Virus Database

Constructor.Macro.Word.Cvck

Description Constructor.Macro.Word.Cvck
This is a CVCK-based virus. It contains 11 macros: AutoExec, AutoOpen, Action, Action2, stdClose, HelpAbout, Organizer, ActionDate, ToolsMacro ( Ñ+ ), FileTemplates, and ToolsCustomize.
It infects the global macros area upon the opening of an infected document, and is written to documents upon closing.
On the 11th and 31st, it displays DialogBoxes, and upon entering the Tools/Macro and File/Templates menus, it displays the following:
Chicken say all......
[pox-poX-pOX-POX-POx-Pox-pox]
Hello there......., this command was blocked by Chicken Pox Macro Virii
This is sample from Our Generator Virii, we named our generator CVCK V0.2.
It's very user friendly !, try it ! This Virii is not Dangerous !, If you
want try our CVCK V0.2 email Us on "nomercy12@hotmail.com"

Cvck.b
This is a CVCK-based virus. It contains six macros: AutoExec, AutoOpen, Action, Stealth, StlhClose, and ActionDate. In NORMAL.DOT, the virus has three additional macros: ToolsMacro, ToolsCustomize, and FileTemplates.
It infects the global macros area upon opening an infected document, and it is written to documents upon closing.
Upon entering the Tools/Macro and File/Templates menus, the virus erases files in the C:WINDOWS directory. On Fridays, it erases the text in the current document.
Cvck.c
This is a CVCK-based virus. It contains six macros: AutoExec, AutoOpen, Action, Stealth, StlhClose, and ActionDate. In NORMAL.DOT, the virus has three additional macros: ToolsMacro, ToolsCustomize, and FileTemplates.
On the 13th of any month, it displays the DialogBox:
Visit NoMercy WEB PAGE !

http://www.geocities.com/ReseachTriangle/3996
Welcome Again buddy!. It's nice create a Virus, why you don't try?
Like always, We made new If Our Macro Viruses was detectable by famouse AV
Visit http://www.geocities.com/ReseachTriangle/3996 for know newest
Macro Virus from Us and Indonesian Macro Virus!

The virus also contains the comments:
--------------------------------------------
Created using CVCK v.01 b
(C)CrazybitS 1997, Yogyakarta, Indonesia
--------------------------------------------
greeting to
-Cicatrix major collector
-D.Giovanni
-All Macro virii creator
-You that has seen the decription macro

Cvck.d
This is a CVCK-based virus. It contains ten macros: AutoExec, AutoOpen, Action, stdClose, FilePrint, ActionDate, ToolsMacro, EditAutoText, FileTemplates, and FilePrintDefault.
On the 1st and 13th of any month, it erases the text in the current document, and displays the following DialogBox:
You have fOX'Z in your computer !
Hey, No body can use Microsoft Word Today !!
Yogyakarta, Indonesia by :
Fox'z,

On printing a document the virus inserts the text:
Try to print tomorrow buddy , today your computer want rest (today is a
holiday?) --Foxz--

