Worm.Terno
Details
Worm.Ternop
This is a worm virus spreading under DOS. The worm file itself is an encrypted 2.5Kb DOS COM program. When it runs, it copies itself into Windows\COMMAND directory with a random 8-bytes name, for example:
QNLKKLNQ.COM
JIIJLOSK.COM
YPETEDUM.COM
The worm affects the Windows directory wherever it is placed - the worm tries all variants from C:\WINDOWS till Z:\WINDOWS.
The worm then modifies the SYS.COM file (copy system files to target drive) so that the worm copies itself to the disks that are SYS-ed. To do that the worm renames the SYS.COM file with the SYS.OLD name and creates a companion SYS.BAT file that contains a set of Batch instructions. These instructions when activated rename to COM and run the original SYS.COM file, and then copy the worm code to target drive.
The worm then looks for RAR archives in the directory tree on the current drive, and adds its copy to their contents. The next victim of the worm is the Maximum BBS, if it is installed on the computer. The worm scans the drive directories for FILES.BBS files, and creates its copies in such directories. The worm then “registers” its copy in the FILES.BBS file - adds a reference to its file and a short description in Russian, like “From 2xx to 300MMX”, “New Internet cracker”, “Speed-ups modem by 30%”, e.t.c.
The worm does not manifest itself in any way, it contains the texts:
Ternopil Worm
Misdirected Youth
Related Posts