Virus Database


Worm.P2P.Surnova.a

Description Worm.P2P.Surnova.a

This is a worm that replicates using Windows Messenger and the Kazaa network software. It spreads by copying itself to the Kazaa shared folder and by sending copies of itself via Windows Messenger.
Installation
When the worm is launched for the first time, it tries to copy itself to the Windows directory with one of the following names:
Alles-ist-vorbei.exe
Desktop-shooting.exe
Hello-Kitty.exe
BigMac.exe
Cheese-Burger.exe
Blaargh.exe
The worm sets its copy to be executed automatically when Windows starts by writing the following registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Supernova=(one of the file names specified above)
The worm also shows a fake error message.

Replication: Kazaa network
Surnova tries to obtain the name of the Kazaa shared directory from the system registry. If that entry does not exist, it uses the Media folder located in the Windows directory instead. It then copies itself to that directory under the following names:

Windows XP key generator.exe
Windows XP serial generator.exe
Key generator for all windows XP versions.exe
Warcraft 3 ONLINE key generator.exe
Half-life ONLINE key generator.exe
Quake 4 BETA.exe
Grand theft auto 3 CD1 crack.exe
GTA3 crack.exe
Battle.net key generator (WORKS!!).exe
Warcraft 3 battle.net serial generator.exe
Half-life WON key generator.exe
Star wars episode 2 downloader.exe
Winzip 8.0 + serial.exe
Winrar + crack.exe
Britney spears nude.exe
Macromedia MX key generator (all products).exe


Iwag.4183

Description Iwag.4183

This is a memory-resident polymorphic parasitic virus that is not dangerous. It hooks INT 8, 17h, 21h and 2Fh and writes itself to the end of EXE files that are accessed.
By hooking INT 2Fh, the virus obtains the command line when programs are executed. If the command line is "iwag" or "iwagstat", the virus displays the following messages, followed by internal virus data and counters in hexadecimal:
Hello! IWAG Virus, Opole , 1997
Usuniecie virusa z systemu: mov ax,0ABABh , int 21h
Hi Master! Status:
Pierwszy nosiciel:

When TD* files are executed, the virus displays the following message and reboots the computer:
Program too big to fit in memory

Depending on its internal counters, the virus ejects/inserts the CD-ROM drive tray or prints one of the following texts:
To ja-twoja drukarka:
Rzeczy, ktore mi kazesz drukowac sa bez sensu!
Moze wreszcie kupisz mi dobry papier?
Boli mnie glowa :(
Daj mi spokoj!

Depending on the system date, the virus also hooks INT 17h (printer) and changes the letters and digits that are printed.
The virus also disables the mouse, beeps through the PC speaker, and displays the text:
Zartowalem :)

Izhevsk.3474

Description Izhevsk.3474

This is a dangerous memory-resident encrypted parasitic virus. It writes itself to the end of COM and EXE files. When an infected file is executed, the virus hooks INT 21h and intercepts the FindFirst DOS call; on these calls it searches for COM (except COMMAND.COM) and EXE files in the current directory and infects them.
The virus uses incorrect anti-debugging tricks and, as a result, does not work on Pentium computers. Depending on the system date and its internal data, the virus also hooks INT 1Ch and, after some time, halts the computer and displays the message:
+------------------------------------+
| |
| Waiting for halting systemall |
| |
+------------------------------------+

The virus also contains the text strings:
Sys areaCOMMAND*.com *.exe
(C) Izhevsk 1996

    Copyright © 2005 Virus-Database.com