Details
Macro.Word.MG.a

This virus contains many auto-macros that have the same code inside. As a result, the virus replicates itself when many Word functions are called. On the 4th of any month, the virus erases the C:\COMMAND.COM file.

Details
Macro.Word.Metallica

This is a silly macro virus. The only virus macro ToolsSpelling infects the system macros area and current document on spell-checking the document. The virus contains comment string:
””’M E T A L L I C A””’

Details
Macro.Word.Messenger

This is not a dangerous encrypted German-specific macro virus. The infected documents contain three original virus macros: AutoOpen, virenlist1 and virenlist2, that are copied to 11 macros while infecting global macros area: DateiSpeichern, DateiAllesSpeichern, AutoExec, AutoExit, AutoNew, AutoOpen, AutoClose, DateiSpeichernUnter, virenlist2, virenlist1, AutoOpen1.
The virus contains the comments:
MNAS (58332)
SSAS, ich liebe Dich!
Dein MNAS
Super Macro Botschaft für Deutschland

Depending on the system date the virus displays the MessageBoxes:
S.Nr.: 0516047684070397-3
Ich bin das ‘Super Macro Botschaft für Deutschland’.
Ich habe KEINE Schadensfunktion, ich bin als Liebesbotschafter
und bin gegen RECHTS gedacht!BITTE last mich am leben.
Herzlichen Glückwunsch zum Geburstag SSaS!
Dein M.N.a.S.
P.S.: SSaS sei nicht sauer über die Botschaft!
P.P.S.: Ich liebe Dich!
Ich habe KEINE Schadensfunktion!!!
An Alle:
Ich bin nur als Liebesbotschafter gedacht! BITTE last mich am leben
Das Schwein wurde geboren
Das Schwein Adolf Hitler wurde am 20.04.1889
in Braunau (Österreich) geboren
Das Schwein hat Selbstmord begannen
A. Hitler, die feige Sau, hat am 30.04.1945 in Berlin Selbstmord begannen,
er wollte sich der Strafe des Volkes etziehn
Kriegsbeginn (01.09.1939)
Zum gedenken an den 2. Weltkrieg. Mussten soviele Opfer sein!?
Kriegsende (08.05.1945)
Hitlers Vernichtungszüge wahren endlich zuende! Ich bitte um eine
Schweigeminute, um an die Opfer des 2. Weltkrieges zu gedenken.
An alle Lehrer
Jetzt sind die Lehregefragt. Nimmt mehr über Hitler und die Nazis durch,
damit Schüler wissen, was das für Schweine sind.
An Alle:
Ich habe KEINE Schadensfunktion!!!
Ich bin nur gegen RECHTS gedacht! Bitte last mich am leben!

Details
Macro.Word.Messa

This is an encrypted macro virus. It contains 21 macros: CUS, EOP, ESA, NIZ, PLT, WEV, CROM, CUST, ESAA, INFO, MESSA, WATCH, BEEPER, README, AutoExec, AutoOpen, FileOpen, FileSave, FileSaveAs, TheVWarning, POO.
The virus infects the system on opening an infected document - it copies this document with new name THEVWARN.ING to Word Startup-Path and User-Dot-Path. As a result the virus will activate each time Word will start (Word reads and loads templates from Startup-Path and User-Dot-Path). The virus also infects the global macro area. The documents get infection on opening and closing.
Depending on the current time the virus hooks timer and sets on timer the BEEPER macro. It also runs the OOP macro (it is renamed POO) that on pressing Alt-Ctrl-Shift-K is runs the TheVWarning macro. TheVWarning macro in one minute runs the WATCH macro. The WATCH macro renames the macros:
OEX - AutoExec
OOP1 - AutoOpen
EOP - FileOpen
ESA - FileSave
ESAA - FileSaveAs
NIZ - Organizer
CROM - ToolsMacro
PLT - FileTemplates
CUS - ToolsCustomize
CUST - ToolsCustomizeToolbar
WEV - ViewToolbars

The BEEPER macro beeps and displays the MessageBox:
I am so sorry. I do not mine it to disturb You.
But maybe all there is something that You have to do!
THE ‘V’ WARNING

The MESSA macry displays the message:
THE ‘V’ WARNING MESSAGE
Sorry to interrupt You. I think You are tired,
because You have worked until midnight.
so I suggest You to go to bed now and
tomorrow You could work harder than this day.
Kota Pelajar, Yogyakarta.

