Prevent Online Threats

Archive for February, 2007

Macro.Word.Chil

Wednesday, February 28th, 2007

Details
Macro.Word.Chill

This is an encrypted macro virus. It contains two macros: AutoOpen, ToolsMacro (stealth). It writes itself to the global macros area and documents on opening (AutoOpen). It contains the text:
Chill Word Macro Virus

Macro.Word.Check

Wednesday, February 28th, 2007

Details
Macro.Word.CheckF

This virus contains only one macro, named ChekFuk in documents and AutoClose in NORMAL.DOT. The virus infects documents on closing (AutoClose). It infects the global macros area when the user enters a form field in an infected document: the virus creates a form field in documents and sets the ChekFuk macro as the entry macro for this form field. This method lets the virus avoid creating an auto-macro in documents.
The virus sets the “ChekWarez” password to modify documents’ properties, including viewing macros in the Tools/Macro menu. On the 15th of any month the virus displays the MessageBox:
Do you use ChekMate/ChekWord?

Depending on the user’s reply, the virus then displays one of these MessageBoxes:
ChekFuk Virus
Do NOT use ChekWord or ChekMate.
They suck!
ChekFuk Virus
Thank you for NOT using ChekWare.

Macro.Word.Chea

Wednesday, February 28th, 2007

Details
Macro.Word.Cheat

This is an extremely short and primitive macro virus. It contains only one macro AutoOpen and replicates itself on opening documents. It does not manifest itself in any way.

Macro.Word.Chao

Wednesday, February 28th, 2007

Details
Macro.Word.Chaos

This is an encrypted virus. It contains four macros, named differently in NORMAL.DOT and in infected documents:
in NORMAL.DOT     in infected documents
FileOpen          TempFileOpen
FileSave          TempFileSave
AutoExec          TempAutoExec
TempAutoOpen      AutoOpen

On FileOpen or FileSave (file opening or saving) the virus writes its code to the file. On AutoOpen the virus installs itself into the system. In case of an error it displays the message:
Unexpected error! Error code -

On AutoExec the virus, depending on the system random counter, either prints the string “x/500” to the status line, where “x” is a random number, or prints “500/500” and halts the computer.
The virus contains commented strings:
*********************************
* -x UlTiMaTe x- *
* CCCCC H H AAAAA OOOOO SSSSS *
* C H H A A O O S *
* C HHHHH AAAAA O O SSSSS *
* C H H A A O O S *
* CCCCC H H A A OOOOO SSSSS *
* -x v2.3 - 1st June, 1996 x- *
*********************************

Macro.Word.Chandig

Wednesday, February 28th, 2007

Details
Macro.Word.Chandiga

This virus contains only one macro AutoOpen and infects the global macro area and documents on file opening. The virus contains the text string:
This Code was written in Chandigarh (India) on 01.05.1996

Macro.Word.Chak

Wednesday, February 28th, 2007

Details
Macro.Word.Chaka

This is a dual-language virus: it supports both English and German versions of Word. It contains only one macro, AutoOpen, in infected documents, but creates three macros (ChAkA, FileOpen, DocClose) in NORMAL.DOT while infecting the global macros area.
The ChAkA macro is a copy of AutoOpen and contains the infection routine. The other macros (FileOpen, DocClose) call this infection routine. As a result the virus infects the global macros area on opening an infected document (AutoOpen) and writes itself to documents that are opened (FileOpen) or when a document’s window is closed (DocClose).
The virus contains the text string:
ChAkA! Nightmare Joker [SLAM]

Macro.Word.Ceefou

Wednesday, February 28th, 2007

Details
Macro.Word.Ceefour

This is an encrypted Word macro virus. It contains six macros: AutoOpen, FileSave, FileOpen, FileTemplates, ToolsMacro, CFFSA.
It infects the global macros area on opening or saving an infected document (AutoOpen, FileSave). It writes itself to documents that are saved with a new name (FileSaveAs).
The virus disables the ToolsMacro and FileTemplates menus (stealth). While opening a document the virus checks its name and disables its stealth routine if the name of the document contains the sub-string “TONY”.
On April 1st the virus erases the files on the C: drive. The virus contains the comments:
C-4 By Karl
“You are about to have a very bad day.”
“It looks like C4 in the mothers arm.”
“We are both professional, This is personal.”
“And when Alexander saw the bredth of his domain he wept for there
were no more worlds to conquer (benefits of a classical education)”
quotes from the masters!

Macro.Word.Ceb

Wednesday, February 28th, 2007

Details
Macro.Word.Cebu

This is an encrypted macro virus. It contains four macros: AutoExec, AutoOpen, AutoClose, MsRun. It infects the global macro area on AutoOpen and writes itself to documents on AutoOpen and AutoClose. Depending on the system time it replaces the word “Asian” with “Cebu” in current document.

Macro.Word.C

Wednesday, February 28th, 2007

Details
Macro.Word.Cc

This German-specific Word virus contains five macros: wss, AutoExec, AutoOpen, DateiSpeichern, DateiSpeichernUnter. It replicates on document opening or closing (AutoOpen, DateiSpeichern). Starting from the 4th of any month, on saving a document with a new name the virus sets the “cc” password for it.

Macro.Word.Catc

Wednesday, February 28th, 2007

Details
Macro.Word.Catch

This encrypted macro virus contains six macros: AutoOpen, encrypt1, FileSave, AutoClose, infectdoc, infectnorm. It infects the global macros area on opening an infected document (AutoOpen) and copies itself to other documents on their opening.
The virus swaps the following characters in the document: “i” <-> “o”, “a” <-> “e”. This swap is not visible on an infected system: when documents are opened, the virus restores the letters to their original state, and when documents are saved, it swaps them again. After each replacement the virus displays a dot in the StatusBar.
On document closing, depending on the system random counter, the virus displays the message:
Its a Catch 22 Situation!

Macro.Word.Ca

Wednesday, February 28th, 2007

Details
Macro.Word.Cap

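CAP - infection routine
AutoExec - calls the infection routine
AutoOpen - calls the infection routine
FileOpen - calls the infection routine
FileSave - calls the infection routine
AutoClose - calls the infection routine
FileClose - calls the infection routine
FileSaveAs - calls the infection routine
ToolsMacro - hides all macros (“stealth” routine)
FileTemplates - hides all macros (“stealth” routine)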

The virus not only disables the ToolsMacro and FileTemplates menus, but also deletes the references to them in the File and Tools main menus. The virus also disables auto-macros. As a result, it is not possible to disinfect this virus using Word functions: the virus cannot be deleted by creating new virus-removal macros or running existing ones.
The virus emulates “FileSaveAs” while saving infected documents and writes an empty document to disk.
The virus contains the following strings (comments):
C.A.P: Un virus social.. y ahora digital..
“j4cKy Qw3rTy” (jqw3rty@hotmail.com).
Venezuela, Maracay, Dic 1996.
P.D. Que haces gochito ? Nunca seras Simon Bolivar.. Bolsa !

Macro.Word.Candyman

Wednesday, February 28th, 2007

Details
Macro.Word.Candyman.a

The macro viruses of this family contain three macros:
“Candyman.a”: Autoopen, Candyman, AutoClose
“Candyman.b”: Autoopen, Dyatrima, AutoClose

They infect the global macros area on opening an infected document (AutoOpen), and infect other documents on their closing (AutoClose).
On the 25th of any month the “Candyman.a” virus deletes all files in the folders C:\WINDOWS and C:\DOS. Then it displays the message:
No se olviden de CABEZAS -Pierri y Duahlde
PUTOS-Cabezas Virus by CANDYMAN Bs. As. Argentina

The “Candyman.b” virus drops and executes the DYA.COM file infected by the DOS overwriting virus “HLLO.Candym”.

Macro.Word.Caffein

Tuesday, February 27th, 2007

Details
Macro.Word.Caffeine

This virus contains only one macro, AutoOpen, and replicates on opening documents. While infecting, the virus, depending on random counters, displays a UserDialog containing the string “Give me caffeine!” and waits for “caffeine” or “coffee” input.

Macro.Word.Buki

Tuesday, February 27th, 2007

Details
Macro.Word.Bukit

It is an encrypted macro virus. It contains seven macros: AutoExec, AutoOpen, FileSave, FileSaveAs, ToolsMacro, ShellOpen, FileOpen. The virus infects the global macros area on opening an infected document (AutoOpen) and writes itself to documents that are saved (FileSave, FileSaveAs).
On the 25th of any month it displays the MessageBox:
Selamat
Sekarang adalah tanggal 25, sudahkah anda mengambil gaji?
He..he..Selamat. Kalau bisa, lebih keras lagi kerjanya.
Bravo Bukit Asam !!!

Depending on the system date on FileSaveAs the virus displays the MessageBox:
Non Critical Error
Internal error was occured in module UNIDRV.DLL
Your application may not be work normally.
Please contact Microsoft Product Support.

On entering Tools/Macro menu (macros ToolsMacro) it displays the MessageBox:
Critical Error
Internal error was occured in module UNIDRV.DLL
Please contact Microsoft Product Support.

Backdoor.Win32.Zomby.b

Monday, February 26th, 2007
This Trojan provides a remote malicious user with administration rights to the victim machine. It is a Windows PE EXE file. It is 16,896 bytes in size. It is not packed in any way. It is written in Visual C++. Installation When launched, the backdoor copies itself to the Windows system directory...
