Virus Database


DHeart Family

Description DHeart Family

These are non-dangerous, non-memory-resident parasitic viruses. They search for executable files (using the internal masks "*.com" or "*.exe") and append themselves to the end of each file. After infection they display messages.
"DHeart.452" infects EXE files and displays double hearts (ASCII 03h).
"DHeart.649" infects .COM files except IBMBIO.COM and IBMDOS.COM. Depending on its internal counter, it decrypts and displays the message:
From Russia with love!


I-Worm.Magold.a

Description I-Worm.Magold.a

This worm spreads via the Internet as an attachment to infected emails. It also spreads via IRC channels, local and file sharing networks. The worm is able to spread in WinNT systems only (WinNT, Win2000, WinXP).
The worm itself is a Windows PE EXE file approximately 241Kb in size. It is compressed using UPX; the decompressed file is approximately 650KB in size. It is written in Borland C++.
Installation
When installing, the worm copies itself to the Windows directory under the names "raVe.exe" and "Maya Gold.scr". It then registers these files in the system registry to ensure that they are run each time the system is started:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
raVe = %WinDir%\raVe.exe
[HKLM\SOFTWARE\Classes\exefile\shell\open\command]
@=%WinDir%\raVe.exe "%1" %*"
[HKLM\SOFTWARE\Classes\comfile\shell\open\command]
@=%WinDir%\raVe.exe "%1" %*"
[HKLM\SOFTWARE\Classes\batfile\shell\open\command]
@=%WinDir%\raVe.exe "%1" %*"
[HKLM\SOFTWARE\Classes\piffile\shell\open\command]
@=%WinDir%\raVe.exe "%1" %*"
[HKLM\SOFTWARE\Classes\scrfile\shell\open\command]
@=%WinDir%\raVe.exe "%1" %*"
The worm also creates a subdirectory "raVe" in the Windows directory and copies itself there under the name "Maya Gold.scr". This directory is then registered in the system registry as a Kazaa shared folder:
[HKCU\Software\Kazaa\Transfer]
DlDir0 = %WinDir%\raVe
This enables the worm to spread via the Kazaa P2P file-sharing network.
The worm also creates three registry keys for its own use:
[HKLM\Software\raVe]
beepul
halozat
irc
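A defender's check for the file-handler redirection listed above, as an added example (not part of the original description): it parses a registry export, flags file-class open commands that do not start with "%1", and reports Run values that launch the same binary. The sample export, its paths and the function names are constructed for illustration, and the "%1" baseline is an assumption.

```python
import re

# File classes the page lists as redirected. Baseline (assumption): a healthy
# open command for these classes starts with "%1", i.e. the file runs itself.
HANDLER_CLASSES = {"exefile", "comfile", "batfile", "piffile", "scrfile"}
HANDLER_RE = re.compile(
    r"^hkey_local_machine\\software\\classes\\(\w+)\\shell\\open\\command$")
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

# Constructed sample export (not captured from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"raVe"="C:\\WINDOWS\\raVe.exe"
"Audio"="C:\\WINDOWS\\system32\\audio.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="C:\\WINDOWS\\raVe.exe \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\shell\open\command]
@="\"%1\" %*"
'''

def unescape(s):
    return re.sub(r"\\(.)", r"\1", s)   # .reg escapes: \\ and \"

def parse_reg(text):
    """Yield (key, value_name, data) for REG_SZ values in a .reg export."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            name = "@" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
            yield key, name, unescape(m.group(2))

def find_hijacks(reg_text):
    values, findings, targets = list(parse_reg(reg_text)), [], set()
    for key, name, data in values:
        m = HANDLER_RE.match(key.lower())
        if (m and m.group(1) in HANDLER_CLASSES and name == "@"
                and not data.lstrip().startswith('"%1"')):
            findings.append(("handler-hijack", m.group(1), data))
            targets.add(data.split('"%1"')[0].strip(' "').lower())
    for key, name, data in values:   # Run values launching the same binary
        if key.lower() == RUN_KEY and any(t and t in data.lower() for t in targets):
            findings.append(("run-persistence", name, data))
    return findings

if __name__ == "__main__":
    for finding in find_hijacks(SAMPLE):
        print(finding)
```

Registry Editor exports are UTF-16 text, so decode the file before passing its contents to find_hijacks.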
The worm then displays a fake error message:

Propagation via email
To send infected messages, the worm connects directly to the default SMTP server. The worm harvests email addresses from the WAB (Windows Address Book) database and from *.HTML files.
Infected messages:
From:
erotika@lap.hu
Subject:
Maya Gold-os kepernyokimelo!
Attachment:
Maya Gold.scr
Message body (original in Hungarian):
Tisztelt cím!
Az EROTIKA.LAP.HU nézettségének növelése érdekében egy kis ízelítőt kíván adni kínálatából az Internet felhasználóknak!
FIGYELEM: A 'Maya Gold.scr' nevű csatolt állomány egy képernyővédő. Mint a neve is mutatja Maya Gold pornószínésznőről tartalmaz különböző képeket. Az állományt ajánlott előbb a lemezre menteni, majd utána futtatni.
Amennyiben valami problémája, kérdése van, írjon a következő címre: erotika@lap.hu
Üdvözlettel: EROTIKA.LAP.HU
Translation:
Dear Recipient!
The EROTIKA.LAP.HU website is providing Internet users with a preview of its offerings, in the hope of increasing its popularity.
Attention: The attached "Maya Gold.scr" file is a screen saver. As the name implies, it contains pictures of Maya Gold, the acclaimed porn diva.
It is recommended to save the file to disk before running it.
If you have any problems or questions, please contact us at:
erotika@lap.hu
Best Wishes: EROTIKA.LAP.HU
The worm is only activated when a user opens the attachment by clicking on it. The worm then installs itself to the system and starts propagating.
Propagation via networked and floppy drives
The worm copies itself to shared network drives. To ensure that the copy will run on the remote victim machine, the worm writes an auto-start command to the "Autorun.inf" file on the victim machine:
open=Maya Gold.scr
The worm also copies itself under the name "Maya Gold.scr" to the A: floppy drive.
Propagation via IRC
The worm affects two IRC clients and writes script files to their directories. These scripts send a copy of the worm file to users that join infected IRC channels. The affected IRC clients and script file names are:
mIRC - script.ini
Pirch - events.ini
Propagation via file sharing networks
The worm affects the following P2P networks:
Bearshare
Edonkey
Gnucleus
Grokster
Kazaa
Limewire
Morpheus
Shareaza
The worm copies itself to these networks under the name "Maya Gold.scr".
The worm also copies itself to the "ICQ\Shared Folder".
Other
The worm downloads and runs upgrades from "ftp.fw.hu".
The worm may open the site "http://www.offspring.com".
The worm searches for and terminates active anti-virus processes.
At a certain stage after being activated, the worm:
changes the colour of active application windows
prevents the mouse cursor from reaching the top of the screen (blocks it)
creates numerous empty "raVe%%%.txt" files on the Desktop
changes the header of the active application window to:
=:-) OFFSPRING is coOL =:-) PUNK'S NOT DEAD =:-)
sends the following text to the printer:
SEGITS NEKEM!!!
En a nyomtato vagyok, es arra szeretnelek megkerni, hogy beszelj mar a Windows-zal, mert ez mar nem allapot!!
Allandoan a hulye kerdeseivel, kereseivel zaklat, 'Van meg lapod?', 'Tudsz szinesen nyomtatni?', 'Ezt most fektetve szeretnem!', 'Keszen allsz mar?'.
Gondolom te is egyetertesz velem, hogy ez igy nem mehet tovabb! Valamit tenni kell!
UDVOZLETTEL MEGERTO ES SEGITOKESZ BARATOD: A NYOMTATO
PUNK'S NOT DEAD
=:-)
=:-)
=:-)
The smileys are repeated to the bottom of the page. The Hungarian text is a complaint about the low quality and problems of printer implementation in Microsoft Windows.
The worm contains the text string:
AZERT SEM KOSZONOK BE BE BE! SOT! EBBEN SINCS KOSZONET! --- raVe-1-- areWera

I-Worm.Maldal

Description I-Worm.Maldal

This is a dangerous virus-worm that spreads via the Internet attached to infected e-mails. It installs another Internet worm: I-Worm.Maldal. The worm also creates destructive payloads.
The worm itself is a Windows PE EXE file about 36.5K in length, and is written in Visual Basic 5.
The infected messages contain:

The worm is activated from an infected e-mail only when a user clicks on the attached file. The worm then installs itself to the system, runs its spreading routine and payload. It displays the following picture only once:

Installation
While installing, the worm copies itself to the Windows system directory with the name "Christmas.exe" and registers this file in the system registry auto-run key.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Zacker = <windir>\Christmas.exe
Spreading via E-mail
To send infected messages, the worm uses MS Outlook, and sends messages to all addresses found in the Outlook address book.
Installation of the other worm
The worm changes the Internet Explorer start page to: http://geocities.com/jobreee/ZaCker.htm*
This HTM file contains another Internet worm: VBS.Kerza that will be run after Internet Explorer has been started.
Destructive payload
The worm blocks the keyboard and tries to delete all files in the Windows System directory.
*WARNING: DO NOT USE THIS LINK!

    Copyright © 2005 Virus-Database.com