========================================
WiNDOWS '95 - ONLY FOR L·A·M·E·R·S
=========================================
[JDC] [JDC] [JDC] [JDC] [JDC] [JDC] [JDC]
=========================================
===[ Future ]==========================================
You will see in next version:
- 2 new encryptors:
- RCG (Random Code Generator) [10% done]
- TTT (The Time Tracer) [ 0% done]
- More cool Windows'95 halter [ 0% done]
Possibly:
- Int 21h tracing
===[ Messages ]========================================
To Antivirus creators:
"Please name this virus QEE.JV.DrWeb or QEE.JV.Anti95
or, in other case, QEE.AntiWin95. It is only first
virus from large family"
===[ Thanks ]==========================================
To: HR ( JDC ), VD (S&K, VI), DP (xxx), PP (xxx),
DZ ( P), ID ( P) and others...
===[ T·H·E E·N·D ]====================================
COMSPEC=C:COMMAND.COM
[ QEE 1.41 ]-[ Quantum Encryption Engine, Copyright (c) 1996-97 JDC ]---

Jeff.812

Description Jeff.812

It is a very dangerous nonmemory resident parasitic virus. It searches for .COM files and writes itself to the end of the file. On July, 7th it displays:
JEFF is visiting your harddiskall

and erases FAT of current disk.

Home