Virus Database

ZhengZhou.3584.b

Description ZhengZhou.3584.b

This is a dangerous memory resident multipartite DOS virus.
ZhengZhou.3584.b hooks INT 13h, 21h and first writes itself to the end of COM and EXE files that are executed, and to the MBR of the hard drive when infected files are executed. It then infects the boot sector of the floppy drive.
ZhenZhou.3584.b may also infect files that are accessed by FindFirst/Next FCB function (DIR command). It may also erase hard drive sectors.
ZhengZhou.3584.b does not infect the SCAN.EXE and CLEAN.EXE files, and deletes the WMSET.COM file.
ZhenZhou.3584.b contains the following text string:
wolf

Check other viruses! Be aware! Use Antiviral Software

I-Worm.Moncher

Description I-Worm.Moncher

This is an Internet worm that spreads via e-mails attached as a EXE or ZIP file. The worm itself is a Win32 executable file about 37Kb in length, and written in Visual Basic. The worm is also able to spread via IRC channels.
When the worm's EXE file is being run from an attachment or from an IRC download directory, it registers itself in the system to run each time Windows starts up, and it sends infected messages. To hide itself, the worm displays two fake messages:
INSTALL
Install complete.

ERROR!
Unable to run program!
While installing into the system, the worm copies itself to the Windows directory with the WINHLP.EXE name, creates the VBS script file "helper" OUTLOOKHELP.VBS in the same directory, and registers these files in the Windows registry auto-run section:
HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun
WinProfile = %WinDir%winhlp.exe

HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun
OutlookProfile = %WinDir%outlookhelp.vbs
where %WinDir% is the name of the Windows directory.
The first (EXE) file is the worm's main code, and the second (VBS) file is the e-mail spreading program.
When the VBS script is run, it connects to MS Outlook, obtains the addresses from the MS Outlook Address Book, and sends messages there. The message Subject, Body and Attachment appear as follows:
Subject: With Love
Body: Whit all my love for you. :)
Attach: Winhlp.exe èëè MonCherry.zip
The worm infects the mIRC client if it is installed in the C:MIRC directory. The worm writes a script to the SCRIPT.INI file in there that sends an infected WINHLP.EXE file to each user that enters the infected IRC channel.
On January 13th, the worm overwrites the C:AUTOEXEC.BAT file with a DOS batch program that will format the C: drive upon the next reboot.

I-Worm.MsWorld

Description I-Worm.MsWorld

This is email worm spreading by affecting MS Outlook. The worm itself is Win32 executable file about 130K of length. The worm is written in Visual Basic language.
When the worm file is run (double click on attached EXE file) it displays "miss World" pictures, for example:

and then runs spreading and two trojan routines.
To spread the worm uses a standard way. It connects to MS Outlook, gets up to 50 addresses from address book and sends messages to there. The messages have:
Subject: Miss World
Body: Hi, %èìÿ ïîëó÷àòåëÿ%
Enjoy the latest pictures of Miss World from various Country
The attached file has the name of original EXE file that was activated. The "original" EXE file name in which the worm was received is MSWORLD.EXE.
Next the worm appends to the end of C:AUTOEXEC.BAT file DOS batch commands that display the message:
This Everything for my Girl Friendall......, (CatEyes, KRSSL, SS Hostel)
and then format all local fixed drives.
The worm then tries to delete the system registry files and their backups:
SYSTEM.DAT, SYSTEM.DA0, USER.DAT, USER.DA0
Because .DAT these files are usually locked by system, the worm fails to delete them.
The worm then exits.

Home