The in-depth knowledge of dangerous viruses that can destroy, anyone system | How to protect system | History, and origin of these viruses | Top 10 viruses of all time |Cryptolocker, ILOVEYOU worm, etc.

The top 10 most dangerous viruses of computer world all-time… || How to Prevent your system from it.


1. CryptoLocker

What is CryptoLocker?

CryptoLocker is now a popular piece of malware that can seriously damage any data-driven organization. Once the code is activated, it uploads files to computers and partitions of the network and “treats them as a ransom”, encouraging any user who tries to open a file to pay a fee so that they can download it. For this reason, CryptoLocker and its variants have become known as “rescue.”

Malware-like CryptoLocker can access a secure network through multiple channels, including email, file sharing sites, and downloads. New varieties have successfully eliminated anti-virus and firewall technology, and it is reasonable to expect that more will continue to emerge who are able to break through security measures. In addition to reducing the limit of what a malicious host can damage by using affected access controls, investigative and repair controls are recommended as the next line of protection.

What about CryptoLocker?

When done, CryptoLocker initiates a drive scan on the networks that the home keeper connects to folders and documents (see file types), and renames and encrypts what you have permission to modify, as determined by the code user credentials.

CryptoLocker uses an RSA 2048-bit key to encrypt files and renames files by adding an extension, such as .encrypted or .cryptolocker or. [7 random letters], depending on the variant. Finally, the malware creates a file in each relevant directory that links to a web page with decryption instructions that require the user to pay (e.g. with bitcoin). Tutorial file names are usually DECRYPT_INSTRUCTION.txt or DECRYPT_INSTRUCTIONS.html.

As new diversity is revealed, details will be added to the Varonis Connect interview at Royalware. For example, a variant known as “CTB-Locker” creates a single file in the directory where it begins to encrypt files, named,! Decrypt-All-Files- [RANDOM 7 chars] .TXT or! Decrypt-All-Files – [RANDOM 7 chars] .BMP.


How to disable CryptoLocker…

The more files a user account has access to, the more road damage can cause. Restricting access is a course of understanding, as it will reduce the limit of what can be encrypted. In addition to providing a malware protection line, it will reduce potential exposure to other attacks from internal and external actors.

While access to the minimal right model is not a quick task, it is likely to reduce immediate exposure by removing non-accessible global groups from access control lists. Groups such as “Everyone,” “Certified Users,” and “Domain users,” when used in data containers (such as folders and SharePoint sites) may disclose all hierarchies to all users in the company. In addition to the easy intentions of theft or misuse, these undisclosed data sets may be vulnerable to malware attacks. On file servers, these folders are called “open shares,” if the file system and sharing permissions are available through a global access group.

While it is very easy to use technology designed to find and remove global access groups, it is possible to see open shares by creating a user who is not a member of the group, and by using account authentication that “scans” the file-sharing environment. For example, even basic commands from the windows cmd shell can be used to optimize and test accessibility shares:

net view (including nearby athletes)
full view \ host (access to shares)
use of X X: \ host share (drive to share)
dir / s (lists all user-readable files under assignment)
These commands can be easily integrated into the batch text to identify easily accessible folders and files. Removing this without automation, unfortunately, can be time-consuming and risky, as it is easy to compromise a normal business activity if you are not careful. When specifying a large number of folders available, consider.


2. PlugX

Take a deeper Dive into the plugX Malware…

In June 2017, Palo Alto’s team Threat Research Threat Research published an excellent blog post with a new version of the malware family, also known as “Korplug.” Curious to find out more about this new variant, I started digging and found that there were many new samples of “plugX v1.” This is not surprising given the fact that the developer of a single version of the malware has been available for many years publicly. However, this only piqued my curiosity. I decided to look at where these old samples were used and whether there was some guidance. With regard to malware detection, it is always exciting to see the old code being duplicated or reused in new attacks and campaigns, as seen in the rise of Shamoon Malware in 2016.

