Virus Database

Zombie.ZCME.16384

Description Zombie.ZCME.16384

This is a harmless non memory-resident parasitic polymorphic virus. It searches for COM files in the current directory, then writes itself to the beginning of the file. Before infecting the virus creates in the memory (by writing byte-by-byte) the text string, and then immediately erases it:
ZCME 0.01 Z0MBiE`s Code Mutation Engine (c) 1997
The main feature of this virus is its polymorphic engine - the virus is not encrypted, but it has no any constant part of code. The virus does that by "mixing" its code while infecting files: by using its internal disassembler the virus disassembles itself and copies its Assembler instruction to 16K buffer at random selected addresses. If sequential instruction are copied to different blocks of buffer, to "link" them the virus uses Assembler instruction JMP. The virus then fixes addresses of Jump-by-condition (Jcc) instructions and subroutine CALLs. The virus also randomly inserts "do-nothing" NOP instruction in its code. As a result, 1346 bytes of actual virus code are randomly placed within 16K buffer.
See also Ply and TMC viruses.

Check other viruses! Be aware! Use Antiviral Software

I-Worm.SSIWG

Description I-Worm.SSIWG

This is "LoveLetter" -like Internet worm spreading via e-mail by sending infected messages from infected computers. While spreading, the worm uses MS Outlook and sends itself to all addresses that are stored in the MS Outlook Address Book.
The known worm version has a mistake (one instruction is mistyped), and the worm is not able to spread its copies via e-mail messages. In addition to this, the mistake may be easily fixed, and the worm will be able to spread.
The worm is able to propagate through a local network. To do this, the worm enumerates network resources and copies itself to there. The worm is not able to activate itself on a remote computer, and infects it only in case the worm copy is occasionally run by a user.
The worm itself is a VBS script program.
The worm arrives as an e-mail message with:
Subject: I'am missing U
Message body: Could u remember me ?
Attachment name: Y072QWV.VBS
Upon being activated by a user, the worm copies itself to the Windows system directory with the same name (Y072QWV.VBS) and registers this copy in the auto-run section in the system registry:
HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun"Y072QWV" = %Windir%Y072QWV.VBS
where "Windir" is the name of Windows system directory.
The worm then spreads through a local network by copying its "Y072QWV.VBS" file to the root directory on drives shared for writing.
To send infected messages, the worm connects to MS Outlook, obtains all addresses from the address book and sends to there its messages (the subject, body and attachment name are the same as listed above).
Because the worm registers itself in the auto-run registry section, it is activated upon each Windows boot-up, but it does not spread by e-mail messages each time it is run. The worm has a counter that is stored in the Windows registry:
HKEY_LOCAL_MACHINE "Y072QWV" = number
where "number" is the number of starts (upon each start, the worm increases this counter). When the counter reaches 20, the worm resets it to zero and then runs an Outlook infection routine. Otherwise, the worm skips it.
As a result, the worm sends infected messages only upon the first run (being activated from an infected message), and upon each 20th reboot. The local network spreading routine is activated each time the worm starts.
The worm has a feature that makes its detection a little bit more difficult. All text strings in the worm code are slightly encrypted, and in case of need, the worm decrypts and uses them.

I-Worm.Staple

Description I-Worm.Staple

This is Internet worm that spreads via E-mail by sending infected messages from affected computers. While spreading the worm uses MS Outlook and sends itself to addresses that are stored in MS Outlook Address Book.
The worm arrives on computer as email message with attached VBS file, that is worm itself. The message in original worm version has:
The Subject: RE:Injustice
Message body:
Dear [address],
Did you send the attached message, I was not expecting
this from you!
Attached file name: injustice.TXT.vbs
Being activated by a user (by double click on attached file) the worm opens MS Outlook, gets access to the Address Book, gets up to 50 addresses from each adresslist and sends messages with its attached copy to all of them. The message subject, body and attached file name are the same as above.
Additionaly, each time worm activated it sends infected messages to 25 addresses, that are specified inside worm body.
To prevent duplicate sending of infected messages to the same addresses, the worm marks each address used.
After all the worm opens six Internet Explorer windows with different links and also displays message:
HELP US TO STOP THE BLOOD SHED!!
PLEASE ACCEPT MY APOLOGIES FOR DISTURBING YOU.
Remember that one day YOU may be in this situation.
We need every possible help.
Israeli soldiers killed in cold blood 12 year old Palestinian child
Mohammad Al-Durra, as his father tried to protect him in vain with
his own body. As a result of the indiscriminate and excessive use of
machine gun fire by Israeli soldiers, journalists and bystanders
watched helplessly as the child was savagely murdered.
Palestinian Red Crescent Society medic Bassam Balbeisi
attempted to intervene and spare the child's life but live
ammunition to his chest by Israeli fire took his life in the process.
The child and the medic were grotesquely murdered in cold blood.
Mohammad's father, Jamal, was critically injured and permanently
paralyzed. Similarly, approximately 40 children were slain, without
the media taking notice or covering these tragedies.
THESE CRIMINAL ACTS CANNOT BE FORGIVEN OR FORGOTTEN!!!!

Home