Virus Database


Comvirus.321.a

Description Comvirus.321.a

This is a harmless, non-memory-resident parasitic virus that searches for .COM files in the current directory and appends itself to them. Upon execution, it displays: "This file infected with COMVIRUS 1.0".


I-Worm.Buzill.a

Description I-Worm.Buzill.a

Buzill is a worm that spreads via the Internet as an attachment to infected emails. The worm itself is a Windows PE EXE file about 30KB in length (there is also a known variant compressed with UPX; its compressed size is about 16KB). The Buzill worm is written in Visual Basic.
Infected messages have the following features:
The Subject field is either empty or randomly selected from the following variants:

Body text:
Here is the file I told you about. Dont tell anybody.Shhhhhhhh ;)

The Attachment file's name is randomly selected from the following variants:
gresge.exe slfklsbsklf.exe hsldnlg.exe
bsdkskshf.exe qewlwlef.exe qfdsdjl.exe
nlddoe.exe vdngdg.exe fsdhhgdd.exe
nfkrjhgr.exe lsjsdf.exe pqweopwrore.exe
wrretert.exe pjlfdg.exe nnbvcncld.exe

The worm activates from infected emails only if a user clicks on the attached file. If this action is taken the worm then installs itself to the system and runs its spreading routine and payload.
Installing
While installing, the worm copies itself to the root directory of the C: drive under a randomly selected name (see the list of possible attachment names above) and registers this file in the system registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
BuzzKill = %worm file name%

Spreading
To send infected messages the worm uses MS Outlook and sends infected messages to all the addresses found in the Outlook address book.
Payload
On February 14th the worm displays the message:
IWorm.BuzzKill
Happy Birthday Joshua!!

and proceeds to delete all the files in the root directory of the C: drive.

I-Worm.Calil

Description I-Worm.Calil

Calil is an Internet worm spreading via the Internet as an attachment to infected email messages.
The worm sends out messages with the following properties:

Subject: FW:FW: LILAC project video attach
Attachment name: LILAC_WHAT_A_WONDERFULNAME.avi
Attachment size: 12208 bytes
Message body: Things that the govt. dont want you to know

Installation
When the worm is launched on a computer for the first time, it tries to copy itself to the following hard coded locations:

c:\win98\temp\LILAC_WHAT_A_WONDERFULNAME.avi
c:\windows\temp\LILAC_WHAT_A_WONDERFULNAME.avi.exe
c:\win95\temp\LILAC_WHAT_A_WONDERFULNAME.avi.exe
c:\winnt\temp\LILAC_WHAT_A_WONDERFULNAME.avi.exe
c:\winme\temp\LILAC_WHAT_A_WONDERFULNAME.avi.exe
c:\winxp\temp\LILAC_WHAT_A_WONDERFULNAME.avi.exe

Calil launches a copy of itself automatically when Windows restarts by writing the following registry value:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Lilac=(one of the paths specified above)
Next the worm shows a fake error message:
Windows Error54: Media Player not installed correctly

Replication
The worm gets e-mail addresses from the Windows and Outlook address books, and sends infected messages to these addresses. It uses Outlook to send infected messages.
Other
Calil changes the system registered owner information by writing the following registry values:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
RegisteredOwner=xEnOcrAtEs
LegalNoticeCaption=Owned by:
LegalNoticeText=Owned by: xEnOcrAtEs
This forces Windows to show the following message when starting:
Owned by: xEnOcrAtEs
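
The message properties given above for I-Worm.Buzill.a and I-Worm.Calil can be turned into a mail-triage check. The following is an added example, not part of the original descriptions: `classify` and `build_sample` are hypothetical helper names, and the test messages it builds are constructed, not captured samples.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators copied from the descriptions on this page.
BUZILL_NAMES = {n + ".exe" for n in (
    "gresge slfklsbsklf hsldnlg bsdkskshf qewlwlef qfdsdjl nlddoe vdngdg "
    "fsdhhgdd nfkrjhgr lsjsdf pqweopwrore wrretert pjlfdg nnbvcncld").split()}
BUZILL_BODY = "Here is the file I told you about"
CALIL_SUBJECT = "FW:FW: LILAC project video attach"
CALIL_NAME = "lilac_what_a_wonderfulname.avi"
CALIL_SIZE = 12208  # bytes


def classify(raw: bytes) -> list:
    """Return indicator hits for one raw message (hypothetical helper)."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    text = msg.get_body(preferencelist=("plain",))
    body = text.get_content() if text else ""
    hits = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        size = len(part.get_payload(decode=True) or b"")
        if name in BUZILL_NAMES:
            hits.append("buzill:attachment-name")
            if BUZILL_BODY in body:
                hits.append("buzill:body-text")
        # Assumption: also match the ".avi.exe" form used for on-disk copies.
        if name in (CALIL_NAME, CALIL_NAME + ".exe"):
            hits.append("calil:attachment-name")
            if size == CALIL_SIZE:
                hits.append("calil:attachment-size")
            if subject == CALIL_SUBJECT:
                hits.append("calil:subject")
    return hits


def build_sample(subject, body, filename, payload):
    """Build a constructed test message; not a captured worm sample."""
    m = EmailMessage()
    if subject:
        m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(payload, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

A single hit on an attachment name is weak evidence on its own; the combination of name, size and subject is what makes a Calil match convincing.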

    Copyright © 2005 Virus-Database.com