History of plugX Malware…

The malware family of plugX is best known to investigators, with samples dating back to 2008, according to Trend Micro investigators. PlugX is a fully-featured Remote Access / Trojan (RAT) tool with features such as file uploads, downloads, and conversions, keystroke login, webcam control, and remote access to cmd.exe.

Until recently, different versions of plugX malware maintained consistent encryption, configuration, and persistence – without the appearance of a tool developed over the years. In 2014, there was a resurgence of this malware family, making it the most widely used family that year, according to Crazystrike’s Global Threat Report released in February 2015. Changes in command and control (C2) options contributed to this recurrence because malware the authors used a new DNS C2 method that made it difficult to get traffic.

Until the end of 2016, the most common method of infection with plugX was the same: Malware uninstallation was commonly introduced through a criminal campaign to steal sensitive information, either as a RAR (SFX) archive, archive link, or embedded in archive documents. This history contains three files that make up the plugX elements. An example of these three items is as follows (RAR archive with SHA-256 hash 1c0379481d17fc80b3330f148f1b87ff613cfd2a6601d97920a0bcd808c718d0:

Although the above sample used the NVIDIA program, many plugX samples of this standard application are compatible with complaints about antivirus or various other security products. Because this implementation is signed, legitimate applications, security products that cannot be tagged. In addition, the use of antivirus-related resources may be to take advantage of the product’s final wear.

There has been a lot of extensive analysis of the plugX variety above in recent years, as shown by the long – and yet incomplete – references in the Appendix to this post, so I will not be re-analyzing it in full. However, a brief overview of the “Original” or “classic” plugX approach is available below.


Classic Killing PlugX Kill…

Below is a demonstration of how to kill plugX variants of plugX – many variants almost follow this method, but there are some deviations. The flow of murder continues as follows:

Three plugX components are archived into a temporary directory in the system.
A formal, signed plan is developed and the risky DLL is categorized.
DLL decrypts loads and downloads file uploads.
The molded shell is incorporated into the official system process.
Note: This step is done in different ways (injection code, folding process) depending on the specific variations of plugX, but the basic method is the same.
The Windows installation process includes C2 / plugX functionality.

Core plugX Malware Functionality Evolves
In 2013, a number of basic malware plugX functionality improvements took place, including the addition of new C2 policies, encryption, and installation methods. Airbus investigators are analyzing.


3. Zeus Gameover

All You Need to Know About Notified Zeus Gameover Malware…

How does Zeus Gameover work?

First of all, this variation of malware creates a real problem, because it constantly monitors data on your network or PC, which is identified as important, either by authentication commands or by prefixed algorithms.

Typically, Zeus infections look for personal information, credit card details, customer details, or private company information.

Once Zeus P2P finds out what he wants, he will be able to send that information to other peers on his network, anywhere in the world. This means that data from your internal network can be transferred from one network to another, which is also in the Zeus P2P network. This computer is available anywhere.

The diagram below shows a simple view of Zeus P2P communication.

Firefighters, Proxy Servers, Traffic Scanners, and Antivirus, the right break to protect your company?

If your company is using a Firewall or Proxy, as shown in Figure 1, you have good protection if your representative is updated and knows what to look for. Most likely, it is not, because Zeus Gameover communicates with other companies with IP addresses that you do not want to block because that would prevent your employees from working.

Prohibition at the representative level would mean imposing broad restrictions on the organization. This will lead to less productivity for your entire organization, not just an infected computer. Now you may be thinking, “how much can we stop you?”.

Well, really, a lot! Thousands of existing companies have been infected with Zeus P2P and as many as 1.2 million computers were infected before Zeus was released.

That number is low now, but they can easily pick up if the infrastructure is built and more computers are infected, so you will be blocking too much.

A similar problem arises with road scanners as in note 2, which operate at the company level, as they block all IP levels or DNS distances.

