W32.Alcarys@mm
Discovered on: February 14, 2002
W32.Alcarys@mm is a mass-mailing worm that also overwrites files and infects Microsoft Word documents. (For information on the Word document infection, please refer to W97M.Pacol.A.)
Type: Worm
Infection Length: 12,288 bytes

Payload:
Large scale e-mailing: Mass Mails itself to all recipients in the Outlook Address Book
Deletes files: overwrites ".htm", ".scr", ".com", and ".exe" files
Compromises security settings: Disables Microsoft Word2000 Security settings
Distribution:

Subject of email: sounds of sex and other stuffs
Name of attachment: SexSound.exe, Readme.txt, http://www.EcstasyRUs.com, and syra.scr
Size of attachment: 12,288 bytes

Technical description:
When W32.Alcarys@mm is run, it does the following:
1. It sends itself to all contacts in the Microsoft Outlook address book. The email has the following characteristics:
Subject: sounds of sex and other stuffs
Message: ....Hear me and my girlfriend moan...We spent yesterday's night having sex... I've also included a list of haiku, a cool talking screensaver and a link to a site offering cheap ecstasy pills.. enjoy..

http://www.symantec.com/avcenter/ven...lcarys@mm.html

W32.HLLO.6144
Discovered on: February 14, 2002

W32.HLLO.6144 is a virus that overwrites all .com, .exe and .scr files in all folders.
Type: Virus
Infection Length: 6144
Damage: High
Payload: Overwrites files
Technical description:
W32.HLLO.6144 is written in a high-level language. When it is executed, it searches for all .com, .exe, and .scr files in all folders on the hard drive. It then replaces these files with an exact copy of itself. The replaced program files are not repairable.

http://www.symantec.com/avcenter/ven...hllo.6144.html



IRC.Worm.Ceyda
Discovered on: February 14, 2002

This is an IRC worm that sends itself to others using IRC. It allows an attacker to gain control of an infected system.

Also Known As: IRC-Worm.Ceyda.6574, mIRC/Ceydem.6953/6966, pIRCH/Ceydem.6966
Type: Worm
Infection Length: 6,574 bytes
Threat Assessment: Low
Technical description:
This worm is an encrypted DOS executable file. When it is executed, it does the following:
1. First, it decrypts itself.
2. It then creates the Winstart.bat file in the C:\Windows folder.
3. Next, it creates the C:\Windows\Windowsuser2 folder, and copies itself to that location.
4. It then executes the batch file. The batch file makes another copy of the worm in the \Windowsuser2 folder with the file name CeydaDemet___TurkishGirl.JPG.com.
5. It also creates a Script.ini file in the C:\Mirc folder. The worm replaces certain commands in the Script.ini with commands to format the hard drive and to send itself to others.

http://www.symantec.com/avcenter/ven...orm.ceyda.html


W32.Valcard
Discovered on: February 14, 2002
W32.Valcard is a simple mass-mailing worm that copies itself to C:\Windows\System\ValentineCard.exe. It sends itself to all recipients in the Microsoft Outlook address book. It also creates and runs the file C:\Evil.jpg.

http://www.symantec.com/avcenter/ven...2.valcard.html