Check other viruses! Be aware! Use Antiviral Software

I-Worm.NetSky.c

Description I-Worm.NetSky.c
This worm spreads via the Internet as a file attached to infected messages. The worm itself is a PE EXE file of approximately 23KB, packed using Petite. The unpacked file is approximately 39KB in size.
Several other versions of this worm exist, and these were packed using ASPack and other utilities. However, this version packed using Petite is the only one which has managed to propagate.
Installation
The worm copies itself to the Windows directory under the name winlogon.exe and registers this file in the system registry auto-run key:
[HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun]
"ICQ Net" = "%windir%winlogon.exe -stealth"
The worm also creates a unique mutex [SkyNet.cz]SystemsMutex to flag its presence in memory. The worm creates copies of itself in all sub-directories on disks C: to Z: which have the word shar in their names. The copies are saved under names from the following list:
1000 Sex and more.rtf.exe
3D Studio Max 3dsmax.exe
ACDSee 9.exe
Adobe Photoshop 9 full.exe
Adobe Premiere 9.exe
Ahead Nero 7.exe
Best Matrix Screensaver.scr
Clone DVD 5.exe
Cracks & Warez Archive.exe
Dark Angels.pif
Dictionary English - France.doc.exe
DivX 7.0 final.exe
Doom 3 Beta.exe
E-Book Archive.rtf.exe
Full album.mp3.pif
Gimp 1.5 Full with Key.exe
How to hack.doc.exe
IE58.1 full setup.exe
Keygen 4 all appz.exe
Learn Programming.doc.exe
Lightwave SE Update.exe
Magix Video Deluxe 4.exe
Microsoft Office 2003 Crack.exe
Microsoft WinXP Crack.exe
MS Service Pack 5.exe
Norton Antivirus 2004.exe
Opera.exe
Partitionsmagic 9.0.exe
Porno Screensaver.scr
RFC Basics Full Edition.doc.exe
Screensaver.scr
Serials.txt.exe
Smashing the stack.rtf.exe
Star Office 8.exe
Teen Porn 16.jpg.pif
The Sims 3 crack.exe
Ulead Keygen.exe
Virii Sourcecode.scr
Visual Studio Net Crack.exe
Win Longhorn Beta.exe
WinAmp 12 full.exe
Windows Sourcecode.doc.exe
WinXP eBook.doc.exe
XXX hardcore pic.jpg.exe
The worm also creates several copies in zip format.
Propagation
The worm searches for files with extensions from the following list:
adb
asp
cgi
dbx
dhtm
doc
eml
htm
html
msg
oft
php
pl
rtf
sht
shtm
tbb
txt
uin
vbs
wab
harvests email addresses from these files, and sends a copy of itself to these addresses. The worm uses its own SMTP library to send messages, and attempts to establish a direct connection to the message recipient's server. If this attempt is unsuccessful, the worm attempts to send the message via one of the servers defined in the worm's code:
145.253.2.171
151.189.13.35
193.141.40.42
193.189.244.205
193.193.144.12
193.193.158.10
194.25.2.129
194.25.2.130
194.25.2.131
194.25.2.132
194.25.2.133
194.25.2.134
195.185.185.195
195.20.224.234
212.185.252.136
212.185.252.73
212.185.253.70
212.44.160.8
212.7.128.162
212.7.128.165
213.191.74.19
217.5.97.137
62.155.255.16
Infected messages:
Infected messages have the following characteristics, chosen at random from the options below:
Message header:
believe me
dear
Delivery Failed
denied!
error
exception
excuse me
fake?
good morning
hello
Here is it
hey
hi
illegalall
I'm back!
important
info
its me
last chance!
lol
moin
notice!
notification
private?
question
Question
re:
Re: <5664ddff?$???2>
Re: does it?
Re: does it?
Re: excuse me
Re: hello
Re: hey
Re: hi
Re: important
Re: information
Re: Re: Re: Re:
Re: unknown
read it immediatelly
report
something for you
Status
stolen
take it
trust me
warning
what's up?
Yep
you?
or the message header is left blank.
Message body:
<<<FAILURE>>>
<...>
<ANTISPAM complete>
<ATTACHMENT 34933920 Signature>
<ATTACHMENT Poland from>
<AUTOMAILER>
<CLICK decrypt to attachment the>
<DELIVER Error>
<FAILED available message>
<MAIL failed>
<MESSAGE Error>
<NULL>
<SERVER Error>
<TRANSFER complete>
*lol*
;-)
?
09580985869gj
a crazy doc about you
abuse?
account?
already?
another pic, have fun! ... :->
Antispam is turned off. See file!
are you a photographer?
are you a teacherin the picture?
are you cranky?
are you the naked one?
are you the naked person!
are you the one?
Attached Msg
attachi#
Authentification required. Read the att...
bad gateway
be mad?
best?
bob the builder
child or adult?
child porn?
classroom test of you?
copyright?
correct it!
did you ask me for that?
did you know from this document?
did you know that?
did you see her already?
did you sent it to me?
do not give up!
do not open the attachment!
do not show this anyone!
do not use my document!
do not visit the pages on the list I se...
do you have an orgasm in the picture?
do you have sex in the picture?
do you have the bug also?
do you have?
do you know the thief?
do you know this????
do you think so?
doc about me?
doc?
docs?
does it belong to you?
does it belong to you?
does it match?
does it matter?
drugs? ...
excellent!
