Virus Database


Viking Family

Description Viking Family

These are memory-resident parasitic viruses. They hook INT 21h and write themselves to the end of COM and EXE files. While infecting a file, the viruses convert EXE files to COM format (see the "Vaccina" viruses). These viruses also contain the word:
Viking

Viking.700
It is a harmless virus. It infects files as they are executed. The versions of this virus contain the strings:
"Viking.700": Viking1 In
"Viking.700.b": Viking3 In

Viking.1000
It is not a dangerous virus. It infects the files that are executed. The virus infects the COMMAND.COM file when the first infected file is executed. This virus contains the texts:
To Nataly from Viking
In

Sometimes it also hooks INT 10h and, when text is displayed via INT 10h, converts uppercase letters to lowercase and lowercase letters to uppercase. While infecting a file, and depending on the system timer, it plays a tune.

Viking.1000.b,c,1400
These are dangerous viruses. "Viking.1400" is encrypted. These viruses infect files that are executed or opened; they also search for files and infect them on DOS calls that access files. They infect the COMMAND.COM file when the first infected file is executed. While infecting a file, these viruses try to set the INT 13h handler to its original address in the DOS area, but in a lot of cases they fail and DOS halts. The viruses contain the text strings:
"Viking.1000.b": *.COM *.EXE Viking4 In
"Viking.1000.c": *.COM *.EXE Viking5
"Viking.1400": *.COM *.EXE Viking7

Viking.1600,2000
These are not dangerous memory-resident parasitic encrypted viruses. They trace and hook INT 21h, then write themselves to the end of COM and EXE files that are executed, opened or renamed. They search for files (using the string "*.COM *.EXE") and infect them on the DOS calls OpenFCB and GetDiskSpace.
While infecting an EXE file, "Viking.2000" checks the file length. If the EXE file is longer than 64K, the virus infects it by manipulating EXE header fields, and the file remains in EXE format after infection. If the file is shorter than 64K, the virus converts it to COM format (see the "Vaccina" method).
These viruses contain the strings:
"Viking.1600":
CLEAVACCFMAPDIR2BDS.VSHIVIRS

"Viking.2000":
-V.EACADAIDSANTIBDS.BUSTCLEADBLSDIR2DOCT
EMM3F-PRFATCFLUSFMAPNC.ENCMAPROTQAPLSCAN
SMARSTACTESTTLINVACCVIRSVSHIWIN.

and check the file name against these strings before infection. If the first four letters of the file name are present in the string, the virus does not infect that file. As a result, the files CLEA*.*, VACC*.*, FMAP*.*, DIR2*.*, BDS.*, VSHI*.*, VIRS*.* are not infected by "Viking.1600". "Viking.2000" does not infect the files -V.E*, ACAD*.*, etc.
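The exclusion strings above read most easily as tables of four-character name prefixes. The following Python sketch is an added example, not code from the virus or from this database; it assumes the entries are packed back to back in four-character slots, and the function names are hypothetical. It splits both tables, rebuilds the wildcard list given in the text and tests whether a given file name would be skipped.

```python
# Exclusion strings exactly as quoted in the description above.
VIKING_1600 = "CLEAVACCFMAPDIR2BDS.VSHIVIRS"
VIKING_2000 = (
    "-V.EACADAIDSANTIBDS.BUSTCLEADBLSDIR2DOCT"
    "EMM3F-PRFATCFLUSFMAPNC.ENCMAPROTQAPLSCAN"
    "SMARSTACTESTTLINVACCVIRSVSHIWIN."
)

def prefixes(table):
    """Split a table into its 4-character entries (assumed fixed-width slots)."""
    if len(table) % 4:
        raise ValueError("table length is not a multiple of 4")
    return [table[i:i + 4] for i in range(0, len(table), 4)]

def dos_basename(path):
    """Drop drive and directories and upper-case the name, as DOS does."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return name.rsplit(":", 1)[-1].upper()

def is_skipped(path, table):
    """True when the first four characters of the file name are a table entry."""
    head = dos_basename(path)[:4]
    return len(head) == 4 and head in prefixes(table)

def as_wildcards(table):
    """Render the table in the CLEA*.* / BDS.* notation used in the text."""
    return [p + "*" if "." in p else p + "*.*" for p in prefixes(table)]

if __name__ == "__main__":
    print(as_wildcards(VIKING_1600))
    # Constructed file names, chosen to hit and miss each table.
    for name in (r"C:\DOS\VSHIELD.EXE", "SCAN.EXE", "WIN.COM", "EDIT.COM"):
        print(name, is_skipped(name, VIKING_1600), is_skipped(name, VIKING_2000))
```
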
Some generations of "Viking.1600" display the message:
On 1 Mar. 1992 I met NATALY, and she changed my life!
The 365th copy of is dedicated to our first anniversary

Depending on the number of its generation "Viking.2000" hooks INT 8 (timer) and displays either the random data, or the message "Viking". This virus contains the string:
String carrier space! Available for messages! No more viruses!
LOOKING FOR WORK! Address available in LCV_BAS!

Viking.Mixtura
It is a harmless memory resident parasitic virus. It hooks INT 21h and writes itself to the end of COM and EXE files that are executed. It contains the text strings:
Crypted Here->
ViKing-Mixtura,CopyLeft (L) 1993 by ViKing.
ViKing is The Real King of Viruses' Kingdom.


I-Worm.Gizer.c

Description I-Worm.Gizer.c

Gizer is a worm that spreads via the Internet as an attachment to infected emails; it also appends itself to ZIP archives.
The worm itself is a Windows PE EXE file about 8 KB in length and written in Assembly language.
Infected messages have the following characteristics:
From: Microsoft Critical Response Team
Subject: Urgent message for all Windows users
Body:

Dear Windows User, The Microsoft Security Experts have discovered a bug inside the Windows files that poses a security threat to all versions of Windows newer than Windows98 (including Windows98). Virus experts have reported that few known viruses have been identified using this exploit, but more are expected. A patch has been supplied with this email and will fix the security hole. **THIS MESSAGE WAS DELIVERED BY THE AUTHOR FROM ENERGY WORM !!!**

Attachment name: patch.exe
The worm activates from infected email only when a user clicks on the attached file.
The worm does not install itself to the system and is not repeatedly activated. The only way to run the virus again is to double click the attached file.
When the worm is launched, it copies itself to the current folder under the name windows.tmp, and displays the following message:
Could not patch due to bad CRC!

Spreading: e-mail
To send infected messages the worm connects to the SMTP server specified as the default in Windows. Gizer then sends messages to all addresses found in the Windows address book (WAB database).
Spreading: archives
Gizer also searches for all files with the .ZIP extension on all hard drives and appends its copy to them.

I-Worm.Gokar

Description I-Worm.Gokar

This is a virus-worm that spreads via the Internet attached to infected e-mails, sends itself via IRC channels and infects an IIS server. It also protects itself from anti-virus programs.
The worm itself is a Windows PE EXE file, 14336 bytes in length, and is written in Visual Basic 6. It is packed with UPX. After unpacking, it is 53 Kb in size. It contains the following text strings:
W32.Karen by Gobo all happy birthday girl !!! shouts : W1z, Merl, NM, and whoever else. #teamvirus on Undernet ... say hello. bob is the king of bots :)

Infected messages contain the following:
The subject is one of 15 variants:
If I were God and didn't belive in myself would it be blasphemy
The A-Team VS KnightRider ... who would win ?
Just one kiss, will make it better. just one kiss, and we will be alright.
I can't help this longing, comfort me.
And I miss you most of all, my darling ...
... When autumn leaves start to fall
It's dark in here, you can feel it all around. The underground.
I will always be with you sometimes black sometimes white ...
.. and there's no need to be scared, you re always on my mind.
You just take a giant step, one step higher.
The air will hold you if you try, trust my wings of desire. Glory, Glorified.......
The horizons lean forward, offering us space to place new steps of change.
I like this calm, moments before the storm Darling, when did you fall..when was it over ?
Will you meet me .... and we'll fly away ?!
The attachment file name is random. It has one of the following extensions:
.exe, .pif, .scr, .bat, .com
Sample names are as follows:
3tgf3tgf3tgf373774285313tgf.scr
ffdasfffdasfffdasf145361008658ffdasf.com
rewfdrewfdrewfd30741913208rewfd.scr
The message body is one of the following 4 variants:
Hey

They say love is blind ... well, the attachment probably proves it. Pretty good either way though, isn't it ?
You should like this, it could have been made for you speak to you later
Happy Birthday Yeah ok, so it's not yours it's mine :) still cause for a celebration though, check out the details I attached
This made me laugh Got some more stuff to tell you later but I can't stop right now so I'll email you later or give you a ring if thats ok ?! Speak to you later
Installation
While installing, the worm copies itself to the Windows system directory with the name KAREN.EXE and registers that file in the system registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Karen = karen.exe

Spreading via E-mail
To send infected messages, the worm uses MS Outlook and sends messages to all addresses found in the Outlook address book.
Spreading via IRC channels
The worm overwrites the file C:\MIRC\SCRIPT.INI with a new script file.
This script sends an EXE file to each user joining the infected channel. It also sends the following message:
If this doesn't make you smile, nothing will.

It changes a user's nickname to the following:
karen, worm, virus, sex
The script ignores users that send the texts:
script, infected, dcc, script, infected
It joins the channel #teamvirus if it receives a text containing the character 'e'.
Infecting IIS server
The worm overwrites the file C:\INETPUB\WWWROOT\DEFAULT.HTM with its code, and copies itself to the directory C:\INETPUB\WWWROOT with the name WEB.EXE. The new DEFAULT.HTM contains a link to the file WEB.EXE. It also has a text comment:
As a result, the local IIS server is infected by the worm.
Protecting from anti-viral programs
While installing itself on the computer system, the worm scans the running processes. It checks their names against the following list:
VSHWIN32.EXE
PW32.EXE
_avpm.exe
avpm.exe
ICLOAD95.EXE
ICMON.EXE
IOMon98.exe
VetTray.exe
Claw95.exe
f-stopw.exe
The worm terminates these processes in memory.
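
The installation, IRC and IIS artefacts described above can be checked together when triaging a host. The following Python sketch is an added example, not part of the original description; the snapshot format and the function name are hypothetical, the sample snapshots are constructed, and it assumes the channel name or the IRC message appears literally in the dropped SCRIPT.INI.

```python
import ntpath

# Indicator values are the ones given in the description above.
WEBROOT = r"c:\inetpub\wwwroot"
MIRC_SCRIPT = r"c:\mirc\script.ini"
SCRIPT_MARKERS = ("#teamvirus", "if this doesn't make you smile, nothing will.")

def gokar_findings(run_values, files, system_dir):
    """Return the Gokar artefacts present in a host snapshot.

    run_values: {value name: data} read from the auto-run registry key
    files:      {path: text content, or None when only existence is known}
    system_dir: the Windows system directory of the host
    """
    # Windows paths are case-insensitive, so compare everything in lower case.
    files = {ntpath.normpath(p).lower(): (c or "").lower() for p, c in files.items()}
    sysdir = ntpath.normpath(system_dir).lower()
    found = []
    for name, data in run_values.items():
        if name.lower() == "karen" and ntpath.basename(data).lower() == "karen.exe":
            found.append("run-key")
    if ntpath.join(sysdir, "karen.exe") in files:
        found.append("system-copy")
    if ntpath.join(WEBROOT, "web.exe") in files:
        found.append("iis-dropper")
    if "web.exe" in files.get(ntpath.join(WEBROOT, "default.htm"), ""):
        found.append("iis-default-page")
    if any(m in files.get(MIRC_SCRIPT, "") for m in SCRIPT_MARKERS):
        found.append("mirc-script")
    return found

# Constructed snapshots (not taken from a real host).
INFECTED = dict(
    run_values={"Karen": "karen.exe", "SystemTray": "SysTray.Exe"},
    files={
        r"C:\WINDOWS\SYSTEM\KAREN.EXE": None,
        r"C:\INETPUB\WWWROOT\WEB.EXE": None,
        r"C:\INETPUB\WWWROOT\DEFAULT.HTM": '<a href="WEB.EXE">download</a>',
        r"C:\MIRC\SCRIPT.INI": "; constructed script text that references #teamvirus",
    },
    system_dir=r"C:\WINDOWS\SYSTEM",
)
CLEAN = dict(
    run_values={"SystemTray": "SysTray.Exe"},
    files={r"C:\INETPUB\WWWROOT\DEFAULT.HTM": "<h1>Under construction</h1>",
           r"C:\MIRC\SCRIPT.INI": "; constructed benign script"},
    system_dir=r"C:\WINDOWS\SYSTEM",
)

if __name__ == "__main__":
    print(gokar_findings(**INFECTED))
    print(gokar_findings(**CLEAN))
```
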

    Copyright © 2005 Virus-Database.com