Friday

ANXIETY VIRUS

Information about the Anxiety virus:

This virus infects Windows 95 and Windows 98 Executable (EXE) files. The virus stays in memory and it will infect all Windows EXE files that are executed or copied.

Anxiety virus changes the mouse pointer to look like a syringe whenever an infected program is run.

Anxiety virus first appeared in November 1997 and it is in the wild.

Variants of Anxiety virus:

Anxiety.A and Anxiety.B:

Anxiety.A and Anxiety.B are similar to Anxiety virus but they do not change the mouse cursor. The text contained inside the virus code in these variants also differs from the Anxiety virus.


Other names of Anxiety virus:
This virus is also known as Win95/Anxiety and Harry.

BABYLONIA VIRUS

Information about the Babylonia virus:

This is the first virus that is capable of infecting Windows Help (HLP) files. It has the capabilities of both a virus and a trojan. Babylonia virus infects 32-bit (PE) executable (EXE) and Windows Help (HLP) files under Windows 95 and Windows 98. It does not work under Windows NT. Once an infected file is executed, the virus stays in memory and infects target files when they are accessed. The size of a file increases when it is infected. The virus infects Windows Help files by inserting its code in the system area of the help file.

This virus patches the WSOCK32.DLL file in a way similar to the Happy99 trojan. Because of this, Babylonia is able to intercept outgoing email messages and attach an infected file to them. The attachment is named X-MAS.EXE.

When the virus is run for the first time, it copies a file called BABYLONIA.EXE to the root directory of the C drive and executes it. This file is then copied to the \windows\system directory as KERNEL32.EXE. The Windows registry is modified to run this file as a service every time the computer is restarted. The registry key that is modified is:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

The virus also has a unique capability of downloading further components of itself from a web site in Japan. The web site can be configured to deliver additional features to the virus.

Babylonia first appeared in December 1999 and it is reported to be in the wild.


Other names of Babylonia virus:
This virus is also known as W95.Babylonia.

Thursday

CIH VIRUS

Information about the CIH virus:

Win95.CIH (also known as CIH, Spacefiller, Win32.CIH) is a new virus that infects 32-bit Windows 95, Windows 98 and Windows NT executable files having the .EXE extension. When an infected program is run on a Windows 95 or Windows 98 computer, it infects the computer and becomes memory resident. The infected program will not work properly on a Windows NT computer. Once the virus becomes memory resident, it infects every 32-bit EXE file that is opened, so it spreads to all files that are executed or copied. The virus code is quite small, about 1000 bytes. The virus does not increase the size of the infected file. It uses a unique method to copy its code into the infected file: it fills the unused space available in the 32-bit EXE file (PE format) with its code. If the virus cannot find a single continuous empty space large enough to hold it, it slices itself into many pieces and places them in the smaller empty slots. The virus is also known as Win95.Spacefiller because of this behaviour. The virus alters the entry point in the header to point to the beginning of the virus code, and assembles the broken-up parts into one piece of code when the EXE file is run. The virus code contains the text "CIH", which gives it its name.

Win95.CIH virus has a dangerous payload that triggers on the 26th of April or of any month, depending upon the variant of the virus strain. This virus can damage the contents of the BIOS flash memory chip. Most of the new computers sold (80486 and later CPUs) have their BIOS programmed into flash memory chips. Win95.CIH writes garbage to the flash memory chip if the chip is write-enabled. Many PC manufacturers leave the flash memory chip write-enabled. If this happens, the computer becomes unusable until the contents of the chip are restored or the motherboard is replaced. After damaging the BIOS, the virus also makes the data on all the hard disks unreadable. Win95.CIH bypasses all types of BIOS protection mechanisms to do its destructive job. Because of these characteristics, this is surely one of the most damaging viruses.

CIH virus first appeared in June 1998 and it is in the wild.

Variants of CIH virus:

There are three variants (1.2, 1.3 and 1.4) of Win95.CIH virus. These variants can be identified from the text string present in the virus code. Variants 1.2 and 1.4 are reported to be in the wild and spreading. Win95.CIH.1.2 and 1.3 do the damage on the 26th of April only, and Win95.CIH.1.4 does it on the 26th of every month. Win95.CIH.1.4 is also the most frequently reported variant.


Other names of CIH virus:
This virus is also known as Win95/CIH and Space Filler.

HPS VIRUS

Information about the HPS virus:

This virus infects Windows 95 and Windows 98 Executable (EXE) and Screen Saver (SCR) files. The virus stays in memory and it will infect all Windows EXE files that are executed or copied. HPS is a polymorphic virus. This virus also tries to hide from anti-virus programs by deleting the data files created by those programs.

HPS virus changes the display of non-compressed bitmap (BMP) files by flipping the image sideways every Saturday.

HPS virus is not in the wild.


Other names of HPS virus:
This virus is also known as Win95.HPS and Hanta.

LOVESONG VIRUS

Information about the Lovesong Virus:

This virus infects 32-bit executable files under Windows 95 and Windows 98. This is a memory resident virus. When an infected file is run, it stays in memory and infects other executable files.

The virus copies its code to the last section of the file and changes the entry point to that location. The virus code contains the string LOVE.

It plays a song on the 1st of any month from March 2000 onwards.

Lovesong virus first appeared in March 2000.

Other names of Lovesong:
This virus is also known as W95/Lovesong.998.
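
The infection pattern described for Lovesong (virus code appended to the last section, entry point redirected there) leaves a structural trace that a scanner can check without executing the file. The sketch below is an added example, not code from the original page: it parses the PE headers and reports which section holds the entry point. It also flags an entry point that lies outside every section, which goes beyond what the text describes. The function names and the header-only sample image are constructed for illustration.

```python
import struct

def entry_point_section(data: bytes):
    """Return (index, section_count, name) of the section holding the PE entry point."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off, = struct.unpack_from("<I", data, 0x3C)             # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsect, = struct.unpack_from("<H", data, pe_off + 6)        # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe_off + 20)    # SizeOfOptionalHeader
    entry_rva, = struct.unpack_from("<I", data, pe_off + 40)   # AddressOfEntryPoint
    table = pe_off + 24 + opt_size                             # first section header
    for i in range(nsect):
        name, vsize, vaddr, rawsize = struct.unpack_from("<8sIII", data, table + 40 * i)
        if vaddr <= entry_rva < vaddr + max(vsize, rawsize):
            return i, nsect, name.rstrip(b"\0").decode("ascii", "replace")
    return None, nsect, ""          # entry point is not inside any section

def is_suspicious(data: bytes) -> bool:
    """Heuristic: entry point in the last of several sections, or in no section."""
    idx, nsect, _ = entry_point_section(data)
    return idx is None or (nsect > 1 and idx == nsect - 1)

def build_sample(entry_rva: int) -> bytes:
    """Constructed header-only PE image (.text, .data, .reloc); contains no code."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(224, b"\0")
    sects = b""
    for i, name in enumerate((b".text", b".data", b".reloc")):
        hdr = struct.pack("<8sIIII", name, 0x1000, 0x1000 * (i + 1), 0x200, 0x400 + 0x200 * i)
        sects += hdr.ljust(40, b"\0")
    return dos + b"PE\0\0" + coff + opt + sects

if __name__ == "__main__":
    for label, rva in (("normal layout", 0x1010), ("entry in last section", 0x3010)):
        sample = build_sample(rva)
        print(label, entry_point_section(sample), is_suspicious(sample))
```

Some legitimate packed or protected executables also start in their last section, so a hit is a reason to scan the file further, not a verdict.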

Win95/Elkern.B virus

Information about the Win95/Elkern.B virus:

This virus infects Windows 98, Windows Me, Windows 2000 and Windows XP computers. The Win32/Klez.E worm is the carrier of this virus. When the attachment containing the Klez.E worm is executed, Win95/Elkern.B is activated. It looks for open shares on the network and infects other computers on the network as well.

The file WQK.EXE can be of variable size because of its polymorphic behaviour. The virus infects executable files at random. It makes the registry changes mentioned in the WIN32/KLEZ.E information page.


Other names of Win95/Elkern.B virus:
This virus is also known as W95/Elkern.B and PE_Elkern.B.

INCA VIRUS

Information about the Inca virus:

This virus infects Windows 95 and Windows 98 Executable (EXE) files, Screen Saver (SCR) files, the boot sector of 1.44 MB floppy disks and compressed archives such as LHA, LZH, PAK, ZIP, ARJ and RAR files. The virus stays in memory and infects all of the above-mentioned types of target objects when they are accessed. Inca virus is polymorphic and multi-partite.

When the infected program is run, Inca virus creates a VXD (driver) file containing the virus code in the WINDOWS\SYSTEM directory and makes an entry in the SYSTEM.INI file to load the VXD. This file is loaded when the computer is booted, and the virus stays in memory until the computer is shut down.

While the virus is active in memory, it puts its dropper files in COM format inside all compressed archives and in the boot sector of floppy disks. It also tries to spread through mIRC.

Inca virus first appeared in December 1998 and it is in the wild.


Other names of Inca virus:
This virus is also known as Win95/Inca, Fono and El Inca.

PADANIA VIRUS

Information about the Padania virus:

This virus infects Windows 95 and Windows 98 Executable (EXE) files. The virus stays in memory and it will infect all Windows EXE files that are executed or copied.

The infection method of Padania virus is slightly different from that of the other Windows 95/98 viruses. It looks for a JMP instruction near the beginning of the EXE file and alters it to point to its code. The virus code in the infected file gets control only when this JMP instruction is encountered during execution. For this reason, some infected files may not be able to infect the computer and replicate further.

Padania virus is in the wild.


Other names of Padania virus:
This virus is also known as Win95/Padania.

MARBURG VIRUS

Information about the Marburg virus:

This virus infects Windows 95 and Windows 98 Executable (EXE) and Screen Saver (SCR) files.

Marburg is a complex polymorphic virus. To avoid detection, it does not infect many anti-virus software programs.

Marburg infects quietly for 3 months from the date of first infection. After 3 months, depending upon the time of execution of an infected file, Marburg displays the Windows error icon (the red cross) all over the screen.

Marburg virus first appeared in July 1998 and it is in the wild.

Other names of Marburg virus:
This virus is also known as W95/Marburg, Marburg.a and Marburg.b.

SPACES.1445 VIRUS

Information about the Spaces.1445 Virus:

Spaces.1445 virus infects executable files under Windows 95 and Windows 98. This is a memory resident virus. When an infected file is run, it stays in memory and infects other executable files. The virus copies its code to the last section of the file. It increases the file size by 1445 bytes.

It carries a payload. If the current system date is June 1st, it modifies the MBR of the hard disk. This causes data loss and makes the system unbootable.

Spaces.1445 virus first appeared in December 2000.

Other names of Spaces.1445:
This virus is also known as W95/Spaces.1445.

WEIRD.10240 VIRUS

Information about the Weird.10240 virus:

Weird virus infects executable files under Windows 95 and Windows 98. This virus is part of a remote control application, which consists of server, client and virus dropper programs. The server program carries the virus. When an infected file is run under Windows 95/98, the server program is copied to the Windows folder as ozq-ozfds2.exe (under Windows 95) or kzswoh.exe (under Windows 98). It copies EXPLORER.EXE as EXPLORER.A and infects the copy. During the next boot it copies EXPLORER.A back as EXPLORER.EXE using the WININIT.INI file. After the next boot the server program hides in memory and infects other executables.

An infected machine can be controlled from any system that is running the client program. The client program can even be used to clean the virus from the infected machine.

Weird.10240 virus first appeared in July 2000.


Other names of Weird.10240 virus:
This virus is also known as W95/Kuang.gr.