Virus Database

Win32.TeddyBear

Description Win32.TeddyBear

This is a parasitic Windows virus with backdoor ability. When an infected file is run, the virus-installing routine takes control, creates the DLLMGR.EXE file in the Windows system directory and spawns it. The DLLMGR.EXE file is a pure virus code, it stays in the Windows memory as a hidden application and registers its file (DLLMGR.EXE) in the system registry in the auto-run section (this will cause Windows to load and run this file upon each startup):
HKLMSoftwareMicrosoftWindowsCurrentVersionRun
Teddybear = "xxxxDLLMGR.EXE"

where "xxxx" is the name of the Windows system directory.
The virus then stays in Windows memory and its "backdoor" routine gains control. This routine opens the connection and waits for commands from remote host, gets/sends files from/to there, etc. The virus is also able to execute files that are sent by a host (including a virus update). Moreover, the virus code in the DLLMGR.EXE file (dropped to the system by the infected file) has no infection code in it. The infecting routine is downloaded from the host and executed. So, the infection and other virus routines are stand-alone executable files, and they can be easily updated by the virus' author. Very similar technology was used for the first time in the Win95_Babylonia Windows virus.
The known virus version and components are compatible with Win9x only, and do not work under WinNT. They also have bugs that stop the virus from spreading in some cases. Despite this, new bugs-free and NT-compatible components may be released by virus author.

Check other viruses! Be aware! Use Antiviral Software

IVP Constructor

Description IVP Constructor

IVP ('INSTANT VIRUS PRODUCTION KIT') is a virus creation kit. It produces viral assembler source of different virus types. The characteristics of the IVP-based viruses are selected by editing a configuration file. There are several options: infect COM, EXE or both; encrypted or not; INT 24h hooking or not; COMMAND.COM infection or not; and other.
This generator looks like a minor version of the PS-MPC code generator, as well as G2 virus constructor.

Iwag.4183

Description Iwag.4183

It is not a dangerous memory resident polymorphic parasitic virus. It hooks INT 8, 17h, 21h, 2Fh and writes itself to the end of EXE files that are accessed.
By hooking INT 2Fh the virus gets command line when programs are executed. If command line is "iwag" or "iwagstat", the virus displays the messages followed with internal virus data and counters in hexadecimal:
Hello! IWAG Virus, Opole , 1997
Usuniecie virusa z systemu: mov ax,0ABABh , int 21h
Hi Master! Status:
Pierwszy nosiciel:

When TD* files are executed, the virus displays the message and reboots the computer:
Program too big to fit in memory

Depending on its internal counters the virus ejects/inserts CD-ROM drive or prints one of the texts:
To ja-twoja drukarka:
Rzeczy, ktore mi kazesz drukowac sa bez sensu!
Moze wreszcie kupisz mi dobry papier?
Boli mnie glowa :(
Daj mi spokoj!

Depending on the system date the virus also hooks INT 17h (printer) and changes the letters and digits that are printed.
The virus also disables mouse, beeps by PC speaker, displays the text:
Zartowalem :)

Home