If you are a small company just using an antivirus solution, gateway, or firewall, as in every 3rd note, you are simply more exposed to the risk of Zeus P2P, because it will pass straight through your security measures. See the difference between antivirus and antimalware and how they should work together.

Regarding notes 1 and 2, although not related to Zeus Gameover, I wish to give you an example of the same problem that antivirus makers face, to give you a picture that you might be related to.

Some antivirus manufacturers have a similar problem with a wide-ranging business block, where they block all websites, instead of the malicious content found by their scanner on a given website. These false “positives” result in your company being banned from using the services on official websites, which could be anything from the government to the private sector.

Now, why is it so hard to protect yourself from Zeus P2P Gameover?

Yes, first of all, a very persistent threat, which attacks networks with low adoption rates, due to its polymorphic nature.

Second, once logged in it is difficult to remove a client infection, thanks to a new version of Gameover, which contains the Necurs rootkit. This sometimes means that the easiest way to get rid of a problem is to erase the infected client. However, the chances are that it will be infected again.

Third, once inside Zeus will be able to easily communicate with other peers or seek out new ones if those on the default list are not available. If that also fails, Zeus will turn to his DGA (Domain Generation algorithm) to find peers.

Why is it impossible to block Zeus traffic at that time?

Yes, as described above, if you block at the company level, you will be blocking all domains or IP addresses, infected by Zeus. First, obtaining data on who is infected is more difficult and requires a second To stop it.

Zeus Gameover

4. Stuxnet

All about Stuxnet

Stuxnet is an extremely sophisticated computer worm that exploits many of the dangers of Windows zero-day malware infecting computers. Its purpose is not just to infect PCs but to cause real global physical effects. Specifically, it targets the centrifuges used to produce rich uranium enabling nuclear weapons and missiles.

Stuxnet was first identified by the public prosecutor in 2010, but its development may have begun in 2005. Despite its unparalleled distribution power and high infection rate, Stuxnet does little harm or damages computers that are not involved in uranium enrichment. When installing a computer, it checks to see if that computer is connected to certain models of programmable controllers (PLCs) manufactured by Nokia. PLCs are the means by which computers communicate and control industrial equipment such as uranium centrifuges. The caterpillar alters the system of PLCs, resulting in inches being tampered very quickly and for too long, damaging or destroying sensitive equipment in the process. While this is happening, PLCs tell the computer that everything is fine, making it difficult to find or see what is wrong until it is too late.

Who built Stuxnet?

It is now widely accepted that Stuxnet was created by spy agencies in the United States and Israel. The program developed to develop the caterpillar was given the code name “Performing Olympic Games”; was started under President George W. Bush and continued under President Obama. Although no government has officially approved the development of Stuxnet, a 2011 video designed to celebrate Israel’s Defense Head Gabi Ashkenazi is listed by Stuxnet as one of the achievements under his watch.

While the engineers working behind Stuxnet were not identified, We know they were very talented, and that there are a lot of them. Roel Schouwenberg, of Kaspersky Lab, estimated that it took ten years to take coders for two to three years to create a caterpillar in its final state.

Other worms with infectious skills such as Stuxnet, including those called Stu and Flame, have been identified in the wild, although their intentions are very different from those of Stuxnet. Their similarity to Stuxnet leads experts to believe they are a product in the same development store, which is obviously still in operation.

What is the purpose of Stuxnet?

The U.S. and Israeli governments had intended Stuxnet as a tool to reduce, or at least delay, the Iranian nuclear weapons program. The Bush administration and Obama believed that if Iran came close to exposing nuclear weapons, Israel would launch airstrikes against Iran’s nuclear facilities in the wake of a possible regional war. The Olympic Games Operation was seen as an unfair alternative. While it was not clear if such a collision with the natural infrastructure as possible, there was a major meeting in the White House Situation Room late in the Presidency where pieces of the destructive test were spread on the conference table. It was then that the U.S. assigned the header to identify the malware.