explain!
fast food...
feel free to use it
File is bad.
File is damaged.
File is self-decryting.
forgotten?
from the chatter (my photo!)
from your lover ;-)
gonna?
good work!
great job!
great xxx!
great!
greetings
help attached
her.
here is it.
here is my advice
here is my photo!
here is the $%%454$
here is the <CENSORED>
here is the document.
here is the next one!
here is yours!
here, the cheats
here, the introduction
here, the serials
how?
i am desperate
i am speachless about your document!
I don't know your document!
i don't think so.
i don't want your xxx pics!
i found that about you!
i found this document about you.
i have received this.
I have your password!
i hope thats not true!
i know your document!
i like your doc!
i lost that
i need you!
i saw you last week!
I 've found your bill!
I wait for an answer!
i wait for your comment about it.
i want more...
illegal st. of you?
important?
in your mind?
incest?
information about you?
Instant patches
instruct me about this!
is that criminal?
is that possible?
is that the reality?
is that true?
is that your account?
is that your account?
is that your attachment?
is that your beast?
is that your car?
is that your car?
is that your cd?
is that your creditcard?
is that your domain?
is that your family?
is that your finger?
is that your message?
is that your name?
is that your photo?
is that your porn pic?
is that your privacy?
is that your slip?
is that your TAN?
is that your website?
is that your wife?
is that your work?
is that yours?
is the pic a fake?
is this information about you?
it's a secret!
its private from me
it's so similar as yours!
i've found it about you
kill him on the picture!
kill the writer of this document!
let it!
lets talk about it!
Login required! Read the attachment!
love letter?
man or women?
meaning of that?
message?
Microsoft
misc. and so on. see you!
modifications?
money?
msg
my advice....
never!
new patch is available!
ok...
old photos about you?
only encrypted!
pages?
personal message!
picture?
poor quality!
possible?
pretty pic about you?
pwd?
read it immediately!
read the details.
really?
reply
scanned by norton antivirus
schoolfriend?
see this!
see your name!
solve the problem!
something about you!
something is going ...
something is going wrong!
something is not ok
stuff about you?
such as yours?
take it easy!
tell me more about your document!
test it
that is interesting...
that's a funny text.
that's not the truth?
thats wrong!
the information is wrong!
the truth?
this file is bad!
this is an attachment message!
this is nothing for kids!
time to fear?
Transaction failed. Show the doc!
trial?
try this patch!
Warning from the Government
what do you think about it?
what means that?
what still?
what?
who?
why should I?
why?
wrong calculation! (see the attachment!...
xxx ?
xxx about you?
xxx service
yes.
you are a bad writer
you are bad
You are infected. Read the details!
you are naked in this document!
you are sexy in this doc!
you cannot hide yourself! (see photo)
you earn money, see the attachment!
you feel the same.
you have a sexy body in the pic!
you have done a mistake in the document...
you have tried to steal!
you look like an ape!
you look like an rat?
you won the rk!
your account is expired!
your are naked?
your attachment? verify it.
Your bill.
your body?
your design is not good!
your document is not good
your document is silly!
your eyes?
your face?
your hero in the picture?
your icq number?
your job? (I found that!)
your lie is going around the world!
your name is wrong!
your personal record?
your photo is poor
Your provider will be disabled!
your TAN number?
yours?
or the message body will be left blank.
Attachment:
aboutyou
associal
attach2
attachment
auction
bill
birth
card
class_photos
concert
creditcard
death
description
dinner
disco
doc
doc_ang
document
final
found
freaky
friend
id
image
important
incest
information
injection
intimate stuff
jokes
letter
location
mail2
mails
masturbation
material
me
message
misc
moonlight
more
msg
msg2
music
myaunt
mydate
naked1
naked2
news
nomoney
note
nothing
number_phone
object
old_photos
part2
party
paypal
pic
portmoney
poster
posting
privacy
product
ps
ranking
regards
regid
release
response
schock
secrets
sexual
sexy
shower
story
stuff
swimmingpool
talk
tear
textfile
topseller
transfer
trash
undefinied
unfolds
update
violence
visa
warez
webcam
website
wife
word_doc
worker
your_stuff
yours
yours
The attached file will have one of the following extensions:
doc
htm
rtf
txt
or a double extension. In this case, the second extension will be one of the following:
com
exe
scr
pif
The worm also sends itself as a Zip file.
Other
The worm deletes the following keys from the Windows system directory:
DELETE ME
Explorer
KasperskyAV
msgsvr32
Sentry
service
System.
Taskmon
Windows Services Host
Windows Services Host

