Virus Database


Worm.SQL.Spida.b

Description Worm.SQL.Spida.b
SQL.Spida.b is a new version of the worm SQL.Spida.a. Unlike the previous variant, SQL.Spida.b became quite widespread, especially in Far Eastern Asian countries.
Compared with "a", the "b" variant no longer uses the sqlpoke clone; instead it uses a JavaScript version of the exploit to run commands on vulnerable machines.
Also, the "b" variant does not add the extra sqlagentcmdexec account during the attack; instead it enables the default guest login and gives it administrative privileges.
The following comments can be seen in the worm code:

"// sqlprocess v2.5"
"// Greetings to whole Symantec anti-virus department."


IRC-Worm.Readme.1077

Description IRC-Worm.Readme.1077

This is an IRC worm spreading through IRC channels and using the mIRC client for spreading. The worm appears on a computer as the README.EXE DOS program. When this file is executed by a user, the virus installs itself resident into DOS memory and infects DOS COM files (except COMMAND.COM) that are executed. The virus is encrypted in infected files, and its code is placed at the end of files.
The virus also creates its "dropper" README.EXE on the C: drive (this file has a "hidden" attribute) and "registers" it in the very first lines of C:\AUTOEXEC.BAT: they contain an instruction to execute the virus dropper upon each reboot.
To spread through mIRC channels, the virus searches for the C:\INTERNET\MIRC directory and creates a SCRIPT.INI file there that contains just one command for sending the README.EXE dropper to anybody joining the infected channel.
The worm contains the following text strings:
;-)x
whose name means dark matter vir-L

IRC-Worm.Septic

Description IRC-Worm.Septic

This is a virus-worm that spreads through mIRC channels by using an mIRC script program, and also attempts to infect HTML files so that remote computers are infected when an Internet browser reads infected HTML pages.
The virus manifests itself on the 1st and 2nd of each month. It displays messages and then runs a video effect. By using VGA functions, the virus changes colors of the monitor turning it from white-on-black to black-on-white and back. The messages are as follows:
Day 1st:
Only in your dreams you can be truly free!
~+DarK.MeSsiAh+~ written by SeptiC [TI]
Day 2nd:
Pure evil comes from within! ~+DarK.MeSsiAh+~
Written by SeptiC [TI]

The virus also supports a "protection" that disables virus infection routines. When a virus copy is executed, it looks for the C:\_VAC.TXT file and immediately returns to the host program if such a file exists. The virus also displays the message here:
You are protected by a devine power
~+DarK.MeSsiAh+~ will not touch your files

DOS COM and EXE infector
The main part of the virus is an ordinary parasitic DOS file infector. The virus is encrypted, and when an infected file is executed, the decryption loop restores the virus code to non-encrypted form and jumps to the main virus routine. The virus then searches for DOS COM and EXE files and infects them. While infecting, the virus encrypts and writes its code to the end of the file and modifies the file header.
The virus searches for files and infects them in the current directory, in the parent directories, and in the directory tree on all drives from C: to G:. The virus checks file names and does not infect COMMAND, ?GA*, ??NP* and ???GW* files. It runs the mIRC script infection routine if an MI* file (MIRC.EXE, MIRC32.EXE) is found. It corrupts anti-virus files F-*, TO*, TB*, SC*, AV* (F-PROT, TBAV, SCAN, AVP): the virus overwrites them with code that displays the following message and returns to DOS when such a file is executed:
~+DarK.MeSsiAh+~ a Digital Touch of DarKness! Written by SeptiC [TI]

The virus also deletes the ANTI-VIR.DAT file if it exists.
Infecting BAT files
The virus also searches for BAT and HTML files and infects them in the same directories. While infecting BAT files, the virus writes to the end of the file DOS commands that replace the DOS "dir" command with a set of two instructions: the first runs a virus dropper PORNO.COM, the second executes the DOS "dir" instruction. As a result, on any "dir" instruction the virus dropper is executed.
The virus creates its dropper file PORNO.COM in the Windows Command directory. To locate this directory the virus tries three variants:
C:\WINDOWS\COMMAND
C:\WIN95\COMMAND
C:\WIN98\COMMAND

If none of them is valid, the virus drops this file in the current directory. The virus then opens the C:\AUTOEXEC.BAT file and infects it in the same way as for other BAT files.
Infecting HTML files
While infecting an HTML file, the virus creates, in the same directory, the infected dropper with the PATCH.COM name and appends to the end of the HTML file a short set of HTML commands that display the message:
Download The Latest Patch!
Click Here!

The "Click Here!" is a link that downloads and runs the PATCH.COM virus dropper, when this link is activated. As a result, infected HTML pages are "continued" with a virus text that offers to download an upgrade, but spreads the virus code instead.
mIRC script
The virus looks for an mIRC client installed in the system and creates a new SCRIPT.INI file in the same directory. The virus looks for mIRC in six directories and does not drop its mIRC component if none of the directories is found:
C:\MIRC
C:\MIRC32
C:\PROGRAM\MIRC
C:\PROGRAM\MIRC32
C:\PROGRA~1\MIRC
C:\PROGRA~1\MIRC32

While infecting the mIRC client, the virus uses the same trick as other mIRC viruses do: it overwrites the standard mIRC script file SCRIPT.INI with an infected one. When an mIRC client starts with an infected script, it accepts this file and follows its instructions.
The infected SCRIPT.INI contains several commands. The main one is the virus-sending instruction: when any user sends/receives any files, the virus sends to this user its infected dropper file, PORNO.COM.
The virus also sends messages to the channel and users on the channel. When an infected client connects to an IRC server, the virus sends the message to a user with the "SeptiC_dm" nickname:
I am your servant! I have been turned into a zealot of darkness

If the "D.Messiah" string appears in a message in the channel, the virus sends its own message to all users on the channel:
Only in your dreams you can be truly free!
~+DarK.MeSsiAh+~ Written by SeptiC [TI]

On the "666" string, the virus changes the topic of the channel (that is displayed in the header of the channel window), if the infected user has enough privileges. The new topic string appears as follows:
~+DarK.MeSsiAh+~ a Digital Touch of DarKness! Written by SeptiC [TI]

On the "pray" text, the virus sets the channel operator mode to a user who posts this text, and sends the message to the channel:
I Obey my master! long live satan

On the "sacrifice" text all infected users are kicked out of the channel with the message:
Your word is my command, Power to satan!
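
A defender-side sweep for the on-disk artifacts of IRC-Worm.Septic described above (PORNO.COM and PATCH.COM droppers, modified BAT and SCRIPT.INI files, links appended to HTML files). This is an added example, not code from the original page; the matching rules, function names and sample tree are assumptions, since the page does not give the exact bytes the virus writes.

```python
import re
from pathlib import Path

# Names are from the page; the matching rules are assumptions (exact bytes are not given).
DROPPERS = {"PORNO.COM", "PATCH.COM"}
HTML_END = re.compile(rb"</html\s*>", re.I)
PATCH_LINK = re.compile(rb"href\s*=\s*[\"']?[^\"'>\s]*patch\.com\b", re.I)
PORNO_REF = re.compile(rb"\bporno\.com\b", re.I)

# Constructed sample tree (not real infected files) for a dry run.
SAMPLE = {
    "AUTOEXEC.BAT": b"@echo off\r\nC:\\WINDOWS\\COMMAND\\PORNO.COM\r\n",
    "ok.html": b"<html><a href='http://patch.com/'>news</a></html>\n",
    "bad.html": b"<html>hi</html>\n<a href=\"PATCH.COM\">Click Here!</a>\n",
    "PATCH.COM": b"",
    "MIRC/SCRIPT.INI": b"[script]\r\n; constructed line naming PORNO.COM\r\n",
}


def check_file(path):
    """Return a finding for one file, or None if nothing matches."""
    name = path.name.upper()
    if name in DROPPERS:
        return "dropper file name"
    if name != "SCRIPT.INI" and path.suffix.upper() not in (".BAT", ".HTM", ".HTML"):
        return None
    data = path.read_bytes()
    if name == "SCRIPT.INI" or name.endswith(".BAT"):
        return "references PORNO.COM" if PORNO_REF.search(data) else None
    # HTML: the link is appended, so inspect only what follows the last closing tag.
    ends = list(HTML_END.finditer(data))
    tail = data[ends[-1].end():] if ends else data
    return "trailing link to PATCH.COM" if PATCH_LINK.search(tail) else None


def scan(root):
    """Walk root and return sorted (relative path, finding) pairs."""
    root = Path(root)
    pairs = ((p.relative_to(root).as_posix(), check_file(p))
             for p in root.rglob("*") if p.is_file())
    return sorted(pair for pair in pairs if pair[1])


def write_sample(root):
    """Create the constructed SAMPLE tree under root."""
    for rel, body in SAMPLE.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(body)
```

The ok.html sample carries a link to a patch.com site inside the document body and is not reported, because only content after the closing tag is inspected.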

Copyright © 2005 Virus-Database.com