Stuxnet has never intended to broadcast across the Iranian nuclear power plant in Natanz. The facility was connected to the air and was connected to the internet. That meant it had to be infected with USB sticks that were routed internally by spies who did not like it, but it also meant that it should have been easier to get infected with the virus. However, malware eventually became infiltrated by computers connected to the Internet and began to spread in the wild because of its very large and aggressive nature, although it meant that it did little damage to the outside computer it was infecting. Many in the U.S. They believe that the broadcast was the result of an altercation by the Israelites; Deputy President Billen is said to be upset.


5. Mydoom

What is MyDoom Virus?

The MyDoom virus, also known as Novarg, is another worm that can develop a backdoor in a victim’s operating system.

The MyDoom email worm family continues to be a threat due to unprotected human computers and sensitive computer programs even though the virus was scheduled to shut down in February 2004. Due to existing infections, MyDoom developers can still install a large computer network at any time. Viral experts suggest that travel instructions sent to infected machines may allow them to commit offenses ranging from the blockade of Internet traffic and creating huge financial upheavals in companies and banks. Almost every week, new versions of MyDoom e-mail worm continue to emerge so the virus continues to shut down postal servers around the world.

MyDoom Virus and its variants…

The original MyDoom virus is known to have two causes. One cause led to the virus launching a denial of service attacks (DoS) starting on February 1, 2004. A second trigger caused the virus to stop spreading on February 12, 2004. The virus stopped spreading.

Several computer security experts say that there are minor differences between previous versions of MyDoom and their variants. Their main purpose is to get the code and increase the power of the caterpillar.

MyDoom.b contained a modified code that appeared to be incorrect according to a few experts. Encoding errors have led to this generation of MyDoom members being less threatening.

Computers pointing to MyDoom.c are already infected by MyDoom.a. And. Reports say that this discrepancy was not spread by e-mail but rather by the existing open port.

MyDoom.d also called Doomjuice. a distributes the updated code but in some ways, it was similar to MyDoom.a. This divergence first sent single requests for DoS attacks against Microsoft and then changed the attack strategy with multiple applications.

MyDoom.e, also known as Doomjuice.b, is capable of continuous attacks, with high DoS attacks on the Microsoft homepage in any month from February to December on any day other than the one between 8 and 12 p.m. MyDoom.e developed applications for accessing Microsoft homepages that look like Internet Explorer applications.

Why is MyDoom the Most Important Computer Virus?

Retrieved January 26, 2004, MyDoom.a distributed files with extended .bat, .cmd, .exe, .pif, .scr or .zip attachments. The caterpillar has improved the internal door of the system by opening 3127 to 3198 TCP ports.

MyDoom is not a problem opening port. Viruses like MiMail, Ballle, SoBig, and others all have this ability. However, the MyDoom family takes advantage of the situation by comparing it with other worms.

These open ports allow the caterpillar to secretly ‘listen’ to new commands sent by the caterpillar writer. The open port also creates a back door that allows the attacker to connect to an infected computer, thus controlling its network and independent resources.

In addition, the back door opened by MyDoom allows the attacker to download remotely and create conflicting files. The real threat here refers to the fact that this malware can be triggered at any time because the TCP 3127 port remains open. Eliminating infection with antivirus software is the only way to close the back door.

This is where viral protection plays an important role. Comodo provides Antivirus which features the most advanced security features that make it one of the best antivirus programs in the IT security industry. This software helps to successfully protect PCs (s) from backgrounds, viruses, Trojan horses, spyware, rootkits, adware, worms, and many other malware infections, including the most serious threats to zero-day.

MyDoom, the first type of worm, appeared on January 26.


6. Sasser and Netsky

Everything you need to know about Sasser worm

The worm, created by a 17-year-old man, has brought companies around the world to stand.

