S letter viruses. Scroll down the page to view or choose from the names below:
Shockwave | Ska | Sonic | Strunkenwhite
If you are unable to find a description for a particular virus, please contact me or post a message in the forum.

Shockwave
Aliases: Troj_Shockwave, Pro-Linux, Creative
Type: Email worm and Trojan
Systems Affected: Windows 32-bit systems
Payload: Renames .JPG and .ZIP files, then moves them to the root of the local drive (C:\).
ITW: Yes
Origin:
Description: Spreads via email as an attached file named CREATIVE.exe. The body of the email reads:
“Check out this new flash movie that I downloaded just now ... It’s Great
Bye”
Shockwave then drops a text file, MESSAGEFORU.TXT, which reads as follows:
“Hi, guess you have got the message. I have kept a list of files that I have infected under this. If you are smart enough just reverse back the process. i could have done far better damage, i could have even completely wiped your harddisk. Remember this is a warning & get it sound and clear... - The Penguin.”
Shockwave then mass mails itself to all the recipients in the infected user's address book, after which it sends an email to the presumed author, with the subject: “Job complete”. The message body of that email reads, “Got yet another idiot.”
What to look for: Search for MESSAGEFORU.TXT or CREATIVE.EXE
How to prevent it: Do not open attachments received unexpectedly, even if from known senders. Most email worms take advantage of the infected user's address book, and thus email worms are most likely to be received from a known source.

Ska
Aliases: Happy99, Spanska, W32.Ska
Type: Email worm
Systems Affected: Win 95, 98, NT, 2000
Payload: No
ITW: Yes
Origin:
Description: Each time the infected user sends an email or posts to a newsgroup, the worm composes and sends a second one with no text but carrying an infected attachment of itself.
What to look for: Check the Windows\System directory for the presence of SKA.EXE and SKA.DLL
How to prevent it: Do not open attachments named Happy99.exe. Do not open any unexpected attachments, regardless of source.

Sonic
Aliases:
Type: Email/Internet Worm
Systems Affected: Windows 32-bit systems
Payload: Worm contains upgrade ability, thus functionality could vary
ITW: Yes
Origin:
Description: Sonic travels as an attachment to email messages. If executed, the worm registers itself as a hidden service and copies itself to the Windows\System directory as GDI32.EXE. It also modifies the Run key in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, adding the value GDI=path\GDI32.EXE (where path signifies the path to the Windows\System directory). While doing this, the worm displays a message box titled Girls.Exe containing a message in French, which loosely translates to "this is not a valid Windows application".
The Sonic worm then downloads files from a GeoCities website. These files include LASTVERSION.TXT, which describes the latest version available; nn.ZIP, describing the latest version of the main component (the value nn is obtained from the LASTVERSION.TXT file); and GATEWAY.ZIP, which is the latest version of the Loader component. The .ZIP files are actually encrypted Windows EXE files. The Loader portion decrypts them and copies them to the Windows directory. The Main component, which also provides limited backdoor access capabilities, is copied to the Windows directory as GDI32A.EXE and the registry is modified accordingly. The worm then accesses the user's Address Book and sends itself to the addresses listed therein. Two such attachments are described below:
Subject: Choose your poison
which contains the attached filename GIRLS.EXE.
and
Subject: I'm your poison
which contains the attached filename LOVERS.EXE
What to look for: Search the registry for the modification described above. Search the Windows\System directory for the file GDI32.EXE and/or GDI32A.EXE (note that these filenames are very similar to other legitimate files in the Windows\System directory, so search for the exact name).
How to prevent it: Do not open any attachments received unexpectedly, even from known sources. Use up-to-date antivirus software, and save and scan attachments before opening.

Strunkenwhite
Type: Hoax
This is a hoax. Consult the Hoax Encyclopedia for information on this and other virus hoaxes.
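The "What to look for" checks listed for Shockwave, Ska and Sonic above, as an added example that is not part of the original encyclopedia: it matches the listed file names as whole names under a directory tree (so the legitimate GDI32.DLL is not flagged) and looks for the Sonic Run value in a registry export. The function names, the sample tree and the sample export are constructed for illustration, and the export is assumed to be REGEDIT4 text.

```python
import os
import re
import tempfile

# File names from the "What to look for" lines above, matched as whole names.
FILE_INDICATORS = {"MESSAGEFORU.TXT": "Shockwave", "CREATIVE.EXE": "Shockwave",
                   "SKA.EXE": "Ska", "SKA.DLL": "Ska",
                   "GDI32.EXE": "Sonic", "GDI32A.EXE": "Sonic"}
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"

def scan_tree(root):
    """Return sorted (worm, relative path) for files whose full name is an indicator."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            worm = FILE_INDICATORS.get(name.upper())  # exact, case-insensitive
            if worm:
                hits.append((worm, os.path.relpath(os.path.join(dirpath, name), root)))
    return sorted(hits)

def scan_run_export(reg_text):
    """Return (value, data) pairs in the HKLM Run key matching GDI=path\\GDI32.EXE."""
    hits, section = [], ""
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if m and section == RUN_KEY:
            data = m.group(2).replace("\\\\", "\\")  # .reg text doubles backslashes
            if m.group(1).upper() == "GDI" and data.upper().rsplit("\\", 1)[-1] == "GDI32.EXE":
                hits.append((m.group(1), data))
    return hits

# Constructed sample data, not taken from a real system.
SAMPLE_REG = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"GDI"="C:\\WINDOWS\\SYSTEM\\GDI32.EXE"
'''

def build_sample_tree():
    """Create a throwaway tree with one look-alike (GDI32.DLL) and two indicators."""
    sysdir = os.path.join(tempfile.mkdtemp(), "WINDOWS", "SYSTEM")
    os.makedirs(sysdir)
    for name in ("GDI32.DLL", "gdi32.exe", "Ska.dll", "USER32.DLL"):
        open(os.path.join(sysdir, name), "w").close()
    return os.path.dirname(os.path.dirname(sysdir))

if __name__ == "__main__":
    print(scan_tree(build_sample_tree()), scan_run_export(SAMPLE_REG))
```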

