I-Worm.Horillk Viruses Information

Name: I-Worm.Horillk
Category: Viruses
Description: Details
I-Worm.Horillka

This malicious worm spreads via the Internet in the form of a file attached to infected messages. It is an encoded VBS script of 25562 bytes.
When downloaded, Horilka decrypts itself.
It copies itself to the Windows system directory under the name WinSys32dll.vbs, and registers this file in the system registry autorun key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WinSys32dll
The virus mass mails all addresses found in the Microsoft Outlook address book.
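Characteristics of infected messages:
Message header:
Внимание!
(English: "Attention!")
Message body:
Выпущено новое vbs обновление для поиска вирусов в памяти ОС Windows!
Оно помогает бороться с вирусами, рассылающимися по почте.
Антивирусный модуль написан на скрипт-языке, что помогает перехватывать
vb и js вирусы, прежде чем они начнут деструктивную деятельность.
Достаточно открыть файл и программа по устранению вирусов проведет поиск
вредоносных программ в памяти компьютера.
(English: "A new vbs update has been released for finding viruses in Windows OS memory! It helps fight viruses that spread by mail. The antivirus module is written in a script language, which helps intercept vb and js viruses before they begin destructive activity. Simply open the file and the virus removal program will search the computer's memory for malicious programs.")
Attachment:
a VBS script, WinSys32.dll.vbs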
Once messages have been sent, the virus sends its author a message which includes all .pwl (password) files found in the Windows directory.
Messages are sent once, when each user's configuration is loaded.
The virus copies itself to all disks and all directories under the name of Folderdll.vbs and marks these files as hidden.
It searches the Windows folder for files with the following extensions:
.vbs
.jpg
.jpeg
.gif
.bmp
.htm
.html
.avc
.txt
.doc
.mp3
.wav
.dbf
Horilka overwrites .vbs files with its own code.
It replaces .jpg, .jpeg, .gif and .bmp files with a GIF format graphic contained in the body of the virus.
It adds the following code to .htm and .html files:

.avc files are overwritten with the phrase:
Vyatka was here
.txt and .doc files are overwritten with the following text:
Уважаемые господа! Вас хакнул вирус из Вятки - задницы России.
Dear friends! You was hacked by virus from Vyatka (situated in deep ass of Russia)
..:: Xpi1oT ::..
.mp3 and .wav files are replaced by sound files contained in the body of the worm.
If the worm finds any files with a .dbf extension, it deletes them.
The virus is coded to display the announcement:
COOOOOOOOL
on 11th December every year, and to overwrite the autoexec.bat file with the following text:
@Windows upgrading your systemall
@Please wait
format c: /autotest /q /u
@Please wait...
format d: /autotest /q /u
@Your system was hacked by virus from Vyatka (situated in deep ass of Russia)
Once this takes place, the system will reboot, resulting in formatting of the C: hard disk.
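
A triage check built from the file-system indicators listed above, as an added example that is not part of the original write-up: it walks a directory tree (for instance a mounted image of an affected disk) and reports the dropped script names, .avc files carrying the overwrite phrase, and an autoexec.bat containing the format command. The function names, indicator labels and the sample tree in demo() are constructed for illustration.

```python
import tempfile
from pathlib import Path

# Indicators taken from the write-up; names are compared case-insensitively.
DROPPED_NAMES = {"winsys32dll.vbs", "winsys32.dll.vbs", "folderdll.vbs"}
AVC_MARKER = b"vyatka was here"
AUTOEXEC_MARKER = b"format c: /autotest /q /u"


def _contains(path, marker, limit=65536):
    """True if the first `limit` bytes of the file contain marker, ignoring case."""
    try:
        with open(path, "rb") as fh:
            return marker in fh.read(limit).lower()
    except OSError:
        return False  # unreadable file: skip it rather than abort the scan


def scan_tree(root):
    """Walk root and return sorted (indicator, relative_path) findings."""
    findings = []
    for path in (p for p in Path(root).rglob("*") if p.is_file()):
        name, rel = path.name.lower(), path.relative_to(root).as_posix()
        if name in DROPPED_NAMES:
            findings.append(("dropped-copy", rel))
        elif name.endswith(".avc") and _contains(path, AVC_MARKER):
            findings.append(("overwritten-avc", rel))
        elif name == "autoexec.bat" and _contains(path, AUTOEXEC_MARKER):
            findings.append(("format-payload", rel))
    return sorted(findings)


def demo():
    samples = {  # constructed sample tree, not real worm content
        "WINDOWS/SYSTEM/WinSys32dll.vbs": b"placeholder",
        "Docs/Folderdll.vbs": b"placeholder",
        "AVP/base.avc": b"Vyatka was here",
        "AVP/clean.avc": b"untouched database",
        "autoexec.bat": b"@Please wait\r\nformat c: /autotest /q /u\r\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return scan_tree(root)


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The Run-key entry is not covered by this scan; checking it requires a registry query on the live system or an offline hive parser.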



© 2006-2008 spyware32.com