Sasser, discovered April 30, 2004, is a computer worm that infects computers using the compromised versions of Microsoft Windows XP and Windows 2000. The worm spreads by exploiting an operating system through a compromised network port. Therefore, it is especially dangerous that it can spread without user intervention, but it can also be easily stopped by a well-set fire extinguisher or by downloading a program update from Windows Update.
Sasser’s specific hole was marked by Microsoft in its MS04-011 notebook, where the patch had been removed seventeen days earlier.

How does this work?

The worm is called Sasser because it spreads by exploiting the environment in a building known as LSASS (Local Security Authority Subsystem Service) in infected operating systems. The worm scans different ranges of IP addresses and connects victims’ computers mainly via TCP port 445.

An analysis of the caterpillar by Microsoft has suggested that it may also be widespread at port 139. Various varieties of Sasser.B, Sasser.C, and Sasser.D appeared within days (named Sasser.A). LSASS vulnerability was replaced by Microsoft in April 2004 with the installation of its monthly security packages, prior to the release of the worm.

An indicator of computer caterpillar infection is the presence of file C: WIN.LOG or C: WIN2.LOG on its hard disk, as well as crashes that appear to be fixed with LSASS.EXE on the screen caused by improper coding applied to the worm. The most common sign of a worm is a shut-off time that has occurred due to a worm hitting LSASS.exe.


Examples of damage caused by Sasser include: The Agence France-Presse (AFP) news agency all its satellite communications sources were blocked for hours; Delta Air Lines had to cancel several shifting flights because its computer systems were driven by worms; Nordic Insurance Company If its Finnish owners Sampo Bank stopped completely and had to close 130 offices in Finland; The X-ray department at Lund University Hospital had all its X-ray equipment disabled for hours and had to direct emergency X-ray patients to a nearby hospital; The University of Missouri was forced to “pull out” its network from the Internet in response to the worm; The British Coast Guard had his electronic mapping service for a few hours; Goldman Sachs, Deutsche Post, and the European Commission all had problems with the worm.


German computer science student Sven Jaschan, 18, of Rotenburg, Sower Saxony, was arrested on May 7, 2004, for writing the worm. German authorities detained him for information obtained in response to a $ 250,000 offer from Microsoft.

One of Jaschan’s friends had told Microsoft that his friend had created a worm. He also pointed out that not only Sasser but also Netsky.AC, which is different from the Netsky caterpillar, which is his creation. Another variant of Sasser, Sasser.E, was found to be circulating soon after his arrest. It was the only variant trying to remove some worms from the infected computer, as Netsky did.

Jaschan was tried at a young age because German courts had ruled that he was 17 years old when he created the worm, which was actually released on his 18th birthday (April 29, 2004). Jaschan was found guilty of computer theft and illegal conversion details. On July 8, 2005, he was sentenced to 21 months in prison.

Dealing with Sasser

The shutdown sequence can be deleted by clicking on ‘start’ and then using Run command to enter ‘shutdown -a’. This marks the end of the program for the user to continue using the computer. The shutdown.exe file is not automatically available within Windows 2000 but can be installed on the Windows 2000 utility kit. Available on Windows.


7. CodeRed

What is Code Red Worm?

Code red is a computer virus that was discovered in July 2001, when computers running Microsoft’s Internet Information Services (IIS) web server were found to be inactive. The aftermath of the attack caused billions of dollars in injuries in the summer of 2001.

Marc Maiffret and Ryan Permeh’s Eye Digital Security staff found the worm while exploiting the existing dangers identified by Riley Hassell.

The computer worm nicknamed, “Code Red” is because they drank Code Red Mountain Dew when they confirmed it as a threat.

Shows text message “Welcome to I’m Infected by China!” and works in memory deleting all existing files on the hard drive. It infected about 359,000 executives on July 19, 2001.

