Virus Database

Worm.Win32.Sluter

Description Worm.Win32.Sluter
Sluter is a worm virus that spreads over Win32 networks through shared resources.
The worm is a Windows PE EXE file about 18KB in length (when compressed by UPX, the decompressed size is about 45KB). It is written in Microsoft Visual C++.
When the infected file is run the worm registers itself in the system registry auto-run key:
HKLMSoftwareMicrosoftWindowsCurrentVersionRun
superslut = { worm file name }

Next, Sluter runs its spreading routines.
The spreading routine runs up to 60 "threads" which scan port 445 at random IP addresses. When successfully connecting to a victim machine it tries to locate open resources on the remote computer and connects to them using several passwords such as:
"","admin", "root", "123", e.t.c.

If a successful connection is made the worm copies itself to the victim machine under the following names:
c$winntsystem32msslut32.exe
Admin$system32msslut32.exe

The worm then uses the WinNT remote management API to run an infected file on the remote machine.
The worm doesn't have any payload and does not manifest itself in any other way.

Check other viruses! Be aware! Use Antiviral Software

Disruptor.1129

Description Disruptor.1129

It is not a dangerous memory resident encrypted parasitic virus. It writes itself to the end of EXE files. When an infected file is executed, the virus creates and infects virus-dropping files: STARTME.EXE file in the current directory and README.EXE file in the root directory of the current drive. The virus then returns back to the host program. When STARTME.EXE or README.EXE are executed, the virus displays the message:
SYSERR1764: Not enogh memory to start this program. Try again!

It then hooks INT 21h, stays memory resident and infects EXE files that are executed.
The virus also creates the hidden ION.DAT file in the root directory of the current drive, saves its counter in there and increases this counter on each execution of infected program. If that counter reaches 120, the virus halts the computer (because of a bug this counter never reaches 120). When this counter reaches 60, the virus stays memory resident not only from droppers, but from any infected file.
The virus disables file deleting and subdirectory removing DOS calls. The virus also contains the text strings:
Sector Disruptor II 1001
SDII

Dith.1502

Description Dith.1502

It is a harmless memory resident parasitic virus. It hooks INT 21h and writes itself to the end of EXE files that are executed. The virus does not manifest itself, it contains the text string:
AL-DITH FOREVER

Home