Virus Database


Worm.Win32.Kilonce.a

Description Worm.Win32.Kilonce.a

This is a Win32 network worm. It spreads over the local network through drives shared with full access.
The worm itself is a Windows PE EXE file written in Delphi. Depending on the version, the worm is about 40Kb (compressed version, UPX compressor used) or 82K (original uncompressed EXE file).
The worm was found in China in November 2002.
The worm has many bugs in its code and is often unable to spread over the network and activate its payload routines.
Installing
While installing, the worm copies itself under the name "killonce.exe" to the Windows system directory and to the "Recycled" directory on the same drive where Windows is installed. The worm then registers its copies in the system registry auto-run key. For example, if Windows is installed in the C:\WINDOWS directory, the affected registry keys will look as follows:
HKCR\exefile\shell\open\command
"C:\WINDOWS\KILLONCE.EXE "%1" %*"

HKCR\txtfile\shell\open\command
"C:\Recycled\KILLONCE.EXE C:\WINDOWS\NotePad.exe %1"

HKLM\Software\CLASSES\exefile\shell\open\command
"C:\WINDOWS\KILLONCE.EXE "%1" %*"

HKLM\Software\CLASSES\txtfile\shell\open\command
"C:\Recycled\KILLONCE.EXE C:\WINDOWS\NotePad.exe %1"

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
KillOnce = "C:\WINDOWS\KILLONCE.EXE"

The worm then creates an "EMail" copy of itself in the Windows temporary directory. This copy is named "KillOnce.exe.Eml" and has "true e-mail" format. The From, To and Subject fields and the Body are empty. The attached file is named "Explorer.exe" (the worm copy in a MIME envelope), and there is an IFrame tag that activates the EXE attachment when the infected e-mail is opened.
Spreading
The worm looks for network drives that are open for full access and copies itself there with the name:
Windows\rundll32.exe

if a "Windows" directory is present there. The worm renames the original "rundll32.exe" file to "Run32.exe".
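
The registry changes listed under "Installing" can be checked for in a registry export. The script below is an added example, not part of the original description: it parses .reg export text and reports exefile and txtfile open commands and Run entries that match those changes. The function names and the sample export are constructed for illustration; the normal exefile command is assumed to be "%1" %* and the normal txtfile handler is assumed to start Notepad.

```python
import re

EXEFILE_DEFAULT = '"%1" %*'  # standard exefile open command
WATCHED = {  # lower-case key suffix -> check to apply
    r"exefile\shell\open\command": "exe",
    r"txtfile\shell\open\command": "txt",
    r"software\microsoft\windows\currentversion\run": "run",
}
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')
ESCAPED = re.compile(r"\\(.)")  # .reg text escapes \ and " with a backslash

def parse_reg(text):
    """Yield (key, value_name, data) for each string value in .reg export text."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE.match(line)):
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            yield key, name, ESCAPED.sub(r"\1", m.group(2))

def first_program(command):
    """Return the lower-case file name of the program a command line starts."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', command)
    path = (m.group(1) or m.group(2)) if m else ""
    return path.rsplit("\\", 1)[-1].lower()

def audit(text):
    """Return (key, value_name, reason) for entries matching the listed changes."""
    findings = []
    for key, name, data in parse_reg(text):
        kind = next((k for s, k in WATCHED.items() if key.lower().endswith(s)), None)
        prog = first_program(data)
        if kind == "exe" and name == "(Default)" and data.strip() != EXEFILE_DEFAULT:
            findings.append((key, name, "exefile open command differs from default"))
        elif kind == "txt" and name == "(Default)" and prog != "notepad.exe":
            findings.append((key, name, "txtfile open command does not start Notepad"))
        elif kind == "run" and (prog == "killonce.exe" or "\\recycled\\" in data.lower()):
            findings.append((key, name, "auto-run entry matches the worm's copy"))
    return findings

# Constructed sample in .reg export syntax, modelled on the values listed above.
SAMPLE = r'''[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\KILLONCE.EXE \"%1\" %*"
[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\Recycled\\KILLONCE.EXE C:\\WINDOWS\\NotePad.exe %1"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"KillOnce"="C:\\WINDOWS\\KILLONCE.EXE"
"SystemTray"="SysTray.Exe"
'''
```

Calling audit(SAMPLE) returns three findings and leaves the SystemTray entry alone. A txtfile handler that a user deliberately pointed at another editor is also reported and needs manual review.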


Lilo.1573

Description Lilo.1573

This is a relatively harmless memory resident parasitic virus. It hooks INT 21h, and writes itself to the end of COM and EXE files that are executed. On the 13th of any month, the virus, depending on the system time, displays messages (see below), and either returns to DOS or reboots the computer.
The virus also contains the following texts:
LI_LO.1573 virus v.0 (test) by P&C
COMMAND.COM.EXE

The messages are:
Divide error
Program too big to fit in memory
+------------------------------------------------------------------+
| If you want to be more SEXY, you must drink a lot of Pepsi ! |
| |
| XXXX XXXX |
| XXXX XXXX --+-- +-- |
| XXXX XXXX | +--+ +- |
| XXXX XXXX | | | +-- |
| XXXXXXX XXXX | |
| XXXXXXX XXXX |
| +--+ +-- +-- -+-- |
| Greetings to +--+ +- +-+ | |
| Marek Sell +--+ +-- --+ | |
| and |
| everybody, who can XXXX XXXXX |
| read this text XXXX XXXX XXXX |
| XXXX XXXX XXXX |
| from PiCSof XXXXXXXX XXXX XXXX |
| XXXXXXXX XX XXXXX XX |
| |
| |
+-------------------------------------------------COPYRIGHT 1996---+

Linc Family

Description Linc Family

These are harmless memory resident parasitic viruses. "Linc.228,318" are encrypted viruses.
They use different ways to install themselves into system memory. "Linc.196,228" copy themselves to the Interrupt Vectors Table, "Linc.307" allocates memory by using DOS functions and patches the MCB fields, and "Linc.318" stays memory resident by using the Keep call (INT 27h).
Then they hook INT 21h and infect COM files that are executed. "Linc.196,228,307" write themselves to the end, and "Linc.318" writes itself to the beginning of the file.
The viruses contain the text strings:
"Linc.196": Winter
"Linc.228": Autumn
"Linc.307": 'The Waxwork Crew' proudly release their first virus 'aardvark'
"Linc.318": [Sleeping]

    Copyright © 2005 Virus-Database.com