Code of Conduct Red

Code Red codes are served on the GET /default. ida application path to TCP port 80. In this way, the code is developed to help detect high-level vulnerabilities in Microsoft’s Internet Information Server (IIS) information software. By doing so the code runs inside the IIS server. The worm virus is fully functional in memory and is not found on disk. It seats 3,569 bytes.

The caterpillar upload includes:

Rubbing infected website to display:
HELLO! Welcome to HT Joined by Chinese!

It tries to spread its infection by accessing multiple IIS servers online from Day 1 and Day 19

Then enter the system associated with specific IP addresses using the Shia of Service attack from day 20 to Day 27

Thereafter no active attack from Day 28 of the month

When scanning the compromised machines, the caterpillar did not test to see if the remote server was using the IIS risk version or to see if IIS was working at all. Apache access logs

CodeRed Variety
Code written.II

This is exactly the same as the original found to be different in two major ways. The CodeRed II signature enters the host via Trojan – Virtual Root to help cooks set up the backdoor to access and manage the server server. It replaces most’ss with X’s.


It exploits “Web Server Folder Traversal” Vulnerability to transmit the infection through new machines. This targeted variety of random IP addresses also sends FTP to receive applications from compromised applications. The FTP application updates the infected machine to download HTTPEXT.dll to the IIS folder which provides a way to execute specific commands on the server. This will ensure that the .dll file is created with the URL request and ensure that the DLL transfers the SVCHOST.exe file to the C: folder. Codeblue is made different from Codered as it is written on the hard drive and not in memory.


It is an anti-worm that finds its way into the target machine


More than 2 million computers have been infected with Code Red that organizations have to invest $ 2.75 billion to reproduce their product.

Preventive measures

Update Windows OS with the latest security patch. (Microsoft has released a security patch update to protect systems at risk of being attacked by Code Red.)

Launch the use of an effective Internet security suite that includes anti-virus antivirus software to scan, detect and remove anonymous threats, firewall eliminates suspicious data from a remote IIS webserver to stop the spread of malware and other types of attacks and, above all content technology – separating suspicious and isolated threats to provide full protection from threats such as Code red.

Code Red worm was discovered by two Eye Digital Security employees Marc Maiffret and Ryan Permet. They named it “Code Red” because they drank Code Red Mountain Dew. Code Red survived in 2001 and the work focused on computers with Microsoft IIS servers installed to exploit the problem of overcrowding in the system. As well as the computer.


8. In Nimda

In Nimda

First appearing on September 18, 2001, Nimda is a computer virus that has caused a decline in traffic as it flows through the Internet, spreads in four different ways, and enters computers containing Web’s Microsoft server, Internet Information Server (IIS) and computer users who open email attachments. Like previous viruses, Nimda’s paid subscription seems to be a drop in traffic itself – that is, it does not appear to be depleting files or causing further damage other than the huge amount of time that can be lost in traffic- or loss-of-service traffic. With a prolonged attack, Nimda appears to be the most severe virus of its kind still to be seen. Its name (after “admin”) obviously means “admin.dll” file which, when run, continues to spread the virus.

Briefly summarize what Nimda do:

It scans each IP address within randomly selected IP addresses, attempting to exploit vulnerabilities unless they are already attached, known to exist on computers with Microsoft Information Internet Server. The program with the displayed IIS Web server will read a web page containing customized JavaScript, creating the same JavaScript code to spread across all Web pages on that server.
As people (those with Microsoft Internet Explorer browsers level 5.01 or earlier) visit infected Web sites, they download pages via JavaScript automatically, causing the virus to be transmitted to other computers on the Internet in some way. random fashion.
Nimda can also infect users within an internal Web server network assigned a network share (file location).
Lastly, one of the things Nimda has to do is send an email attached to “Readme.exe” to the address of the Windows address book. The user who opens or previews this attachment (which is a Web page and JavaScript) further transmits the virus.
Summary of preventive action:

