Prevent Online Threats

Archive for November, 2008

ITS.1531

Sunday, November 30th, 2008

This is a non-dangerous memory-resident parasitic virus. It hooks INT 21h and writes itself to the beginning of DOS COM and EXE files as they are executed; a further block of virus code is appended to the end of the file. While infecting, the virus encrypts the body of the host file.
The virus also hooks INT 9 (the keyboard interrupt) and, when Ctrl-Alt-Del is pressed, displays the following message in red:
+----------------------------+
|                            |
|     ILSANT & Tjiong S      |
|         DESTROYER          |
|                            |
|      (c) Mad Computerz     |
|                            |
+----------------------------+

Ithaqua.8030

Sunday, November 30th, 2008

This is a dangerous memory-resident multipartite polymorphic virus. It infects the MBR of the hard drive and COM and EXE files as they are executed. When infecting the MBR the virus encrypts the sector's original contents, so running FDISK /MBR afterwards destroys the original MBR data instead of restoring it. The virus also uses anti-debugging tricks, and it is polymorphic both in files and in the infected MBR sector. It has many bugs and often corrupts files and the MBR while infecting them.
The virus uses fairly complex infection methods that differ between DOS versions. Under DOS 7+ (Windows 9x) the virus infects EXE files only and does not touch the MBR or COM files at all. It encrypts itself with 512 bytes of polymorphic code and writes the result to the end of the file, so infected EXE files grow by 8542 bytes.
Under DOS 6 and lower the virus infects COM files as well as EXE files, and infects the MBR when an infected file is run for the first time. When infecting an EXE file the virus looks for a "cave" (a run of constant data) 8030 bytes long and writes itself there if one is found; in that case the file length does not change. COM files are infected by appending the virus to the end of the file. To gain control when the infected file is executed, the virus either uses the standard method (writing a JMP_Virus instruction into the file header) or loads the file, emulates it (executes the file's code) for some time and then writes the JMP_Virus instruction somewhere in the middle of the file. In the second case the virus encrypts itself with a simple XOR loop instead of running its polymorphic engine, and the file grows by exactly 8030 bytes.
Under DOS 6 the virus also uses its emulator (virtual execution routine) to locate the address of the INT 21h DOS handler and patches it with a JMP_Virus_Handler instruction.
On April 29th the virus manifests itself with a video effect: it switches the display into a graphics video mode and shows the text:
[Ithaqua] virus by Wintermute/29A

and then covers the text with "falling snow".
The virus also contains the text strings:
I’m Ithaqua,all that who walks over the wind
Welcome to my world, adventurer. Follow me.
Love. Hate. I’ll be awaiting you on the dark side, watching the nonsense.
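The cave search described above (an 8030-byte run of constant data inside the EXE, so the file can host the virus without growing) is easy to check for from the analyst's side. The following is an added example, not code from the page or from the virus: it finds runs of a single repeated byte in a file, parses the MZ header so that only caves inside the load image count for EXEs, and builds a constructed sample EXE to run against. The header layout is the documented DOS MZ format; the sample file is synthetic and the minimum cave size is taken from the description.

```python
import struct

# Cave size the description says Ithaqua.8030 needs (its own length).
ITHAQUA_CAVE = 8030


def find_caves(data: bytes, min_len: int):
    """Return [(offset, length, byte_value)] for every run of one repeated
    byte that is at least min_len bytes long. Single linear pass."""
    caves = []
    i, n = 0, len(data)
    while i < n:
        j = i + 1
        while j < n and data[j] == data[i]:
            j += 1
        if j - i >= min_len:
            caves.append((i, j - i, data[i]))
        i = j
    return caves


def mz_load_image(data: bytes):
    """Return (start, end) of a DOS MZ EXE's load image within the file, or
    None when there is no MZ header. e_cblp/e_cp give the image size in
    512-byte pages, e_cparhdr the header size in 16-byte paragraphs."""
    if len(data) < 0x1C or data[:2] not in (b"MZ", b"ZM"):
        return None
    e_cblp, e_cp = struct.unpack_from("<HH", data, 2)
    (e_cparhdr,) = struct.unpack_from("<H", data, 8)
    total = e_cp * 512 - ((512 - e_cblp) if e_cblp else 0)
    return e_cparhdr * 16, min(total, len(data))


def usable_caves(data: bytes, size: int = ITHAQUA_CAVE):
    """Caves an in-place infector could overwrite without changing the file
    length: at least `size` bytes and entirely inside the load image (for
    MZ EXEs) or inside the file (for COM files, which have no header)."""
    rng = mz_load_image(data)
    lo, hi = rng if rng else (0, len(data))
    return [c for c in find_caves(data, size) if c[0] >= lo and c[0] + c[1] <= hi]


def build_sample_exe() -> bytes:
    """Constructed sample, not a real program: a 32-byte MZ header, 100 NOPs,
    a 9000-byte zero-filled data area and 50 bytes of varying data."""
    body = b"\x90" * 100 + b"\x00" * 9000 + bytes(range(1, 51))
    total = 32 + len(body)
    e_cblp, e_cp = total % 512, (total + 511) // 512
    # e_cblp, e_cp, e_crlc=0, e_cparhdr=2 (32-byte header), rest zero
    header = b"MZ" + struct.pack("<HHHH", e_cblp, e_cp, 0, 2) + b"\x00" * 22
    return header + body


if __name__ == "__main__":
    sample = build_sample_exe()
    print("load image:", mz_load_image(sample))
    for off, ln, b in usable_caves(sample):
        print(f"cave at 0x{off:x}, {ln} bytes of 0x{b:02x}")
```

Run it over a directory of DOS binaries to see how many would have been infected silently (length unchanged) versus by appending; anything with a large enough cave is also a file where a length-based integrity check would have missed the infection.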

Itavir.3187

Sunday, November 30th, 2008

This is a very dangerous non-memory-resident parasitic virus. It scans the subdirectory tree and writes itself to the end of the .EXE files it finds. While scanning and infecting, the virus uses absolute disk INT 25h/26h calls and the DOS Create File and Rename File functions, and it sets the attributes of infected files to 60h. In some cases the virus erases the disks. The virus also contains the texts:
Zione rada
?OMMAND COM
per questa voltaall……
…….AHI..AHI..AHI…….
Ho proprio l`impressione di essere un Virus
Maligno,……
Molto maligno (naturalmente)
Non vi rimane che da azionare l`interruttore
AUGURI!!!…………………

Italian.578

Sunday, November 30th, 2008

This is a dangerous memory-resident parasitic virus. It hooks INT 21h and writes itself to the end of COM files as they are executed. In April it displays the following message:
_ ITALY IS THE BEST COUNTRY IN THE WORLD _

and erases disk sectors. It also contains the text:
Fucks to Italian Virus Killers

Istanbul Family

Sunday, November 30th, 2008

These are harmless (except "Istanbul.1367") memory-resident parasitic viruses. They hook INT 21h and write themselves to the end of COM and EXE files as they are executed. Depending on the system date they disinfect the host file. Depending on the system date "Istanbul.1312" also beeps through the PC speaker. They contain the text strings:
"Istanbul.1312": Written in the city of Istanbul (c)1993
Installed
"Istanbul.1349": Anti-Virus?? Written in the city of Istanbul (c)1993
"Istanbul.1367": Written in the city of Istanbul (c)1994 by REUIUKRGT

"Istanbul.1367" is a dangerous virus. It deletes the files: X.EXE, CIV.EXE, CìV.EXE, WOLF3D.EXE, RETAL.00, RETAL.01, SUP.EXE, TIM.EXE, TìM.EXE, PRE2.EXE, BIRTH0.PIC, DISCOVR1.PAL, ICONPG1.PAL, YEAGER.EXE, LHX.EXE, JF.EXE.

IronMaiden.891

Sunday, November 30th, 2008

This is a non-dangerous non-memory-resident parasitic virus. It searches for COM files and writes itself to the end of each file. On a June 6th that falls on a Saturday (6th month, 6th day of the month and, since DOS counts Sunday as day 0, 6th day of the week) the virus decrypts and displays the message:
Won’t you come into my room,
I wanna show you all my wares,
I just want to see your blood,
I just want to stand and stare.
See the blood begins to flow,
As it falls upon the floor,
Iron Maiden can’t be fought,
Iron Maiden can’t be sought.
Oh well,wherever,wherever you are,
Iron Maiden’s gonna get you
No matter how far.
See the blood flow
Watching it shed,
Up above my head,
Iron Maiden wants you dead.

IronMaiden

Saturday, November 29th, 2008

This is a dangerous non-memory-resident parasitic virus. It searches for .COM files in the current directory and writes itself to the end of the file. From August 1990 onwards, depending on the current time, the virus erases two randomly selected disk sectors. The virus contains the text:
IRON MAIDEN

Iron.188

Saturday, November 29th, 2008

This is a non-dangerous non-memory-resident parasitic virus. It searches for .COM files and writes itself to the end of the file. It displays the message:
Evil has an iron fist

I-Worm.Tettona

Saturday, November 29th, 2008

This is a worm that spreads via the Internet as an attachment to infected emails. The worm also has a backdoor routine.
The worm itself is a Windows PE EXE file about 35 KB in length (compressed with Petite; the decompressed size is about 75 KB), written in Microsoft Visual C++.
The texts and attached file names in infected messages vary; they depend on the current date and on whether Italian language support is installed.
Subjects are:
Incredible..
Incredibile.. (Italian: Incredible..)
Urgente! (vedi allegato) (Italian: Urgent! (see attachment))
Qualsiasi cosa fai,falla al meglio. (Italian: Whatever you do, do it as well as you can.)

The message body begins with "Hello," or "Ciao," and continues with one of:
see this interesting file.
okkio all'allegato ;-) (Italian: keep an eye on the attachment ;-))
devi assolutamente vedere il file che ti ho allegato. (Italian: you absolutely must see the file I attached.)
apri subito l'allegato,e' MOLTO interessante. (Italian: open the attachment right away, it is VERY interesting.)

The message body ends with "A presto" (Italian: see you soon) or "Bye."
Attached files:
tettona.exe
euro.exe
tattoo.exe

The worm activates from an infected email only if the user opens the attached file. It then installs itself in the system and runs its spreading routine and backdoor.
Installing
While installing, the worm copies itself to the Windows directory under the name DLLMGR32.EXE and registers that file in the system registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run DllManager = %windir%\dllmgr32.exe
The worm then displays a fake error message:
Error
VBRUN49.DLL not found!

Spreading
To send infected messages the worm connects directly to the default SMTP server; it opens the WAB database (Windows Address Book) and sends messages to all addresses found there.
Backdoor
The backdoor procedure opens port 5001, listens there for the "master" and processes the following instructions:
"HELO" - replies with the text "Hello, guy"
"SCAN" - scans all directories and reports the directories and files found there (like a remote DIR command)
"EXEC" - runs the specified file
"UNINST" - removes the worm from the system, including its registry "Run" value
"VIEW" - sends the contents of the specified file to the "master"
"DOWN" - uploads the specified file to the "master"
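A fixed greeting on a fixed port is a fingerprint. The following is an added example, not code from the page or from the worm, of a network sweep that connects to port 5001, sends HELO and checks for the "Hello, guy" reply; it also includes a local test double that answers like the backdoor so the probe can be exercised offline. The description does not say whether the port is TCP or how the reply is terminated, so TCP and a CRLF line ending are assumptions here, and the check matches only on the prefix of the reply.

```python
import socket
import threading

TETTONA_PORT = 5001
TETTONA_GREETING = b"Hello, guy"


def probe_tettona(host: str, port: int = TETTONA_PORT, timeout: float = 3.0) -> bool:
    """Connect, send HELO and return True if the reply starts with the
    backdoor's fixed greeting. Refused, unreachable or silent counts as clean."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"HELO\r\n")          # line ending is an assumption
            reply = s.recv(64)
    except OSError:
        return False
    return reply.startswith(TETTONA_GREETING)


def sweep(hosts, port: int = TETTONA_PORT):
    """Return the subset of hosts answering like the Tettona backdoor."""
    return [h for h in hosts if probe_tettona(h, port)]


def start_fake_backdoor(reply: bytes = TETTONA_GREETING):
    """Test double (constructed for this example): a loopback listener that
    answers HELO with `reply`, so the probe can be tested without an infected
    host. Returns (port, stop_event)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                data = conn.recv(64)
                if data.strip().upper().startswith(b"HELO"):
                    conn.sendall(reply + b"\r\n")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop


if __name__ == "__main__":
    port, stop = start_fake_backdoor()
    print("infected" if probe_tettona("127.0.0.1", port) else "clean")
    stop.set()
```

Because the probe only sends HELO, the only effect on an infected host is the greeting; it never issues EXEC, VIEW or DOWN. A service that merely accepts the connection (an SMTP server, for instance, which also understands HELO) is reported clean because its banner does not start with the worm's string.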

Payload
On January 12th the worm displays the message:
Hello,

Ciao,
il tuo computer è infettato dal virus Fralì.
Certo che devi essere proprio un pirlone,
per esserti fatto fregare dal mio stupidissimo worm.
Va bè, và, non ti preoccupare, oggi non sono in vena di cattiverie,
ed è anche un giorno festivo per me.

Buona giornata..
by 4nt4R35

(Italian; in English: Hi, your computer is infected with the Fralì virus. You really must be a complete sucker to have let yourself be fooled by my very stupid worm. Oh well, don't worry, today I am not in the mood for nastiness, and it is a holiday for me too. Have a good day.. by 4nt4R35)

I-Worm.Tanatos.a

Saturday, November 29th, 2008

Tanatos.a, also known as Bugbear.a, is a worm that spreads via the Internet as an attachment to infected emails. The worm also copies itself over local networks to shares that are open for full access, and runs backdoor and password-stealing (PSW trojan) routines.
The Tanatos worm itself is a Windows PE EXE file about 50 KB in length (compressed with the UPX utility), written in Microsoft Visual C++.
The infected messages have different Subjects, Bodies and attached file names.
The worm sends messages of two types, selected at random. In the first case, to run from the infected message, the worm exploits the Internet Explorer IFRAME vulnerability, so on vulnerable systems it activates as soon as the message is opened or previewed. In the second case no exploit is used and the attached copy runs only if the user opens the attachment. The Tanatos worm takes its name from a text string in its code:
Project Tanatos
Installing
While installing, the worm copies itself to the Windows system directory under a random name and registers itself in the system registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
The worm's EXE file name is derived from the C: volume name, for example:
FYOM.EXE
YOK.EXE

The worm also places a DLL file in the Windows system directory under a random name and uses this file to ’spy’ on and record all keyboard input.
Spreading: Emails
To send infected messages Tanatos connects directly to the default SMTP server. Victim email addresses are harvested from files of the following types:
*.ODS, *.MMF, *.NCH, *.MBX, *.EML, *.TBB, *.DBX,
*INBOX*
Tanatos searches the system for these files and extracts email-like strings from them.
The Subject field is selected from the following variants:
Greets!
Get 8 FREE issues - no risk!
Hi!
Your News Alert
$150 FREE Bonus!
Re:
Your Gift
New bonus in your cash account
Tools For Your Online Business
Daily Email Reminder
News
free shipping!
its easy
Warning!
SCAM alert!!!
Sponsors needed
new reading
CALL FOR INFORMATION!
25 merchants and rising
Cows
My eBay ads
empty account
Market Update Report
click on this!
fantastic
wow!
bad news
Lost & Found
New Contests
Today Only
Get a FREE gift!
Membership Confirmation
Report
Please Helpall
Stats
I need help about script!!!
Interesting…
Introduction
various
Announcement
history screen
Correction of errors
Just a reminder
Payment notices
hmm..
update
Hello!

The Subject can also be taken by Tanatos from a randomly selected file on disk.
The message Body is taken from a randomly selected file on disk.
The attached file name is also randomly selected and may carry a double extension, for example:

filename.XLS.SCR

Spreading: Network
Tanatos enumerates network resources shared for writing, looks for the startup folder and copies its file to this folder (if found).
This routine has a bug and the worm also sends copies of itself to shared network printers.
Backdoor
The backdoor routine opens port 36794 and listens there for "master" commands (from whoever controls the worm). It gives the controller full control over the infected machine: sending, receiving, copying and executing files, terminating processes, sending out user information, and so on.
Tanatos also starts an HTTP server on infected machines, providing a web interface for manipulating them.
PSW Trojan
The worm also has a trojan routine that sends user information and cached passwords to several email addresses stored encrypted in the worm body.
Other
Tanatos looks for the following applications and tries to terminate them:

I-Worm.Sobig.f

Saturday, November 29th, 2008

Sobig.f is a worm that spreads via the Internet as a file attached to infected emails. It also spreads through shared network resources.
The worm itself is a Windows PE EXE file written in Microsoft Visual C++ and compressed with the tElock utility; the compressed file is typically around 70 KB, the decompressed size about 100 KB.
Sobig.f activates only when the user opens the attached file. Once launched, it installs itself in the system and runs its spreading routine.

Installation
During installation the worm copies itself into the Windows directory under the name winppr32.exe and registers itself in the system registry autorun keys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TrayX = %WindowsDir%\winppr32.exe /sinc

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
TrayX = %WindowsDir%\winppr32.exe /sinc

Spreading via email
To collect victim email addresses the worm looks for .TXT, .EML, .HTML, .HTM, .DBX, .WAB, .MHT and .HLP files in all directories on all available local drives, scans them for email-like text strings and sends infected emails to those addresses. The worm carries its own SMTP engine for sending the messages.
Sobig.f message content varies as follows:
The From field carries a fake address (one found on the infected machine) or admin@internet.com.
Subject:
Re: That movie
Re: Wicked screensaver
Re: Your application
Re: Approved
Re: Re: My details
Re: Details
Your details
Thank you!
Re: Thank you!
Message Body:
See the attached file for details
Please see the attached file for details.
Attached file name:
movie0045.pif
wicked_scr.scr
application.pif
document_9446.pif
details.pif
your_details.pif
thank_you.pif
document_all.pif
your_document.pif
The worm also creates the file winstt32.dat in the Windows directory and writes the email addresses that were found on the infected machine to this file.
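Both Tanatos (filename.XLS.SCR) and Sobig.f (the .pif and .scr names above) rely on the recipient not recognising the final extension as executable. The following is an added example, not code from the page or from either worm, of the attachment check a mail gateway applies: it classifies a file name by its real (last) extension, flags a document-looking decoy extension in front of it, and flags whitespace padding that pushes the real extension out of view. The extension sets are my own choices, and the sample message list is constructed from names quoted on this page plus two benign controls.

```python
import re

# Extensions Windows will execute or load as code regardless of what the
# name claims; the page's samples use .pif, .scr, .exe and .dll.
EXEC_EXT = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "dll",
            "cpl", "hta", "lnk"}
# Document/media extensions used as the decoy part of a double extension.
DECOY_EXT = {"xls", "doc", "txt", "jpg", "gif", "pdf", "htm", "html", "zip",
             "mp3", "avi", "mpg"}


def classify_attachment(name: str) -> dict:
    """Classify an attachment file name the way a mail gateway would."""
    stem = name.strip()
    parts = stem.lower().split(".")
    final = parts[-1] if len(parts) > 1 else ""
    executable = final in EXEC_EXT
    # filename.XLS.SCR: a decoy extension directly before the real one
    double = len(parts) >= 3 and parts[-2].strip() in DECOY_EXT and executable
    # "notes.txt          .exe": whitespace hiding the real extension
    padded = re.search(r"\s{2,}\.[^.]+$", stem) is not None
    if executable:
        verdict = "block"
    elif padded or (len(parts) >= 3 and parts[-2] in EXEC_EXT):
        verdict = "suspicious"
    else:
        verdict = "allow"
    return {"name": name, "final_ext": final, "executable": executable,
            "double_extension": double, "padded": padded, "verdict": verdict}


def filter_messages(messages):
    """messages: iterable of (subject, attachment_name). Returns the
    (subject, attachment, verdict) triples that should be held back."""
    held = []
    for subject, attachment in messages:
        c = classify_attachment(attachment)
        if c["verdict"] != "allow":
            held.append((subject, attachment, c["verdict"]))
    return held


# Constructed sample traffic (not captured mail): names quoted on this page
# plus two benign controls.
SAMPLE = [
    ("Re: That movie", "movie0045.pif"),
    ("Re: Wicked screensaver", "wicked_scr.scr"),
    ("Your Gift", "filename.XLS.SCR"),
    ("Incredibile..", "tettona.exe"),
    ("Q3 numbers", "report.pdf"),
    ("Minutes", "minutes.txt"),
]

if __name__ == "__main__":
    for subject, attachment, verdict in filter_messages(SAMPLE):
        print(f"{verdict:10} {attachment:20} ({subject})")
```

The decision is made on the last extension only; the decoy and padding flags are kept as separate fields because they are useful for triage (a padded name is almost never legitimate) even when the verdict is already "block".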

Spreading via network
The worm scans all accessible network resources (other computers in a network) and copies itself to the auto-start directories (if there are such subdirectories) of each resource (computer) found.

Updating
The worm sends UDP packets to port 8998 of a list of IP addresses and waits for commands from the "master" machine. The commands contain URLs from which Sobig.f downloads and executes files, so the worm can upgrade itself and/or install other applications (trojans, for instance).
Loading additional files
The worm runs a procedure that every 60 minutes checks the current time in UTC (Greenwich Mean Time). To do so it queries NTP (Network Time Protocol) servers; Sobig.f carries an internal list of 19 NTP servers:
200.68.60.246
62.119.40.98
150.254.183.15
132.181.12.13
193.79.237.14
131.188.3.222
131.188.3.220
193.5.216.14
193.67.79.202
133.100.11.8
193.204.114.232
138.96.64.10
chronos.cru.fr
212.242.86.186
128.233.3.101
142.3.100.2
200.19.119.69
137.92.140.80
129.132.2.21

When no NTP server replies, the worm falls back to the system function gmtime to obtain the current time. On Fridays and Sundays, when the current UTC time is between 19:00 and 23:00, the worm begins to download additional files. To do this it sends UDP (User Datagram Protocol) packets to port 8998 of the addresses in an encrypted list carried inside the worm. At the time of writing these hosts are blocked and do not respond to the queries.
The decrypted list of IP addresses:
67.73.21.6
68.38.159.161
67.9.241.67
66.131.207.81
65.177.240.194
65.93.81.59
65.95.193.138
65.92.186.145
63.250.82.87
65.92.80.218
61.38.187.59
24.210.182.156
24.202.91.43
24.206.75.137
24.197.143.132
12.158.102.205
24.33.66.38
218.147.164.29
12.232.104.221
68.50.208.96

Sobig.f receives the reply to its query as a UDP packet on port 8998. The packet contains an encoded URL; the worm downloads the file at that URL and executes it.
Other
All worm routines are active until September 10, 2003.
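The update mechanism above leaves a distinctive network footprint: a burst of NTP queries to the worm's own server list, then UDP datagrams to port 8998 of the twenty listed addresses, inside the Friday/Sunday 19:00 to 23:00 UTC window and before the September 10, 2003 cut-off. The following is an added example, not code from the page or from the worm, of that detection logic run over flow records. The flow-log line format is an assumption made for this example, the sample lines are constructed (2003-08-22 was a Friday), and the address lists are copied from the description (the one NTP hostname is omitted because flow logs carry IPs).

```python
import re
from collections import defaultdict
from datetime import date, datetime, timezone

# UDP/8998 peers the description lists (the worm's decrypted address list).
SOBIG_C2 = {
    "67.73.21.6", "68.38.159.161", "67.9.241.67", "66.131.207.81",
    "65.177.240.194", "65.93.81.59", "65.95.193.138", "65.92.186.145",
    "63.250.82.87", "65.92.80.218", "61.38.187.59", "24.210.182.156",
    "24.202.91.43", "24.206.75.137", "24.197.143.132", "12.158.102.205",
    "24.33.66.38", "218.147.164.29", "12.232.104.221", "68.50.208.96",
}
# NTP servers the worm polls for the current UTC time.
SOBIG_NTP = {
    "200.68.60.246", "62.119.40.98", "150.254.183.15", "132.181.12.13",
    "193.79.237.14", "131.188.3.222", "131.188.3.220", "193.5.216.14",
    "193.67.79.202", "133.100.11.8", "193.204.114.232", "138.96.64.10",
    "212.242.86.186", "128.233.3.101", "142.3.100.2", "200.19.119.69",
    "137.92.140.80", "129.132.2.21",
}
# Assumed flow-log format: <ISO8601 UTC> <src>:<sport> -> <dst>:<dport> <UDP|TCP> <bytes>
LINE = re.compile(r"^(\S+)\s+(\d+(?:\.\d+){3}):(\d+)\s+->\s+"
                  r"(\d+(?:\.\d+){3}):(\d+)\s+(UDP|TCP)\s+(\d+)$")


def _parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_flow(line: str):
    m = LINE.match(line.strip())
    if not m:
        return None
    return {"ts": _parse_ts(m.group(1)), "src": m.group(2), "dst": m.group(4),
            "dport": int(m.group(5)), "proto": m.group(6)}


def in_activation_window(ts) -> bool:
    """Friday or Sunday, 19:00 <= UTC hour < 23:00, on or before the
    September 10, 2003 cut-off stated in the description."""
    if isinstance(ts, str):
        ts = _parse_ts(ts)
    return (ts.weekday() in (4, 6)          # Monday == 0, so Fri == 4, Sun == 6
            and 19 <= ts.hour < 23
            and ts.date() <= date(2003, 9, 10))


def detect(log_text: str):
    """Return {src_ip: [(indicator, confidence, detail), ...]}."""
    findings = defaultdict(list)
    ntp_seen = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_flow(line)
        if not f or f["proto"] != "UDP":
            continue
        if f["dport"] == 123 and f["dst"] in SOBIG_NTP:
            ntp_seen[f["src"]].add(f["dst"])
        elif f["dport"] == 8998:
            if f["dst"] in SOBIG_C2:
                conf = "high" if in_activation_window(f["ts"]) else "medium"
                findings[f["src"]].append(("c2-beacon", conf, f["dst"]))
            else:
                findings[f["src"]].append(("udp-8998", "low", f["dst"]))
    # A host polling several of the worm's NTP servers is a signal on its
    # own, before any UDP/8998 traffic appears.
    for src, servers in ntp_seen.items():
        if len(servers) >= 3:
            findings[src].append(("ntp-fanout", "medium", ",".join(sorted(servers))))
    return dict(findings)


# Constructed sample log, not captured traffic (2003-08-22 was a Friday).
SAMPLE_LOG = """\
2003-08-22T19:02:10Z 10.1.2.7:1044 -> 200.68.60.246:123 UDP 48
2003-08-22T19:02:11Z 10.1.2.7:1045 -> 62.119.40.98:123 UDP 48
2003-08-22T19:02:12Z 10.1.2.7:1046 -> 150.254.183.15:123 UDP 48
2003-08-22T19:03:40Z 10.1.2.7:1051 -> 68.38.159.161:8998 UDP 12
2003-08-22T19:03:41Z 10.1.2.7:1051 -> 24.33.66.38:8998 UDP 12
2003-08-22T19:10:05Z 10.1.2.9:2033 -> 192.0.2.10:123 UDP 48
2003-08-22T09:15:00Z 10.1.2.9:2034 -> 203.0.113.5:8998 UDP 12
2003-08-22T19:11:00Z 10.1.2.9:2035 -> 198.51.100.20:80 TCP 400
"""

if __name__ == "__main__":
    for src, hits in detect(SAMPLE_LOG).items():
        for hit in hits:
            print(src, *hit)
```

The NTP fan-out indicator is the one worth keeping after the listed hosts went dark: a workstation that suddenly asks three or more academic stratum servers on different continents for the time is behaving like the worm even when no 8998 datagram ever leaves the network.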

I-Worm.Scrambler

Saturday, November 29th, 2008

This is an Internet worm that spreads in infected emails, sends copies of itself over IRC channels and infects Windows EXE files on the local machine. The worm itself is a Windows executable about 70 KB in length, written in Microsoft Visual C++.
When an infected file is executed, the virus creates its "dropper" (a file containing pure virus code) in the Windows system directory. The file has a random 5-letter name, for example HIJDE.EXE; it is the file later sent out by email and over IRC.
The virus then scans the Windows directory for .EXE files and infects them by writing the virus code to the top of the file. It does not infect files whose names begin with any of the letters E, P, R, T or W. The virus then infects all EXE files in the C:\MIRC\DOWNLOAD directory, if it exists.
Next, the virus infects the mIRC client in order to send its copies to IRC channels, and uses MS Outlook to spread by email.
To infect the mIRC client, the virus tries to create (overwriting any existing file) a SCRIPT.INI in the standard mIRC directories on all drives from C: to F:. The resulting file names are:
\mirc\script.ini
\PROGRA~1\mirc\script.ini
The worm writes a short script there that sends its "dropper" to each user who joins a channel the infected client is on.
The virus creates a VBScript file, SCRAMBLER.VBS, in the Windows system directory and writes to it a script that connects to MS Outlook and sends email messages to the first 90 entries of the Outlook address book. The messages carry an infected attachment (the virus "dropper"), the subject "Check this out, it's funny!" and an empty body. The virus then runs that script and so spreads across the Internet.
The virus then creates a WINSTART.BAT file in the Windows directory containing two commands that clear the screen and display the following message when the file runs:
Today..
I’m going to scramble your mind..
The virus also creates the file SCRAM.SYS and saves this text in it:
Scrambler
by Gigabyte
The virus also scans drives for MP3 files and corrupts them.

I-Worm.Runouce.a

Friday, November 28th, 2008

Runouce is a worm virus spreading via the Internet as an attachment to infected emails. Runouce also copies itself to shared network resources.
The Runouce worm is a Windows PE EXE file about 10KB in length and written in Assembly language.
Infected messages have the following properties:
Subject: Hi,i am %(Name of victim’s computer)%
Attachment name: p.exe
The message body is blank.
To run from infected messages the worm exploits the Internet Explorer IFRAME vulnerability, so the attachment starts when the message is viewed on a vulnerable system.
Installation
The worm copies itself to the Windows System directory under the name “Runouce.exe” and then registers this file in the following registry auto-run key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Runonce = %System%\Runouce.exe

%System% = the Windows System directory name.
When Runouce is launched it creates a mutex named "ChineseHacker" to avoid running multiple instances.
Spreading
The worm creates .EML files containing a copy of itself in all available directories and network resources, excluding the Windows directory. The .EML files are named after the victim computer: if the computer name is COMPUTER, the worm creates COMPUTER.EML in each directory.
Runouce searches for victim email addresses in WAB databases and in files with .ADC and R.DB extensions on all available drives (again skipping the Windows directory), and sends infected messages to those addresses. To send them, the worm connects directly to the SMTP server "btamail.net.cn".
Other
Runouce searches for files with .EXE and .SCR extensions on all fixed and remote drives, except the Windows directory, and modifies their file access times.
Runouce also closes programs with certain Chinese window titles (probably Chinese anti-virus programs).

I-Worm.Runnelot

Friday, November 28th, 2008

Runnelot is a worm that spreads via the Internet as an attachment to infected emails. It also infects Win32 EXE files.
The worm itself is a Windows PE EXE file about 9 KB in size when compressed with UPX (about 20 KB decompressed), written in Assembler.
The worm contains a “copyright” text string:
Runner “Pilot” 01/2003

Installing
While installing, the worm writes its code to the Windows system directory under the name "Runner.exe" and registers that file in the system registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Runner = Runner.exe /auto /rsrc32.dll

Infecting EXE files
The worm looks for PE EXE files in directories on local and network hard drives and writes itself to the beginning of these files.
To pass control back to the host program, the worm writes a disinfected copy of the host to disk and spawns it. If this fails, the worm displays fake error messages:
Error of loading WIN32.DLL file

Loading incomplete. Correct work is not warranted!
Continue?

General error 1452 in KERNEL32.DLL

Program terminated

Spreading: EMail
To send infected messages the worm connects directly to the default SMTP server. To obtain victim email addresses it looks through *.HTM* files; it also writes the addresses it finds to the file "runner.dll" in the Windows system directory.
The fields of infected messages are built at random from several variants:
From: "%str1%%str2%"

where the strings are randomly selected from:
%str1% : Dmitry Eugene Igor Jhon Mark Bill Frank Sam Tim Brad Samuel Dean Tom Robert Mostovoy Losinsky Kaspersky Danilov Smith Woodruf Brown Steel Driver Seldon Forge Stab McAndrew Gregor
%str2% : @hotmail.com @yandex.ru @yahoo.com @newmail.ru

Subject: %subj1% %subj2%
where:

%subj1% :

Weclome to Pink World
Blacks on Blondes
New porno movies every day
TONS of porno movies
Fucking Wifes

%subj2% :

New FREE sex soft
FREE porno-soft
+ many FREE sex games

The body is randomly constructed from randomly selected text strings:
SUPERGAME! + Look as + fine + blonde
SEX SOFT! + hot mom
black hitchiker teen
dirty girl
amateur slut
petite babe
busty teen
wet secretary
wild wife

This is a free demo version, and we hope you want visit our web-site +
Please visit our web site +
+
WWW.EXPLOITEDPUSSY.COM
WWW.SLEAZYDREAM.COM
WWW.ALLHOTPORN.COM
WWW.TEENFILES.NET
WWW.ADULTMOVIESTATION.NET
WWW.DISCRETESEX.COM
+
to take more sex programs
to take full version

150 GIG OF DOWNLOADABLE MOVIES - FREE PASSWORD
HIGH QUALITY MPEGS - NEW SCENES EVERY DAY - 100k+ PICS TOO
Full lenght movies
THE BEST MOVIES ONLINE
HUGE archive of previous movies available! TONS of movies
+
Full screen quality
Ultra fast downloads
Updated every day
All in DVD quality
WEBMASTERS MAKE MONEY
GET FULL ACCESS TO OUR MEMBERS AREA FOR 30 MINUTES - FREE
GET YOUR 30 MINUTES FREE ACCESS
A new 150mb full lenght movie is added every day
+
Install NOW!!!
Installer in attach
Test our soft now!

or randomly selected from variants:
We presents to you ours new sex game as adversting
Install a locator of FREE sex movies of our site as adversting
Install porno screen saver as adversting
This is a new imitator as adversting

Attachment:
sexy + girls. + dll
hottest blonde.
cumshot pamela.
analsex lesbians.
oralsex teens.
asian virgins.
hardcore .
slut
doggy
sucking
messy

Payload
On February 13, March 7 and 16, April 21, May 8 and 18, June 11, July 3, August 29, October 30, November 5 and 26, and December 11 and 30 the worm overwrites all files in the "Personal" folders ("My Documents", "History", "Cookies", etc.).

I-Worm.Roron.12

Friday, November 28th, 2008

Roron is a worm that spreads via the Internet as an attachment to infected emails, over shared network drives and through the KaZaA network. The worm also has an IRC-based backdoor.

The worm itself is a Windows PE EXE file about 120 KB in length, written in Microsoft Visual C++.
Installing
While installing, the worm copies itself to the Windows directory under the name "rundll16.exe" and registers this file in the following system registry auto-run keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LoadCurrentProfile = Rundll16.exe powprof.dll,LoadCurrentUserProfile

HKCR\exefile\shell\open\command
%WinDir%\Rundll16.exe “%1″ %*

HKCR\regfile\shell\open\command
%WinDir%\Rundll16.exe regedit.exe “%1″

The worm also copies itself to the Windows system directory and to the "Program Files" directory. To choose the destination name the worm takes a random file or directory name from the victim directory and appends one of these randomly selected suffixes:

98.exe
16.exe
32.exe

For example, worm copies may have the following names:
Program Files\Online Services\Online Service16.exe
Windows\System\browseui16.exe

These files are likewise registered in the HKLM Run keys listed above and/or in the "run=" line of the [windows] section of WIN.INI.
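The two persistence tricks above (a Run value that launches a file posing as a system DLL loader, and a rewritten exefile/regfile shell\open\command that puts the worm in front of every program the user starts) are what an analyst checks first in a registry export from a suspect machine. The following is an added example, not code from the page or from the worm: a small parser for REGEDIT export text and a triage pass that compares the exefile and regfile handlers against their clean defaults and flags Run/RunOnce values whose executable name matches one of the worm file names quoted on this page. The sample export is constructed, not taken from a real machine; it reproduces the Run value and exefile handler quoted above and leaves regfile at its default.

```python
import re

# Default shell\open\command values on a clean Windows install.
EXPECTED_COMMANDS = {
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\regfile\shell\open\command": 'regedit.exe "%1"',
}
# Autorun file names quoted in the worm descriptions on this page.
KNOWN_BAD_AUTORUN = {"rundll16.exe", "dllmgr32.exe", "winppr32.exe",
                     "runouce.exe", "runner.exe"}

VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s: str) -> str:
    # .reg files escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> dict:
    """Parse REGEDIT4/5 export text into {key_path: {value_name: data}}.
    Only string data (REG_SZ) is decoded; other types are kept verbatim."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(";") or line == "REGEDIT4"
                or line.startswith("Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            data = m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def command_basename(cmd: str) -> str:
    """Executable name from a command line, handling quoted paths."""
    cmd = cmd.strip()
    exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(text: str):
    """Return [(indicator, key or key\\value, data)] for a hijacked
    exefile/regfile handler and for Run/RunOnce values launching a known
    worm file name."""
    findings = []
    expected = {k.lower(): v for k, v in EXPECTED_COMMANDS.items()}
    for key, values in parse_reg(text).items():
        kl = key.lower()
        if kl in expected:
            actual = values.get("", "")
            if actual != expected[kl]:
                findings.append(("shell-hijack", key, actual))
        elif kl.endswith("\\currentversion\\run") or kl.endswith("\\currentversion\\runonce"):
            for name, cmd in values.items():
                if command_basename(cmd) in KNOWN_BAD_AUTORUN:
                    findings.append(("autorun-known-bad", key + "\\" + name, cmd))
    return findings


# Constructed export, not from a real machine.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"LoadCurrentProfile"="Rundll16.exe powprof.dll,LoadCurrentUserProfile"
"SystemTray"="SysTray.Exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\Rundll16.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="regedit.exe \"%1\""
"""

if __name__ == "__main__":
    for kind, where, data in triage(SAMPLE_REG):
        print(f"{kind:18} {where} -> {data}")
```

The exefile check is the important one for cle­anup order: as the Removal section of this entry warns, deleting the worm file while that handler still points at it means no .exe will start at all, so the handler has to be restored to `"%1" %*` in the same step.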
The worm then may display the following fake message:
WinZip Self-Extractor License Confirmation

Your version of WinZip Self-Extractor is not licensed, or the license information is missing or corrupted. Please contact
the program vendor or the web site (www.WinZip.com) for additional information.

The worm also creates a data file in the Windows directory and uses it for its internal needs (it stores its variables there). The file name is:

“winfile.dll”
Worm copies may also be found under the following names (this list is referred to below as the "names list"):

Zip Password Recovery v4.5.exe
Star Craft 2 Trailer.exe
WWF!!_The_ROCK(sHOw).exe
cRedit CarDs gEn v1.2.exe
WinZip 8.2 (Cracked).exe
GTA 3 Bonus Cars.exe
Eminem Desktop.exe
DMX tHeMe (full).exe
NFS 5 Bonus Cars.exe
Counter Strike 1.5 (Editor).exe
Madonna - My Life (Review).exe
DivX 5.4 Bundle.exe
KaZaA Media Desktop v1.8.3.exe
Win XP key gen 2.1B.exe
Serials 2002 Update.exe

Emails
The infected messages have different Subjects, Bodies and attached file names (see below).

The worm activates from an infected email only if the user opens the attached file. It then installs itself in the system and runs its spreading routine and payload.

To send infected messages the worm uses Windows MAPI functions and sends messages to all addresses found in the messages stored in the local mailboxes.
Attached file names are selected from the following variants:
Star Craft 2 Trailer.exe
WWF_The_ROCK(sHOw).exe
Sound Factory SFX.exe
Eminem Desktop.exe
DMX tHeMe (full).exe
Love Zodiak.exe
[TNT]GeN.exe
Worm Guard.exe
mTV Charts.exe
Setup.exe
mTV Charts.exe

Subjects and message bodies are randomly selected from the variants below, where %s is one of the EXE file names listed above. The texts are in transliterated Bulgarian and in English.

Zdrasti..

Hey, kak varvi, neshto novo ima li :) Adski mi sa spi, daje ei sq smqtam da si legna ama purvo shte si vzema edin dush :)) Skoro shti pratq onva deto obeshtah, za sq mojesh da hvarlish edno oko na %s - ako imash nqkvi predlojeniq, komentari ili kakvoto i da e pishi mi :)) Aide doskoro i umnata ~pPp

Ohoo!!

Zdravei, zdrasti, dai pari za pasti :)) Ko praish? Za teb neznam ama v momenta se chustvam mnoo qko i reshih da ti pisha :) Kolko ti e rekorda na minichkite? Toku shto na Expert razminirah za 2 minuti :))) Ei sq smqtam da si vzema nqkoi qk film i da gledam. Hodil li si na %s - Mnoo me kefi :)) Za drugo ne se seshtam tai che chao za sega :))

Ei dupe :)

Zdrasti :)) Nqma da povqrvash kakvo mi se sluchi neska :) Vidqh Slavi Trifonov i nqkvi mnoo qki madami s nego :))) Ko shi kaish a? Misleh da mu iskam avtograf ama me dosramq :(( Karai, drug pat ~pP. Begai na %s :) Malko e stranen, no ne e losh. Hmm, ti ko praish? Pishi mi :)
Chao

Liubofta e kato Rai, no moje da boli kato Ad

Zdr, izpratih na vsichki edna programka, mnoo qka, btw to imeto si pokazva. Subject-a e ot tam i ima i drugi mnogo qki misli. Moje da pokaje nai-podhodqshtiq partnior v liubofta :)) Ujasno e kak liubofta moje da ubie vsichko v teb.. Za shtastie ne vinagi e taka :) Inache nishto novo, karam q nqkak.. Sega trqbva da izlizq za malko tai che bye :))

ZzZz :)

Zdrasti, kak q karash :) az sam dobre, makar che naposledak imam malko problemi. Tvarde mnogo mi se strupa navednaj, udarih si rakata ei sq i mnogo me boli.. Kakvo da se pravi, takav e jivota.. Vchera namerih nqkav generator na kreditni karti i mai bachka, samo edin put go probvah ama stana, vij dali pri teb sha raboti i umnata :) Ai doskoro :)) Chao ti

Vajno!!

Ima nov opasen virus v neta! Razprostranqva se predimno po IRC i ICQ. Vnimavai da ne se zarazish, zashtoto iztriva Mp3-ki, Filmi i Dokumenti. Izpratih ti patch, koito shte te paziot zarazqvane. Iskah da napisha po-dulgo pismo, no nqmah vreme, sorka.. Naposledak imam adski mnogo rabota nalqvo nadqsno :)) Inache kak varvi? Chao i watch out :)))

Bla Bla :)

Hi, kak e :) ko si praikash? az si slusham muzichka - ATC i Mortal Kombat Soundtrack - Varhovni sa, napravo izbuhnah :))) Drapnah si gi ot neta s taq programka - ima 200 kubriliona klasacii :) Naposledak muzikata e edno ot malkoto mi udovolstviq
P.S. Obezatelno si drapni ATC - Why oh why.mp3 :))
Chao, doskoro!!

HeY..

HeY.. Buddz what’z up :) How are you? I’m fine, 10x!! My friend Nina is here and we are.. You know :) Lalala !! Be happy, don’t worry ~pPp. Btw check this site - %s, it’s fresh :)) I’m a little drunk and i’ve gotta go now !! Wish me luck :)) Cya

ZzZz :)

Hi buddy, what’s up :)) I’ve only wanted to remind you not to forget about our little, dirty secret :) And don’t tell anybody :Ppp. Have you seen this site - %s c00l :) Leave this away, how are you? Send me sth cool, plzz:) bye! :)

BlaBla

Hey :) Wasupp ~Pp I wanted to write you a letter, but i didn’t know what to talk about actually :) Have you ever done an IQ test, i’ve just scored 120 points :) I’m not sure if this is good or bad, who cares :) Have you visited %s :) Finally, how are you:) i’ll be very happy if you send me 1,2 funny cards :)))) bye! :)

Be careful

There is a new, dangerous virus in the net. It’s called Roro and it’s using IRC to infect computers. The virus deletes movies, music and system files. To prevent from infecting, install McAfee Anti-Script 2002. It’s a 30-days demo..
So, how are you? Good, Bad? I’m oK. I wanted to write you a longer letter, but i didn’t have enough time.. sorry. Bye

yoOo ;)

YoOo :)) What a nice day, what a nice time :) What a nice world :)) Do you have Blade 2? I’ve just watched it twice, it’s marvellous! lol ~pPp Do you have any ATC’s mp3z? CooL :))) I’ve found them with this program, it’s like Napster, but it’s legal :))
P.S. Download ATC - Why oh why.mp3 !!! Bye ~~~~ppPpP ;)

Wow..

Hello :>> How are you? What’re you doing :) Do you have Blade 2? I’ve just watched it twice, it’s marvellous! You can’t guess what I’ve found.. A working Credit Card generator :))) I purchased a bride from Russia yesterday :) LoL.. I gave a fake address of course :))) Promise me not to send it to anybody! Don’t go too far and watch out :)) Bye..

Hi!!

Hey you!! Wasssssssuppppppp :)))) Where are you? What are you doing? I’ve just got high in the sky, my oh my :)) It’s like I don’t care about nothing man :)) sMiLe :oP~pPPPpp I send you a sexy, little thing :)) Everything is just an illusion. Believe me.. It’s time to say goodbye
now.. See you

Infecting Network
The worm looks for remote drives and copies itself there under one of the names randomly selected from the "names list" (see above). The worm can affect a drive only if it is open for full access.

The worm finds remote drives by two methods:
it enumerates all logical drives (from C: to Z:), gets their type and infects those that are shared network drives;
it enumerates network resources using the Windows API and infects the drives found.
To start its copy on the next Windows restart of the remote machine, the worm writes an "OPEN=" command to the "autorun.inf" file on the remote drive.
Infecting KaZaa
The worm copies itself to the KaZaA file sharing folder under a randomly selected name from the "names list" above.
IRC-backdoor
The worm looks for mIRC client files and injects a new INI file there; its name is randomly selected from:
alias.ini
server.ini
notes.ini
popup.ini

The worm's INI file is a backdoor script. By connecting to IRC channels it lets a remote attacker control the infected machine: send, receive and execute files, send spam messages, restart the machine, send out PC information, and so on.

Payload
The worm deletes all files on all available local drives if:

the current date is the 9th or the 19th of the month
the worm's "winfile.dll" data file has been removed from the Windows directory
the worm's registry Run= keys have been removed
its random counter says so
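Several entries on this page carry calendar-based payloads: Ithaqua.8030 on April 29, Italian.578 throughout April, IronMaiden.891 on a June 6 that is a Saturday, I-Worm.Tettona on January 12, I-Worm.Runnelot on its list of fourteen dates and Roron on the 9th and 19th of each month. When detonating a sample in a sandbox it helps to know which clock settings will make the payload show itself. The following is an added example, not code from the page or from any of the viruses, that models those date rules and answers "what fires on this date" and "when is the next trigger". Only the calendar conditions are modelled; triggers that depend on something else (Roron's deleted data file and random counter, IronMaiden's time-of-day check, Sobig.f's time window) are left out.

```python
from datetime import date, timedelta

# Calendar conditions quoted in the descriptions on this page.
RUNNELOT_DAYS = {(2, 13), (3, 7), (3, 16), (4, 21), (5, 8), (5, 18), (6, 11),
                 (7, 3), (8, 29), (10, 30), (11, 5), (11, 26), (12, 11), (12, 30)}

RULES = {
    "Ithaqua.8030":    lambda d: (d.month, d.day) == (4, 29),
    "Italian.578":     lambda d: d.month == 4,
    # Saturday is weekday 5 in Python (Monday == 0); DOS INT 21h/2Ah counts
    # Sunday as 0, which is why the description calls Saturday the 6th day.
    "IronMaiden.891":  lambda d: (d.month, d.day) == (6, 6) and d.weekday() == 5,
    "I-Worm.Tettona":  lambda d: (d.month, d.day) == (1, 12),
    "I-Worm.Runnelot": lambda d: (d.month, d.day) in RUNNELOT_DAYS,
    "I-Worm.Roron.12": lambda d: d.day in (9, 19),
}


def _as_date(d):
    return date.fromisoformat(d) if isinstance(d, str) else d


def triggers_on(d):
    """Names of the samples whose date-based payload fires on day d
    (a date or an ISO 'YYYY-MM-DD' string)."""
    d = _as_date(d)
    return [name for name, rule in RULES.items() if rule(d)]


def next_triggers(start, count: int, names=None):
    """The next `count` days on or after `start` on which at least one rule
    (optionally restricted to `names`) fires, as (iso_date, [names]) pairs."""
    wanted = set(names) if names else set(RULES)
    out, d = [], _as_date(start)
    while len(out) < count:
        hits = [n for n in triggers_on(d) if n in wanted]
        if hits:
            out.append((d.isoformat(), hits))
        d += timedelta(days=1)
    return out


def years_with(name: str, first: int, last: int):
    """Years in [first, last] containing at least one firing day for `name`;
    for IronMaiden.891 this answers 'when does June 6 fall on a Saturday?'."""
    years = []
    for y in range(first, last + 1):
        d = date(y, 1, 1)
        while d.year == y:
            if RULES[name](d):
                years.append(y)
                break
            d += timedelta(days=1)
    return years


if __name__ == "__main__":
    for iso, names in next_triggers("2003-01-01", 6):
        print(iso, ", ".join(names))
    print("IronMaiden.891 fires in:", years_with("IronMaiden.891", 2000, 2030))
```

Roron is the sample to be careful with here: its 9th/19th rule fires two days a month, so a sandbox whose clock happens to sit on one of those dates will see the disk wiped before any spreading behaviour is observed.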
Other
The worm tries to terminate anti-virus programs by looking for the following ID strings:
black,panda,shield,guard,scan,mcafee,nai_vs_stat,iomon,
navap,avp,alarm,f-prot,secure,labs,antivir,zone,
virus,worm,antivir,f-secure,f-prot,kaspers

Using the same strings the worm looks for anti-virus files on disk (anti-virus software installed on the system) and deletes them.
The worm also creates the system mutex "RoRo" to avoid running multiple copies in memory.

Removal
To remove the worm from the system, scan all drives on your computer with an anti-virus program and remove all worm copies, and only then remove the worm data file (winfile.dll) and the worm's registry keys (see above).

Important NOTE: if the worm's registry keys or the "winfile.dll" file are removed while at least one worm copy is still on the computer, this may trigger the worm to delete all files on your system.

