Virus Database


Zamol family

Description Zamol family

These are memory-resident, partly encrypted parasitic viruses. They hook INT 21h and write themselves to the beginning of COM files and to the end of EXE files that are executed or accessed. While infecting, they temporarily rename files with the following names:
"Zamol.2024,3390,4358": ACULA.TRS
"Zamol.2153,2743": ++++++.!!!

"Zamol.2024" does not manifest itself in any way. The other viruses hook INT 8, 9, 13h, 33h (timer, keyboard, disk access, mouse) and, depending on the system date and their counters, manifest themselves with several effects: they display messages, play tunes, disable writing to the floppy drive, disable the ENTER and DEL keystrokes, overwrite the boot and MBR sectors with a program that displays a message, and intercept the login procedure and save a password.
"Zamol.2153" displays the message:
+-----------------------------+
| |
| Greetings from Timishoara ! |
| Call 040-96-113821 |
| |
+-----------------------------+

"Zamol.2743" displays the messages:
+---------------------------------+
| ZAMOLXIS VIRUS |
+---------------------------------+
| Se dedicå mortilor din DEC. 89! |
| Nu se dedicå lui Ion Iliescu! |
| Romania Timisoara 1994/am ! |
| |
+---------------------------------+
+------------------------------------+
|Liceul de Informatica Grigore Moisil|
+------------------------------------+

"Zamol.3390" displays the messages:
+---------------------------------+
| ROMANIAN 13 VIRUS |
+---------------------------------+
| Dedicate to Bosnia-Hertegovina |
| and special for romanian youngs |
| dead in "The War For Liberty". |
| Romania Timisoara 1994/am ! |
| |
| Timisoara phone : 040/096/ |
+---------------------------------+
+----------------------------------------------+
| " DRACULA`s spirit " |
| original scotch by Transilvaniaall |
| ..call "Transilvania General Import/Export" |
+----------------------------------------------+
| "RIO" soft drink ! Quality guaranted ! |
| Romania Timisoara cod 1900 Ghirlandei nr. 4 |
+----------------------------------------------+
|To everytime Whores! Call 166894 .(Taxi Bimbo)|
|----------------------------------------------|
| " Eco Tours " ! More a man dead ! ( 123450 ) |
+----------------------------------------------+

The viruses also contain the text strings:
"Zamol.2024": MS Works Virus
"Zamol.6418": MS Works Virus
THE LAST CAPTURE IS:


I-Worm.Ivalid

Description I-Worm.Ivalid

This is a dangerous worm that spreads via the Internet attached to e-mail messages. The worm itself is a Windows application about 12K in size. To spread, the worm uses SMTP and connects to the "mail.bezeqint.net" e-mail server in order to send infected messages.
The worm obtains a victim's e-mail addresses from HTML files. It searches for *.HT* files on the hard drive and looks for e-mail addresses there.
The infected messages contain the following data:
From: "Microsoft Support" [support@microsoft.com]
Subject: Invalid SSL Certificate
Attach: SSLPATCH.EXE

Message text:
Hello,
Microsoft Corporation announced that an invalid SSL certificate that web sites use is required to be installed on the user computer to use the https protocol. During the installation, the certificate causes a buffer overrun in Microsoft Internet Explorer and by that allows attackers to get access to your computer. The SSL protocol is used by many companies that require credit card or personal information so, there is a high possibility that you have this certificate installed.
To avoid of being attacked by hackers, please download and install the attached patch. It is strongly recommended to install it because almost all users have this certificate installed without their knowledge.
Have a nice day,
Microsoft Corporation
In case of an error, or when infected messages are sent, the worm encrypts all EXE files in the current and all parent directories. While encrypting, the worm uses the standard Windows crypto API.
The worm also contains the following texts in its body:
I-Worm.Invalid, Written By Dr.T/BCVG Network, 2001
The Black Cat Virii Group, 2001
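
A mail-gateway triage check built from the message indicators listed above (From address, Subject, attachment name). This is an added example, not part of the original database entry; the function names, the sample messages and the user@example.test recipient are constructed for illustration.

```python
# Added example: flag e-mail that matches the I-Worm.Ivalid message indicators.
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicator values taken from the description above (compared case-insensitively).
IVALID_FROM_ADDR = "support@microsoft.com"
IVALID_SUBJECT = "invalid ssl certificate"
IVALID_ATTACHMENT = "sslpatch.exe"

def ivalid_indicators(raw_message):
    """Return which indicators ('from', 'subject', 'attachment') one message matches."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    _, addr = parseaddr(str(msg.get("From", "")))
    if addr.lower() == IVALID_FROM_ADDR:
        hits.append("from")
    if str(msg.get("Subject", "")).strip().lower() == IVALID_SUBJECT:
        hits.append("subject")
    # Walk every MIME part so a nested attachment is still seen.
    for part in msg.walk():
        name = part.get_filename()
        if name and name.strip().lower() == IVALID_ATTACHMENT:
            hits.append("attachment")
            break
    return hits

def is_ivalid(raw_message):
    """The From header alone is weak evidence (it is forged and also used by
    unrelated mail), so require the attachment name plus one header match."""
    hits = ivalid_indicators(raw_message)
    return "attachment" in hits and len(hits) >= 2

def build_sample(subject, filename):
    """Constructed sample message; the attachment body is a 2-byte placeholder."""
    m = EmailMessage()
    m["From"] = '"Microsoft Support" <support@microsoft.com>'
    m["To"] = "user@example.test"
    m["Subject"] = subject
    m.set_content("Hello,")
    m.add_attachment(b"MZ", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for subj, fname in [("Invalid SSL Certificate", "SSLPATCH.EXE"),
                        ("Quarterly report", "report.pdf")]:
        raw = build_sample(subj, fname)
        print(subj, "->", ivalid_indicators(raw), is_ivalid(raw))
```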


    Copyright © 2005 Virus-Database.com