Server administrators should detect and use Microsoft’s compliant IIS patch that provided the previous viruses and ensured that no one on the server opened the email.
PC users should not open the “Readme.exe” attachment sent via email. They should also update their version of Internet Explorer to IE 5.5 SP2 or IE 6.0.
Summary of corrective action (if your server is infected):

Here we quote SurSecure’s Surgeon General Russian Cooper for TruSecure: “If you need to keep it and it works, remove it from infection centers, return it to tape or relevant and install a new one, and install it. with the product of your anti-virus software. If it passes, reconnect it to the Net and continue. ”
Ideally, Cooper believes the server should be down until someone completely cleans up in a few days from one of the anti-virus vendors like McAfee or Symantec. He recommends using more than one brush to be on the safe side.
Summary of corrective action (for end-users):

Scan and clean your system with anti-virus software.
Download Internet enhancement.
For details on how the virus behaves and for more information on corrective and preventive measures, contact any major anti-virus consumer sites.

Nimda first appeared on September 18, 2001, and quickly spread through the Internet. In fact, it only took 22 minutes since Nimda hit the Internet to reach the top of the list of reported attacks. The main goal of the Nimda virus was to bring about an internet connection. By creating a backdoor in the victim’s active system, it gives the attacker access to the same level of activity. Also, if the victim was a machine operator, the assailant would have full control. The Nimda caterpillar became an object of distribution (DDOS)



What is the ILOVEYOU Virus? How To Download ILOVEYOU Virus Download

ILOVEYOU virus is a computer virus (or) worm virus. It was broadcast via email with the subject line “I love you” in the year 2000.

ILOVEYOU is one of the most popular and worst computer viruses of all time.

ILOVEYOU virus history

In the third month of 1999, the Melissa virus was spread on the Internet as an email attachment. The virus, which spreads as soon as it was opened, crippled certain security features in Word 97 or Word 2000. In the case of users who had a Microsoft Outlook email program, they helped the virus to irritate the first 50 people each with user addresses. It caused a riot and damaged many computers around the world!

The ILOVEYOU virus was released into the wild from the Philippines soon after Melissa’s viral case was resolved. Tens of millions of Windows PCs crashed and even after May 5, 2000. Remarkably, while ‘Melissa’ was infected, the ILOVEYOU digital virus came in the form of a worm virus. The ILOVEYOU virus, sometimes related to Love Letter or Love Bug, was caused by an email message entitled “ILVEVEYOU” and an attachment “LOVE-LETTER-FOR-YOU.txt.vbs”.

‘VBS’ has been misused by users as a standard text file, however, ‘VBS’ is actually a VBScript program used by hackers to create a worm. The victims secretly opened the attachment and worked in the Visual Basic script. The malicious program quickly started to overwrite random file types, and that included image, office, and audio files. But the virus would hide the file after rewriting the MP3 files and sending emails to all addresses in the Windows Address Book attaching the copy itself.

For a brief comparison, the previously described Melissa virus sent copies to the first 50 contacts in the address book but the ILOVEYOU virus sent emails to all email addresses in the Windows address book. As a result, the ILOVEYOU virus spreads faster than any other email worm.

How Can You Prevent And Stay Safe From The ILOVEYOU Virus Download Attack? 

To stay safe from viruses like ILOVEYOU and Melissa, there is a great need to install a powerful virus removal program. All other precautions put a second.

Symptoms of Infection

It is important to know these signs and symptoms to determine the risks-

Comp performance is slower than normal
Unnecessary pop-ups keep coming back
Few programs work alone
File duplication/repetition alone
New or unknown files or programs
Restricted access to files and folders
Hard drive audio in continuous action
All the signs listed are the first signs of a great catastrophe. It is important to wake up when you experience this. Never delay, quickly update your existing antivirus software or install new ones to support virus removal. If you are not sure what to do, seek the help of authorized personnel.

You can also start testing yourself by following the step-by-step procedures.

Get Into Safe Mode

Start by restarting your computer, and when it grows stronger press F8 and always go to the Advanced Boot Options menu. While in it, select Safe Mode with Network and press Enter.