HKCRCLSID{E6FB5E20-DE35-11CF-9C87-00AA005127ED}InProcServer32
HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerPINF
HKLMSystemCurrentControlSetServicesWksPatch
and the following key values:
au.exe
d3dupdate.exe
OLE
If the local system date shows 27th February or later, and the local system time shows between 6am and 9am, the worm attempts to emit sounds using the system speakers.

I-Worm.NetSky.d

Description I-Worm.NetSky.d
This worm spreads via the Internet as a file attached to infected messages.
The worm is a Windows PE EXE file, of approximately 17424 bytes, written in Microsoft Visual C++. It is packed using Petite. The unpacked file is approximately 27KB in size.
Infected messages
Message header, chosen at random from the list below:
Re: Approved
Re: Re: Excel file
Re: Hello
Re: Here
Re: Here is the document
Re: Hi
Re: My Re: Re: Document
Re: Re: Message
Re: Re: Re: Your document
Re: Re: Thanks!
Re: Thanks!
Re: Word file
Re: Your archive
Re: Your bill
Re: Your Re: Your document
Re: Your letter
Re: Your music
Re: Your picture
Re: Your product
Re: Your software
Re: Your text
Re: Your website
Message body, chosen at random from the list below:
Here is the file.
Please have a look at the attached file
Please read the attached file.
See the attached file for details.
Your document is attached.
Your file is attached.
Attachment name, chosen at random from the list below:
all_document.pif
application.pif
document.pif
document_4351.pif
document_excel.pif
document_full.pif
document_word.pif
message_details.pif
message_part2.pif
mp3music.pif
my_details.pif
your_archive.pif
your_bill.pif
your_details.pif
your_document.pif
your_file.pif
your_letter.pif
your_product.pif
your_text.pif
your_website.pif
yours.pif
The worm is activated only if the user executes the infected file by double clicking on the attachment. The worm then installs itself to the system, and starts propagating.
Installation
When installing, the worm copies itself to the Windows directory under the name winlogon.exe and registers this file in the system registry auto-run key:
[HKLMSoftwareMicrosoftWindowsCurrentVersionRun]
Sending messages
To harvest email addresses, the worm searches for files with the following extensions:
adb
asp
dbx
doc
eml
htm
html
msg
oft
php
pl
rtf
sht
tbb
txt
uin
vbs
wab
and sends a copy of itself to all addresses found in these files. The worm uses its own SMTP engine to send messages.
It attempts to send itself via the following SMTP servers:
145.253.2.171
151.189.13.35
193.141.40.42
193.189.244.205
193.193.144.12
193.193.158.10
194.25.2.129
194.25.2.129
194.25.2.130
194.25.2.131
194.25.2.132
194.25.2.133
194.25.2.134
195.185.185.195
195.20.224.234
212.185.252.136
212.185.252.73
212.185.253.70
212.44.160.8
212.7.128.162
212.7.128.165
213.191.74.19
217.5.97.137
62.155.255.16
Deletion of Mydoom
In a similar way to several other worms, Netsky.d is programmed to delete Mydoom from the infected machine. It searches the following branches of the system registry for the Explorer and Taskmon keys:
[HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun]
[HKCUSOFTWAREMicrosoftWindowsCurrentVersionRun]
and also deletes the following key:
[HKCRCLSID{E6FB5E20-DE35-11CF-9C87-00AA005127ED}InProcServer32]
Other
The worm deletes the keys KasperskyAv and system from the system registry.

Home