VIRUS DETAILS


THE LATEST VIRUSES

911 VIRUS, a self-propagating Java Script

BackOrifice 2000.Trojan (aliases Back Orifice 2000, BO2K)

Worm.ExploreZip

PrettyPark.Worm (aliases Trojan Horse, W32.PrettyPark)

Remote Explorer (the first true Windows NT virus)

Chernobyl or CIH virus

Melissa

Picture.exec

HTML.Internal, yes a virus which hits web page code

Worms and other trojan-horse type programs demonstrate the need to practice safe computing. You should not launch any executable-file attachment (EXE, SHS, MS Word or MS Excel file) that comes from an untrusted email or newsgroup source. Such files should always be scanned by antivirus programs using the latest virus definitions.
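As an added example (not code from the original page), here is a small Python triage script that applies the rule above to an incoming message: it parses the MIME structure, lists the attachments, and flags any whose final extension is on a deny list. The extension list extends the page's EXE/SHS/DOC/XLS with a few script and screen-saver types as a local policy assumption, and the sample message is constructed, not a real capture.

```python
import email
from email import policy

# Extensions the page says never to launch from untrusted mail (exe, shs, doc,
# xls), plus a few script/screen-saver types added here as a policy assumption.
RISKY_EXTENSIONS = {"exe", "shs", "doc", "xls", "vbs", "bat", "scr", "pif", "com"}

# Constructed sample message (not a real capture) in the shape the page
# describes: a friendly reply carrying a zipped_files.exe attachment.
SAMPLE_RAW = """From: friend@example.com
To: me@example.com
Subject: Re: your mail
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Take a look at the attached zipped docs.
--XYZ
Content-Type: application/octet-stream; name="zipped_files.exe"
Content-Disposition: attachment; filename="zipped_files.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--XYZ
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

just text
--XYZ--
"""


def attachment_names(raw):
    """Return the file names of all non-container MIME parts that carry a name."""
    msg = email.message_from_string(raw, policy=policy.default)
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # the multipart wrapper itself is not an attachment
        name = part.get_filename()  # Content-Disposition filename, else Content-Type name
        if name:
            names.append(name)
    return names


def extension(name):
    """Final dot-separated component, lowercased; 'report.doc.exe' -> 'exe'."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def risky_attachments(raw):
    """Attachments whose final extension is on the deny list."""
    return [n for n in attachment_names(raw) if extension(n) in RISKY_EXTENSIONS]


if __name__ == "__main__":
    for name in risky_attachments(SAMPLE_RAW):
        print("do not launch:", name)
```

The check uses only the last extension, so a double-extension name such as report.doc.exe is judged by the .exe that Windows will actually execute.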


911 Virus: the following message from the government came from http://www.nipc.gov/nipc/advis00-038.htm

NATIONAL INFRASTRUCTURE PROTECTION CENTER INFORMATION SYSTEM ADVISORY (NIPC ADVISORY 00-038);
SELF-PROPAGATING 911 SCRIPT

1. A recent and breaking FBI case has revealed the creation and dissemination of a self-propagating script that can erase hard drives and dial-up 911 emergency systems. While investigation and technical analysis continue, the script appears to include the following characteristics:

A. Actively search the internet for computer systems set up for file and print sharing and copy itself onto these systems. Warning: for Windows systems this is the default setting, so you must turn it off if you do not share files.

B. Overwrite victim hard drives; i.e., wipe out what you have.

C. Cause victim systems to dial 911 (possibly causing emergency authorities to check out substantial numbers of "false positive" calls).

2. To this point, case information and known victims suggest a relatively limited dissemination of this script - several thousand computers connected through AOL, AT&T, MCI, and Net-Zero. If you have the virus and your hard drive survives, you can find it by looking for directories named CHODE, FORESKIN, or DICKHAIR. Further analysis by the FBI/NIPC continues. If your virus protection has been updated since February, 2000, then you should be protected.

3. FBI/NIPC REQUESTS RECIPIENTS IMMEDIATELY REPORT INFORMATION RELATING TO USE OF THIS SCRIPT TO THE LOCAL FBI OR FBI/NIPC WATCH AT 202-323-3204/3205/3206. AS MORE TECHNICAL OR OPERATIONAL INFORMATION ABOUT THIS SCRIPT DEVELOPS, NIPC WILL DISSEMINATE THIS INFORMATION THROUGH THE CARNEGIE MELLON CERT, ANTIVIRUS VENDORS OR ITS OWN WEB SITE (www.nipc.gov), AS APPROPRIATE.

BackOrifice 2000.Trojan Aliases: Back Orifice 2000, BO2K (July 11, 1999)

Infects Microsoft Windows 9x and NT

Characteristics: Backdoor Trojan Horse

Description: Back Orifice 2000 is a new version of BackOrifice.Trojan. When installed on a Microsoft Windows system, this backdoor trojan horse program allows others to gain full access to the system through a network connection. Similar to the original BackOrifice, it consists of two pieces: a server and a client application. However, now both applications are capable of running under Windows NT. The client application, running on one machine, may be used to monitor and control a second machine running the server application. The port number through which the client controls the server is configurable. However, as long as the port is blocked by a firewall, this trojan horse will not be able to infiltrate the server. It does not matter whether the TCP or UDP protocol is implemented. There have not been any reports of this program being able to break through a firewall. 

Worm.ExploreZip

Worm.ExploreZip contains a very malicious payload: a worm. The worm e-mails itself out as an attachment in reply to unread e-mail messages it finds in your Inbox. Thus, the e-mail message may appear to come from a known e-mail correspondent in response to a previously sent e-mail.

The e-mail contains the following text:

Hi Receipient Name!
I received your email and I shall send you a reply ASAP.
Till then, take a look at the attached zipped docs.
bye or sincerely
Receipient Name

You may receive this worm as a file attachment named zipped_files.exe. When run, this executable will copy itself to your Windows System directory with the filename "Explore.exe", or your Windows directory with the filename _setup.exe. The worm modifies your WIN.INI or registry such that the Explore.exe file is executed each time you start Windows.

ExploreZip utilizes Microsoft Outlook, Outlook Express, and Microsoft Exchange to mail itself out by replying to unread messages in your Inbox. The payload of the worm will destroy any file with the extension .h, .c, .cpp, .asm, .doc, .ppt, or .xls on your hard drive(s), as well as any mapped drives, each time it is executed. The worm will also search the mapped drives for Windows installations and copy itself to the Windows directory, and then modify the WIN.INI file. This will infect systems without e-mail clients. This continues to occur until the worm is removed.



PrettyPark.Worm Aliases: Trojan Horse, W32.PrettyPark

This is a worm program that behaves similarly to the Happy99 worm. This worm program was originally spread by email spamming from a French email address. The attached program file is named "PrettyPark.EXE". When the attached program called "PrettyPark.EXE" is executed, it may display the 3D pipe screen saver. It will also create a file called FILES32.VXD in the WINDOWS\SYSTEM directory and modify the following registry entry value from "%1" %* to FILES32.VXD "%1" %* without your knowledge:

HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command

Once the worm program is executed, it will try to email itself automatically every 30 minutes (or 30 minutes after it is loaded) to email addresses registered in your Internet address book. It will also try to connect to an IRC server every 30 seconds and connect to a specific IRC channel. This connection can potentially be used maliciously.
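The persistence tricks described for Worm.ExploreZip (a run= line in WIN.INI or a registry Run entry launching Explore.exe) and for PrettyPark (a program inserted in front of "%1" %* in the exefile open command) can be checked offline from exported configuration. The following Python is added here and is not part of the original page: it parses a constructed WIN.INI and a constructed .reg export, reports every autorun entry, and flags any exefile command that differs from the stock value. The minimal .reg parser, the suspect file-name list (taken from the names this page attributes to ExploreZip, PrettyPark and Picture.exe) and both samples are this example's own assumptions.

```python
# Constructed sample WIN.INI (not a real capture). ExploreZip is described as
# arranging for Explore.exe to start with Windows; the run= line is one way.
SAMPLE_WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\SYSTEM\\Explore.exe
NullPort=None

[Desktop]
Wallpaper=(None)
"""

# Constructed registry export in .reg syntax (not a real capture). The exefile
# command carries the PrettyPark-style FILES32.VXD prefix in front of "%1" %*,
# and the Run key has an entry pointing at the ExploreZip file name.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command]
@="FILES32.VXD \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Explore"="C:\\WINDOWS\\SYSTEM\\Explore.exe"
'''

EXEFILE_KEY = r"HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command"
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
STOCK_EXEFILE_COMMAND = '"%1" %*'  # the original value as the page gives it
# File names the page attributes to ExploreZip, PrettyPark and Picture.exe
SUSPECT_NAMES = {"explore.exe", "_setup.exe", "files32.vxd", "note.exe"}


def win_ini_autoruns(text):
    """Non-empty run= and load= values from the [windows] section of WIN.INI."""
    found, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "windows" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() in ("run", "load") and value.strip():
                found[key.strip().lower()] = value.strip()
    return found


def parse_reg(text):
    """Minimal .reg parser for string values: {key_path: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and "=" in line:
            name, data = line.split("=", 1)
            name = "(default)" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                # undo .reg escaping: \" is a quote, \\ is a backslash
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def check_exefile_command(keys):
    """Return the exefile open command if anything was inserted before "%1" %*."""
    command = keys.get(EXEFILE_KEY, {}).get("(default)", "")
    return command if command and command != STOCK_EXEFILE_COMMAND else None


def program_name(command):
    """First token of a command without its directory, lowercased."""
    first = command.strip().split()[0] if command.strip() else ""
    return first.replace("\\", "/").rsplit("/", 1)[-1].lower()


def findings(win_ini_text, reg_text):
    """All autorun-style entries as (source, location, command) tuples."""
    out = [("win.ini", k, v) for k, v in win_ini_autoruns(win_ini_text).items()]
    keys = parse_reg(reg_text)
    hijacked = check_exefile_command(keys)
    if hijacked:
        out.append(("registry", "exefile command", hijacked))
    for name, data in keys.get(RUN_KEY, {}).items():
        out.append(("registry", "Run\\" + name, data))
    return out


def suspicious(entries):
    """Entries whose launched program matches a name from this page."""
    return [e for e in entries if program_name(e[2]) in SUSPECT_NAMES]


if __name__ == "__main__":
    for entry in suspicious(findings(SAMPLE_WIN_INI, SAMPLE_REG)):
        print(*entry)
```

The exefile check is deliberately an exact comparison against "%1" %* rather than a search for FILES32.VXD, so any other program wedged in front of every .EXE launch is reported too.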


WM97/Mimir-A 30

WM97/Mimir-A is a very dangerous Microsoft Word worm.

If you open the document, it will overwrite the four most recently opened documents with a copy of itself. It will then search for all documents in the current directory and in all of its subdirectories and overwrite them also with a copy of itself. When Word is open, the worm displays the caption "MiMiR is giving your computer new intelligence!".

If Microsoft Outlook is installed on the machine, the worm will email itself to all contacts in the contacts' database as an attachment to the message "Some nice jokes you got to read!!".

On September 4 or April 9, it will delete the file IO.SYS from the root of drive C and display the message "...Sorry..MIMIR has infected you PC..."



Remote Explorer

Analysis: Introduction

Remote Explorer was discovered on December 17th, 1998 by Network Associates International. The virus had infected multiple workstations and servers at MCI. Remote Explorer (the first true Windows NT virus) must be introduced into a network with Administrator privileges in order to replicate throughout it. If it does not have Admin rights, it can only infect the files and directories that the current user has access to. With these two facts in mind, ICSA Malicious Code Lab believes that this virus was an isolated incident and is not a threat to corporate or home users at this time.

How It Really Works

If a user with Administrator privileges executes an infected file, the virus will install itself as an NT Service with the name "Remote Explorer". The newly installed service resides on the system as the file "IE403R.SYS", located in the "\WinNT\System32\drivers" directory. The virus can modify its own priority setting within NT, setting it to the lowest priority during the week (Monday-Friday 6AM-3PM) and one notch above lowest on weekends and between the hours of 3PM and 6AM. Remote Explorer can infect files on "remote" or attached drives located on other servers and workstations, provided the Admin account can access these drive shares. When activated the virus will pick a directory at random and attempt to infect all .EXE files in that target directory. Peculiarly, the virus does not check whether the .EXE files are truly Win32 files, and therefore some DOS and 16-bit Windows apps can become infected (and will not work after infection). The infection is not stealthed in any way, and a newly infected .EXE file will have grown in size by roughly 125K, a noticeable difference. Any other files found in the target directory are then encrypted, with the exception of .DLL and .TMP files. At this time most antivirus vendors have released detection and removal utilities or patches to their products.
If you are concerned that you are at risk, we recommend checking with your vendor and obtaining the latest scan engine and signature files.



Chernobyl or CIH virus

Term projects or other important data. A hardware distributor in Silicon Valley had to replace 80 percent of its workstations. In South Korea, an estimated 240,000 PCs were paralyzed. Why? They were all hit Monday by the CIH virus, also known as Chernobyl. But it didn't have to happen. Software companies have become so good at finding and disabling viruses that these users could have protected their systems, had they bought antivirus programs and downloaded the proper patches in time. And it came with plenty of warning.

Computer security experts have known about the Chernobyl virus since last summer. Set to strike on the anniversary of the nuclear accident in the former Soviet Union, it can enter a computer and lie dormant until April 26, when it's scheduled to drop its payload. It enters systems running Windows 95 or 98, and it infects applications as they are opened. According to Data Fellows Corp., the CIH has a troublesome activation routine: After affecting a computer's hard drive, it will try to overwrite the Flash BIOS chip. If this succeeds, the machine will be unable to boot at all unless the chip is reprogrammed.

An example of this happened at Boston College. The Boston Globe reported that when Patrick Morrissey turned on his laptop Monday morning, the screen read "operating system not found," leaving inaccessible thousands of email messages and a 1,000-word theology paper that was due the same day. Morrissey's roommate, Drew Wetzler, lost eight hours of work he had done for an accounting project, the Globe reported. Morrissey acknowledged using pirated software he downloaded from the Internet. Experts say these are particularly likely to be infected.

A Silicon Valley distributor, meanwhile, reported having to replace 40 computers, or 80 percent of its workstations. The company, which preferred to remain unnamed, said that about 20 percent of customers who called from around the country requested new motherboards to replace ones that had been hit by Chernobyl.

Across the Pacific, the virus disabled an estimated 240,000 computers in South Korea, according to a report from ZDNN. "Two to 3 percent of 8 million PCs in use domestically are estimated to have been infected," the Information and Communication Ministry said Tuesday. The ministry said antivirus program developers received reports of infection from about 1,000 private companies, 200 government and public organizations, and 300 universities.

ZDTV's Luke Reiter observed that the recent outbreak of the Melissa virus may have prompted a lot of people in the United States to update their antivirus software. This may account for the relatively small number of hits reported in this country.

But if you've lost data to a CIH hit, you still may be able to recover it. Alex Wellen reported Monday on ZDTV that data-recovery specialists say the CIH doesn't always destroy the data on a computer hard drive, but rather makes a machine believe it has been erased. It does this by eliminating the first megabyte, which includes "roadmaps" the computer uses to find files. Ontrack Data International told Wellen that if your machine has been hit by the CIH, don't lose hope for recovering your data. But what about protecting your machine before the virus hits?




W97M.Melissa.BG, Also known as: ResumeWorm, W97M.Resume.A

W97M.Melissa.BG is a Word 97 macro virus whose payload deletes necessary system files. It also sends itself out through e-mail using Microsoft Outlook. The subject of the e-mail is "Resume - Janet Simons".


Melissa is an email attachment virus. After being discovered on Friday March 27, 1999, it whacked industry heavyweights like Lucent Technologies, Microsoft and Intel, as well as government and military sites. Experts say they've never seen a virus spread so fast (well, of course: it multiplies by 50 at every hop, so it grows exponentially). Along with some email, Melissa comes as an attachment. IF YOU DO NOT OPEN THE ATTACHMENT and contact your expert, you will be safe.

The virus is known as 'Melissa' or W97M/Melissa.A, after the name of the class module that contains the macro virus. (There's no official name, and you'll also see it called W97M_Melissa or W97M.Mailissa.A.)

More specifically: this is a new macro virus for Word 97 and Word 2000 that uses Microsoft Outlook (not Outlook Express) to send itself to lots of people very fast, right under your nose. As a result it has spread like wildfire through company email systems and across the Internet, causing havoc in places you would not expect, like the home offices of Microsoft Corp. and Intel Corp., among many others.

What does the Melissa virus do? The new "Melissa" virus infects Microsoft Word documents using Visual Basic for Applications -- the built-in scripting language in the Microsoft Office suite. The virus has three main actions:

1. It infects Word and spreads to all Word documents you open.
2. It changes some settings to ease infection.
3. It e-mails itself using Microsoft Outlook, masquerading as a message from you.

When you open an infected Word document, Melissa spreads to your NORMAL.DOT document template. This is where Word stores your custom settings and default macros. By copying itself into NORMAL.DOT, Melissa ensures that your Word installation is infected and any documents or templates you create will get the virus added. It also ensures that the virus code runs every time you open or close a document.

How to protect yourself from Melissa!!!

Check for the registry key HKEY_CURRENT_USER\Software\Microsoft\Office\Melissa? with the value "... by Kwyjibo". If you have this registry key, then that machine has been infected by Melissa at some stage. Note that you might have it even if you never received the e-mail message described below.

If you receive an e-mail message fitting the following description, you should delete it immediately and advise the sender that they have been infected:

SUBJECT: Important Message From < the name of someone you know>

BODY: Here is that document you asked for ... don't show anyone else ;-)

ATTACHMENT:

Aside from that, the advice for protection from Melissa is much the same as for any macro virus. However, these steps are important and should not be ignored. The level of macro-virus protection supplied by Microsoft in its products is rudimentary, so you have to take your own precautions.
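Two of the Melissa indicators given above, the registry marker carrying the "... by Kwyjibo" value and the e-mail subject/body template, can be turned into a simple check. This Python is an added example and not from the original page: it matches a message's subject and body against the template and looks for the marker in a dictionary of exported registry values. Because advisories write the marker either as a key path ending in Melissa? (as this page does) or as a value named Melissa? under the Office key, the check accepts both forms; that choice and the sample mail are this example's assumptions.

```python
import re

# Template the page gives: subject "Important Message From <name>" and a body
# beginning "Here is that document you asked for ..."
SUBJECT_RE = re.compile(r"^Important Message From\s+(.+)$", re.IGNORECASE)
BODY_PHRASE = "here is that document you asked for"

# Registry marker. The page writes it as a key path ending in Melissa?; other
# advisories describe a value named Melissa? under the Office key. Both are
# accepted here (assumption of this example).
MARKER_DATA = "... by Kwyjibo"
MARKER_AS_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Office\Melissa?"
MARKER_PARENT = r"HKEY_CURRENT_USER\Software\Microsoft\Office"

# Constructed sample message (not a capture) in the shape the page describes
SAMPLE_SUBJECT = "Important Message From Alice Example"
SAMPLE_BODY = "Here is that document you asked for ... don't show anyone else ;-)"

# Constructed registry snapshot: {key_path: {value_name: data}}
SAMPLE_REGISTRY = {MARKER_PARENT: {"Melissa?": "... by Kwyjibo"}}


def melissa_mail_indicator(subject, body):
    """Spoofed sender name when subject and body match the Melissa template, else None."""
    m = SUBJECT_RE.match(subject.strip())
    if m and BODY_PHRASE in body.lower():
        return m.group(1).strip()
    return None


def melissa_marker_present(registry):
    """True if the Kwyjibo marker exists in either of the two documented forms."""
    as_key = registry.get(MARKER_AS_KEY, {}).get("(default)")
    as_value = registry.get(MARKER_PARENT, {}).get("Melissa?")
    return MARKER_DATA in (as_key, as_value)


def melissa_triage(subject, body, registry):
    """Combine the mail and host indicators into one verdict."""
    sender = melissa_mail_indicator(subject, body)
    return {
        "mail_matches_template": sender is not None,
        "claimed_sender": sender,
        "host_marker_present": melissa_marker_present(registry),
    }


if __name__ == "__main__":
    print(melissa_triage(SAMPLE_SUBJECT, SAMPLE_BODY, SAMPLE_REGISTRY))
```

The claimed sender is returned rather than trusted: as the page notes, the message only masquerades as coming from that person, and they are the one to warn.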

First, make sure Office's built-in macro guards (such as they are) are turned on:

Word 97: go to the menu option Tools | Options | General | Macro virus protection and put a check in the box.

Word 2000: go to the menu option Tools | Macro | Security and make sure the Security Level is set to medium or high. The dialog box explains what each of those settings means.

This isn't complete protection -- all it does is give you a warning when a document or template you open has a macro in it. The macro may, or may not, be a virus. Word 97 gives you no idea what the macros are -- just the choice to Enable or Disable them. Unless you are absolutely sure the document doesn't have a virus, you should click on "Disable Macros." This will open the document but not run any macros, good or bad. Alternatively, you can click on the Cancel button, which closes the document, and then run your updated anti-virus software over the document to see if it has any viruses.



Picture.exec is not a virus, it is a Trojan that was sent out between Christmas and New Year 1998. The Trojan was also posted to several newsgroups and spammed to users as an email attachment. After the user runs the picture.exe program the Trojan creates a file in the windows directory called note.exe and adds a run statement in the win.ini to run note.exe the next time windows starts up. The next time the user starts windows the Trojan attempts to send filenames, URLs recently visited and AOL username and password to an email address (abreb@hotmail.com and chinafax@263.net).



HTML.Internal is a "proof of concept virus" and is (at this time) the fourth known HTML-infecting virus. This particular virus, however, is the first of its type that does not simply overwrite or require a 'companion file'. The virus code searches for .htm and .html files on the local drive (the user's machine) and infects them once found.

The virus itself is written in Visual Basic Script (VBScript) a language that allows for "active content" on web pages (similar to javascript). Due to the ActiveX objects that HTML.Internal uses, the virus will only be able to execute under IE40 and above. A Windows 95 and NT system must have Windows Scripting Host (WSH) installed (available from Microsoft). WSH is installed by default with Windows 98.
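Because HTML.Internal is described as VBScript that relies on ActiveX objects to reach the local .htm and .html files, one defensive check is to scan web content for VBScript blocks that instantiate file-system or shell objects, which ordinary page scripting has no reason to do. The Python below is an added example and not code from the original page or the virus; the list of ProgIDs it treats as file-writing, the two sample pages, and the scan_tree helper are constructed assumptions.

```python
import re
from pathlib import Path

# A <script ...>...</script> block and its attributes (attributes in group 1)
SCRIPT_RE = re.compile(r"<script([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
# VBScript is declared either by language= or by type=
LANG_RE = re.compile(r'language\s*=\s*"?vbscript"?', re.IGNORECASE)
TYPE_RE = re.compile(r'type\s*=\s*"?text/vbscript"?', re.IGNORECASE)
# CreateObject("ProgID") is how VBScript instantiates an ActiveX object
ACTIVEX_RE = re.compile(r"""CreateObject\s*\(\s*["']([A-Za-z.]+)["']\s*\)""", re.IGNORECASE)

# ProgIDs that give script access to the file system or a shell (assumption:
# a local list; extend it to taste)
FILE_WRITING_PROGIDS = {"scripting.filesystemobject", "wscript.shell"}

# Constructed sample pages (not the virus): one VBScript block that obtains a
# file-system object, and one harmless JavaScript page.
SUSPECT_PAGE = """<html><body>
<script language="VBScript">
Set fso = CreateObject("Scripting.FileSystemObject")
</script>
</body></html>"""
CLEAN_PAGE = """<html><body>
<script language="JavaScript">document.write("hi")</script>
</body></html>"""


def vbscript_activex_uses(html):
    """ProgIDs instantiated from VBScript blocks in the page, in order of appearance."""
    uses = []
    for m in SCRIPT_RE.finditer(html):
        attrs, body = m.group(1), m.group(2)
        if LANG_RE.search(attrs) or TYPE_RE.search(attrs):
            uses.extend(ACTIVEX_RE.findall(body))
    return uses


def is_suspect(html):
    """True if any VBScript block creates a file-system or shell object."""
    return any(p.lower() in FILE_WRITING_PROGIDS for p in vbscript_activex_uses(html))


def scan_tree(root):
    """Yield .htm/.html files under root that is_suspect() flags (hypothetical helper)."""
    for path in Path(root).rglob("*"):
        if path.suffix.lower() in (".htm", ".html") and path.is_file():
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue
            if is_suspect(text):
                yield path


if __name__ == "__main__":
    print("suspect:", vbscript_activex_uses(SUSPECT_PAGE))
    print("clean:", vbscript_activex_uses(CLEAN_PAGE))
```

The check is on the content of local pages, so it also catches the second-generation infection the page describes: .htm and .html files on the user's own drive that have had the script added to them.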
