Virus Database

WinWorm

Description WinWorm

WinWorm is a harmless non-memory resident poly-morphic worm virus. The worm itself is a DOS COM program about 2K in length and encrypted with poly-morphic code. The worm uses Windows features and environment variables and is able to operate correctly under Windows only.
When the infected file is run, the worm installs itself into the system where it copies itself to the Windows system directory with the name WINWORM.COM, to the Windows directory with the names WINDLL.COM and WINSIS.COM (both files have a hidden attributes set). There is also a 'C:WW.COM' worm copy left on the C: drive after installation.
The installation process is performed in two steps:
First, the worm drops itself into disk C: root drive with the WW.DAT name.
Secondly, it inserts itself into the C:AUTOEXEC.BAT set of commands that completes its installation on the next reboot.
To be executed or run each time Windows is booted the worm creates an auto-run key in the WIN.INI file:
[windows] load=WinSis.Com
The worm creates the following files in the Windows directory:
DRIVE.BAT LOADCOM.BAT COPYFILE.BAT DRIVE.PIF
In the Windows SendTo subdirectory it writes:
?³Â?3_~1.lnk - "disk3_" in Cyrillic.
The worm modifies the following registry keys:
HKEY_CLASSES_ROOTcomfileshellopencommand @="LoadCom.Bat %1"
HKEY_CLASSES_ROOTDriveshellopencommand @="Drive.Pif %1"
As a result, the worm files (LOADCOM.BAT and DRIVE.PIF) are being run by accessing a new drive and by executing a DOS COM file. The worm files then run a WINDLL.COM worm copy that drops the infected NEWGAME.COM file onto the A: floppy disk - if it is inserted.
The worm has no payload.
The worm contains the text strings:
[WinWorm_1.0] [WDME 5.0]

Check other viruses! Be aware! Use Antiviral Software

Pray Family

Description Pray Family

These are not dangerous memory resident parasitic viruses. They hook INT 1Ch, 21h and write themselves to the end of COM files that are executed. Depending on the system timer they display the message:
Keep On Praying,Jesus !

Predator.1035

Description Predator.1035

It's a harmless memory resident multipartite polymorphic virus. On execution of infected file the virus traces the interrupt vectors 13h, 21h and infects MBR of hard drive. Then it hooks INT 21h and writes itself at the end of COM- and EXE-files are accessed. It hooks INT 13h also and infects boot-sectors of floppies. On loading from infected sector it hooks INT 13h and waits for DOS loading, then it hooks INT 21h and starts to infection. This virus contains several encrypted text strings:
Predator virus #2 (c) 1993 Priest - Phalcon/Skism
THE PREDATOR
TORPNACSAELCFASVVAPC.VANOCED

The last string contains the part of the file names (written backward) which are not infected by this virus: *PROT, SCAN, CLEA*, VSAF, CPAV, NAV, DECO.

Home