This is useful for handling files that have no problems as they are not working or working. Apart from these actions, do not forget to remove the internet as it prevents infection from streaming.

Temporary files

It is very important to delete temporary files and use a virus scan. This method helps to free up disk space and internally accelerates virus scanning and the viral removal process. Simply, go to the start menu, select All Programs, click on Accessories, System Tools, and click Disk Cleanup.

Install Virus Removal Software to remove this virus.


10. Melissa

All about Melissa’s virus

Melissa is a viral virus that spreads rapidly as an email connector that, when opened, disables …

Melissa Virus was an email virus that was first released on March 26, 1999. The virus spread so fast that the e-mail systems infected by the virus spread and became the fastest-growing virus to date.

This virus will attack the machine via email message. The subject of the email message indicated that the message contained a file requested by the user. After the attachment is opened, the virus infects the machine and spreads other emails using macros to Microsoft Word 97 and Microsoft Word 2000 files. or 98. While the virus itself was not designed to be harmless, because it overloaded email servers and caused damage.

The author was identified as David L. Smith of New Jersey, who invented the virus after being attacked by a Miami painting. He was sentenced to 20 months in state prison and fined $ 5000. It is estimated that the virus reached thousands of computers per hour with damage estimated at more than $ 80 million.

Memory goes.
Disables voice antivirus protection for texts with macros.

For this reason, Word does not require user authentication to enable or disable macros embedded in documents, when opened.
Prevents users from working with macros, both in Word 97 and Word 2000.

In Word 97, disables the Macro option in the tools menu.
In Word 200, disables the Macro option in the tools menu.
Sends to the first 50 addresses found in the Outlook address book.
Includes Word 97 and Word 2000 documents as well as a global template.
Infection strategy
Melissa. A inserts the following entries into the Windows Registry:

HKEY_CURRENT_USER Software Microsoft Office “Melissa?” “… by Kwyjibo”

In this way, Melissa. A knows it has infected the computer. If it re-accesses the computer, Melissa. A will search for the above entries and once they have found them, they will know that the program has entered. Therefore, the virus prevents the hardening of computers.
Melissa. A is looking into the following entries in the Windows Registry:

HKEY_CURRENT_USER Software Microsoft Office 9.0 Voice Security Level

If the value assigned to the entry is not Null, Melissa. A disables the options that allow users to interact with Word macros (Tools – Macro in Word 97 and Tools – Macro – Security in Word 2000).
To treat infections, the virus incorporates Melissa’s module into the entire Word 97 and Word 97 document and the template. This macro module is written in the Visual Basic 5 programming language.

Methods of transmission
Melissa. A is distributed via email as follows:

Opens Outlook mail program when opening an infected volume.
It captures and operates an infected user profile, using calls to MAPI.
Creates an email message with the following features:

Important message from “sender name”

Here is the document you requested … do not show it to anyone 😉

Attachment: file with DOC extension.

Recipients of this message are the first 50 addresses, Melissa. A found in Outlook Address Book.
Additional details
Melissa. A was originally distributed by an online news team called

The virus code contains the following text:

‘WORD / Melisa is written by Kuyjibo
‘It works with Words of 2000 and Word 97
‘Wormwood? Macro Virus? Word 97 Virus? Word 2000 Virus? Decide!
‘Word -> Email | Word 97 <–> Word 2000 … new year!

Melissa’s virus is said to have been invented by David L. Smith after a Florida dancer in 1999. It was an infected text that when opened would forward to the top 50 email contacts. This text may indicate that you are associating with a different hole password


4 thoughts on “The in-depth knowledge of dangerous viruses that can destroy, anyone system | How to protect system | History, and origin of these viruses | Top 10 viruses of all time |Cryptolocker, ILOVEYOU worm, etc.”

Leave a Comment

Your email address will not be published. Required fields are marked *