Virus Database


VBS.Rabbit.b

Description VBS.Rabbit.b

This is a virus written in Windows Script language, and it is the first known virus of this type, appearing in October 1998. This virus is quite simple - just over 10 commands. It just searches for other script files in the current directory and overwrites them.
The virus does this by using DOS shell commands "find-and-copy-over" and overwriting all *.VBS (Visual Basic Script) files in the current directory.
This virus has a minor bug: when it is executed by a browser, the virus infects all files in the browser's cache and copies them to the computer's Desktop (since the browser's default directory is the Desktop). When this happens, the computer's Desktop becomes filled with the icons of the infected scripts (the virus replicates like a rabbit, which explains the basis for its name - "Rabbit").
On the 15th of any month, the virus creates a URL file with the "CB.URL" or "The CodeBreakers.URL" name (depending on the virus version), and writes the URL reference there: "http://www.codebreakers.org". The major virus versions then also run a browser with this URL. While this is occurring, the virus also displays the following Message Box:
VBSv v1.1
by Lord Natas/CodeBreakers
The virus also contains the comments:
VBSv Version 1.1 by Lord Natas/CodeBreakers
First Windows Scripting Virus


I-Worm.Plexus.b

Description I-Worm.Plexus.b

I-Worm.Plexus.b spreads via local networks and the Internet as an attachment to infected messages. It also spreads via file-sharing networks, and exploits a vulnerability in MS Windows LSASS. It is very similar to I-Worm.Plexus.a, with a few insignificant differences.
The worm is written in Microsoft Visual C++, and is 69632 bytes in size.
Installation
On launching, Plexus.b copies itself to the Windows\System32 folder under the name upu.exe. It then installs a file named setupex.exe to the Windows\System32 folder, and a file named svchost.exe to the Windows root directory.
Setupex.exe is TrojanProxy.Win32.Webber.h, a Trojan proxy program. The program is written in Microsoft Visual C++, and is 47779 bytes in size. svchost.exe is the main module of Plexus.b. It is written in Microsoft Visual C++ and compressed using FSG. The compressed file is 16224 bytes in size and 57857 bytes when decompressed. The text inside this file is encrypted, and contains the line:
"-== KAV I'm Expletus !!!. Made in China. ==-"
The worm registers this file in the system registry auto-run key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
InternetServ=path to executable file
It also creates the mutex Expletus.b, to flag its presence in the system, ensuring that only one copy of the worm can be executed.
Propagation via local and file sharing networks.
The worm copies itself to the file-sharing folder and to all accessible network resources under the following names:
AVP5.xcrack.exe
InternetOptimizer1.05b.exe
Shrek_2.exe
ICQ04noimageCrk.exe
UnNukeit9xNT.exe
YahooDBMails.exe
hx00def.exe
ICQBomber.exe
The worm is otherwise identical to I-Worm.Plexus.a
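
An added example, not part of the original description or of any vendor tool: a Python check that looks for the Plexus.b host artifacts listed above (the InternetServ Run value, the System32 drops, svchost.exe in the Windows root, and the share lure names) in a registry export and a file listing. The function names, the C:\Windows location and the sample input are assumptions made for illustration.

```python
import ntpath
import re

# Indicators from the I-Worm.Plexus.b description above (compared lowercased).
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
RUN_VALUE = "internetserv"
SYSTEM32_DROPS = {"upu.exe", "setupex.exe"}
SHARE_LURES = {
    "avp5.xcrack.exe", "internetoptimizer1.05b.exe", "shrek_2.exe",
    "icq04noimagecrk.exe", "unnukeit9xnt.exe", "yahoodbmails.exe",
    "hx00def.exe", "icqbomber.exe",
}

def scan_reg_export(text):
    """Return the data of every InternetServ value under the HKLM Run key."""
    hits, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()          # entering a new key section
        elif key == RUN_KEY:
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m and m.group(1).lower() == RUN_VALUE:
                hits.append(m.group(2).replace("\\\\", "\\"))  # unescape path
    return hits

def scan_paths(paths, windir=r"C:\Windows"):
    """Flag paths matching the drop locations or share lure names."""
    findings, windir = [], windir.lower()
    for p in paths:
        folder, name = ntpath.split(p.lower())
        if name in SYSTEM32_DROPS and folder == windir + r"\system32":
            findings.append(("system32-drop", p))
        elif name == "svchost.exe" and folder == windir:
            # The genuine svchost.exe lives in System32, not the Windows root.
            findings.append(("svchost-in-windows-root", p))
        elif name in SHARE_LURES:
            findings.append(("share-lure", p))
    return findings

# Constructed sample input, not captured from a real host.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"InternetServ"="C:\\Windows\\svchost.exe"
"SoundMan"="SOUNDMAN.EXE"
'''
SAMPLE_PATHS = [r"C:\Windows\System32\svchost.exe", r"C:\Windows\svchost.exe",
                r"C:\Windows\System32\upu.exe", r"D:\Shared\Shrek_2.exe"]
```

Calling scan_reg_export(SAMPLE_REG) and scan_paths(SAMPLE_PATHS) returns the matches; a lure-name hit alone only flags a file for review, since the names imitate ordinary downloads.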

I-Worm.Pnguin

Description I-Worm.Pnguin

This worm spreads in e-mail messages and via IRC channels. It is related to the Angela multipartite virus, and the IRC and e-mail components of the worm are detected as "Angela" components.
When run, the worm first of all copies itself to the Windows system directory with the hardcoded name:
C:\WINDOWS\SYSTEM\PNGUIN.SCR
To send its copies in an e-mail message, the worm creates a TEMP.VBS file with an additional Visual Basic Script program and spawns it. The program in the script accesses MS Outlook, obtains address book records, and sends a worm copy (with the PNGUIN.SCR name) to the first 20 addresses that are found there. The message contains:
Subject: Finally found it!
Body: Here are the files you asked me forall
Attachment name: PNGUIN.SCR
The script then deletes its VBS file.
To infect IRC channels, the worm creates the SCRIPT.INI file in the C:\MIRC directory. That script sends the PNGUIN.SCR file to all users that join the infected IRC channel.

    Copyright © 2005 Virus-Database.com