Main Menu
Home
Bookmark
Contact Us

Categories
  Adware
  Adware Bundler
  AOL Exploit
  Backdoor
  Browser Hijacker
  Browser Plug-in
  Commercial Key Logger
  Commercial Remote Control
  Cookie
  Dialer
  E-Mail Flooder
  Hostile ActiveX Control
  ICQ Exploit
  Joke Program
  Key Logger
  Loader
  Low Risk Adware
  Misc
  Nuker
  P2P
  Password Hijacker
  Potential Privacy Risk
  Potentially Dangerous Tools
  RAT
  Search Hijacker
  Security Disabler
  Spyware
  Stealth Notifier
  Surveillance
  Toolbar
  Trojan
  Trojan Downloader
  Trojan FTP
  Trojan Telnet
  Viruses
  Worm
 


 
I-Worm.Thonic. Viruses Information

Name: I-Worm.Thonic.
Category: Viruses
Description: Details
I-Worm.Thonic.b

This worm spreads via the Internet as an attachment to infected files. The worm itself is a Windows PE EXE file. The body of the worm is encrypted and 7502 bytes in size.
The worm searches for PE files with the extensions .exe, .cpl, and .scr.
When infecting these files it writes itself to the end of the files in a section named .DCUbLmd
It does not infect already infected files.
The worm's code contains errors. It is unable to propagate independently.
A VBS script controls propagation via email. The script is 875 bytes in size, and saved as C:\cthonic.vbs
The executable file infects notepad.exe, and copies itself to the C: root directory as C:snowboard_accident.avi.[75 spaces]exe
It then executes the script to mail the file snowboard_accident.avi.[75 spaces]exe.
The worm contains the following text:
-=[YoG-SoTHoTH]=-
The Ancient Ones are near !!! Fear not these latter days of humanityall
Created by -=[YoG-SoTHoTH]=- on Sept2003
HEX EDITING BIATCHs.......FUCK OFF !!!
Win32.CthonicWorm.1a by -=[Azag-TH0TH]=-
It changes the system registry
[SOFTWAREMicrosoftWindowsCurrentVersionRun]
to ensure that the body of the worm is launched every time the system is started.
Infected messages:
Subject:
Hey check out this funny video my friend sent me !
Message body:
Mail Body
Attachment name:
C:snowboard_accident.avi.[75 spaces]exe
The worm is activated when the user launches the infected file by clicking twice on the attachment. Once this is done, the executable system files will be infected.
The worm uses Windows MAPI function to send messages.
Mass mailing
When sending infected messages, the worm accesses MS Outlook and sends itself to all addresses harvested from the address book.
It also propagates via mIRC.



Top Viruses Visited Pages:
Invader. - 239 visits
not-a-virus:RiskWare.Tool.RegPatch. - 72 visits
Worm.P2P.Harex. - 66 visits
not-a-virus:RemoteAdmin.Win32.RAdmin.2 - 60 visits
Small.58. - 56 visits
Coito.64 - 54 visits
I-Worm.Mapson. - 48 visits
Win16.Klon.1177 - 42 visits
Win32.Hidra - 42 visits
Marine.500 - 35 visits

Random Viruses Pages:
Voyager2.50
Die.66
Avalon.81
Rasek.149
Macro.Word97.Trojan.Thie
Attention.39
Strik
BAT.HexViru
I-Worm.DragonBal
ByteWipe.120


 

© 2006-2008 spyware32.com - Privacy Policy