Virus Database


VBS.TripleSix

Description VBS.TripleSix

This is a worm written in the Visual Basic Script (VBS) language. It spreads via e-mail and IRC (Internet Relay Chat) channels.
When executed, the worm script displays the message:
Does your name add up to 666?
This handy little tool will tell you what your name adds up to in ASCII
characters (without including spaces and without converting numbers to
ASCII). It is just for fun, it does not mean you are going to go to hell
if you get a 666. You should probably read the bible if you are concerned
about that.

It then asks the user for names and computes the sum of the ASCII codes of the characters in the entered text:
Does your name add up to 666?
Enter your name. Also try names from your family and friends. And if you
want something interesting try BILL GATES 3 (Bill's real name is Bill
Gates the third) and HOLY BIBLE. Press Cancel or Ok without entering any
name to exit.

When empty text is entered, the worm proceeds to its spreading routine. First, this routine creates a ZIP archive containing the worm itself. To create the archive, the worm uses the "pkzip" utility, which is stored inside the worm's body in a text-based encrypted format and is decrypted before execution. The worm then places the archive in the Windows directory under the name "666TEST.ZIP".
The worm also creates the file "REGSVR.VBS" in the Windows system folder and modifies the system registry so that this script is executed at every Windows startup.
When executed, this script enumerates all disk drives on the computer and checks for the following folders on them:
MIRC
MIRC32
PIRCH
PIRCH98

If a checked folder or one of its subfolders contains the executable files of MIRC or PIRCH (popular IRC clients), the worm creates a script for the IRC client it found. That script sends the 666TEST.ZIP file with the worm inside to every user who joins the IRC channel.
It also checks the system date and, on the fifth of every month, changes the desktop wallpaper to a tiled cartoon picture of a sad face.
Finally, the worm attempts to spread via e-mail using MS Outlook in the same way as the "Melissa" macro virus does. The infected message carries the "666TEST.ZIP" archive with the worm script inside as an attachment. The message subject is "666 test", and the body is "> Does your name add up to 666 in ASCII characters? Are you going to go to hell?".
The worm does not spread from the same computer twice. To prevent duplicate spreading, it creates a key in the system registry:
"HKEY_LOCAL_MACHINE\Software\MIRC/OUTLOOK/PIRCH.VanHouten" = "True"


Advent.Syslock.3551

Description Advent.Syslock.3551

This is a non-resident, harmless virus that infects COM and EXE files when executed. It infects EXE files in the standard way; in COM files, it replaces the first 23h bytes at the beginning of the file with a jump to the virus body.
The major parts of the virus are encoded. The virus does not activate if the text "SYSLOCK=@" is found in the environment.
The virus replaces the string "Microsoft" with "Macrosoft" in disk sectors.

Advert.FriendGreetings

Description Advert.FriendGreetings

Advert.FriendGreetings is an electronic postcard program that, once installed and unlike other similar programs, sends e-mails to all addresses found in the victim computer's Microsoft address book. This obnoxious feature has led some anti-virus companies to classify the program as a "worm".
If a user clicks on the link found in the e-mail, the installation procedure begins.
During installation the program displays a certificate of authenticity. If the user accepts the electronic signature, he or she is given the chance to look over a license agreement (EULA). If the user either disagrees with the license agreement or doesn't trust the certificate, installation of the program terminates.
The Certificate verifying "safe content"!

When a user accepts the license agreement (pictured below), the program is installed on their machine and "Advert.FriendGreetings" proceeds to send messages to all the addresses found in their Microsoft Outlook address book.
The License Agreement

The email messages look as follows:
Subject: %recipient% you have an E-Card from %sender%.
Message:
Greetings!

%sender% has sent you an E-Card -- a virtual postcard from FriendGreetings.com. You can pickup your E-Card at the FriendGreetings.com by clicking on the link below.

http:/ /www.friendgreetings.com/pickup/pickup.aspx?
Message:
------------------------------------------------------------
%recipient%M
I sent you a greeting card. Please pick it up.
%sender%
------------------------------------------------------------
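
The e-mail indicators given in the VBS.TripleSix and Advert.FriendGreetings entries can be turned into a simple mail-filter check. The following is an added example, not code from this page or from any anti-virus product; the function names are hypothetical, and requiring two indicators per match is an assumption of this sketch, chosen to limit false positives.

```python
import re
from email import message_from_string
from email.message import EmailMessage

# Indicators quoted in the two descriptions on this page.
TRIPLESIX_SUBJECT = "666 test"
TRIPLESIX_ATTACHMENT = "666test.zip"
ECARD_SUBJECT = re.compile(r"^.+ you have an E-Card from .+\.$", re.IGNORECASE)
ECARD_HOST = "friendgreetings.com"

def attachment_names(msg):
    """Lower-cased file names of every MIME part that declares one."""
    return [p.get_filename().lower() for p in msg.walk() if p.get_filename()]

def body_text(msg):
    """Decoded text/plain parts (attachments excluded), joined together."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "latin-1", "replace"))
    return "\n".join(chunks)

def classify(raw_message):
    """Return the name of the matching entry, or None if neither matches."""
    msg = message_from_string(raw_message)
    subject = (msg.get("Subject") or "").strip()
    # Require subject AND attachment name: the subject alone is too generic.
    if subject.lower() == TRIPLESIX_SUBJECT and TRIPLESIX_ATTACHMENT in attachment_names(msg):
        return "VBS.TripleSix"
    # Require the subject pattern AND the pickup host in the body.
    if ECARD_SUBJECT.match(subject) and ECARD_HOST in body_text(msg).lower():
        return "Advert.FriendGreetings"
    return None

def sample(subject, body, attachment=None):
    """Build a constructed test message (not a captured one) as raw text."""
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"constructed", maintype="application",
                         subtype="zip", filename=attachment)
    return m.as_string()

if __name__ == "__main__":
    print(classify(sample("666 test", "> Does your name add up to 666?", "666TEST.ZIP")))
    print(classify(sample("Ann you have an E-Card from Bob.",
                          "Pick it up at http://www.friendgreetings.com/pickup/pickup.aspx?")))
    print(classify(sample("666 test", "just a joke subject")))
```
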

When this software installs it adds the following registry keys:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"PMedia"="C:\Program Files\Common Files\Media\winsrvc.exe"

    Copyright © 2005 Virus-Database.com