Details
Macro.Word.Mercy

This is the encrypted Word macro virus. It contains six macros in documents: Autoexec, AutoOpen and four macros with random names. The infected NORMAL.DOT contains eight macros: AutoClose, ToolsMacro, FileTemplates, Organizer and four macros with random selected names.
The virus infects the global macros area (NORMAL.DOT) on opening an infected document (AutoOpen) and writes itself to documents that are closed (AutoClose). The names of random named macros the virus saves in document’s variables (in case of infected document) or in the WIN.INI file in the [Intl] section in strings Here_1, Here_2, e.t.c (in case of NORMAL.DOT). The virus detects itself in the system by the string “I_am_Here” in the [Intl] section.
On 11th of any month the virus displays the MessageBox:
Episode 2: TenFaces [the series continueall]
The 10Faces is back! hey AVers the name is 10Faces!!
not Mercy.A -(c)reator of NoMercy-

The virus contains the commented text:
Hiya Pyro are you decrypt again !
I don’t borrow the code from “Outlaw” anymore
(it’s now original)
this random code is smaller than before and better randomize result
Using Simple-Little-Fast -random generator
Thankz to ya Pyro without your critics this never happen

This Trojan is a modified Windows %System%\drivers\etc\hosts file, which is used to map domain names (DNS) to IP addresses. The modified file is 5 942 bytes in size. The file is modified in such a way as to prevent the user from viewing the sites listed below.
The following strings are added to the…

Details
Macro.Word.Mercado

This is an encrypted Word macro virus. It contains eight macros: AutoOpen, UtilMacro, FerramMacro, ArquivoAbrir, ArquivoSalvar, UtilPersonalizar, ArquivoSalvarComo, FerramPersonalizar.
The virus infects the global macros area (NORMAL.DOT) on opening an infected document and writes itself to documents that are opened, saved or saved with new name.
On May 19th the virus writes to the C:\AUTOEXEC.BAT file the commands that format the hard drive, the virus then displays the MessageBoxes:
Alevirus Labs 1997 11/21/97 Virus Extra Hipermercado
Extra = Mais Caro = Caixas sem educa o = Vacas HEHE
Hipermercado Extra 100% Caixas HIV Positivo!!! S>C>S

This Trojan has a malicious payload. It is a Windows PE EXE file. The size of infected files may vary from 28KB to 255000KB. However, all variants of this Trojan have the same malicous payload. The majority of the Trojan file is garbage code in order to mask the Trojan functionality.

Details
Macro.Word.Mentes

This is an encrypted Word macro virus. It contains ten macros: Killer, AutoExec, AutoOpen, DocClose, FileOpen, FileSave, AutoClose, FileSaveAs, ListMacros, ToolsMacro.
The virus replicated on opening an infected document, saving and saves with new name. The replication routine presents only in one macro Killer, other macros call it to spread the virus. The infection subroutine in the virus is named “MENTES”.
The virus author leaves a possibility of self-destruction: if the MY.INI file exists in Windows directory, and it contains the section [Word Info] with the “Kod=aaa” string inside, the virus disables its infection routine and removes all its macros.
The virus is able to “steal” documents when they are saved. To do that the virus writes the C:\LOGIN.SYS file name of closed document, current date, time and contents of the document. It then connects the \\\HS_WORKH\COMMON\STUDENT\TEMP disk and moves to it the C:\LOGIN.SYS file to the first logical drive that is write-enabled. The name of new file is ARCHIVE.A??, where ‘??’ is number from “10″ till “50″. This file name is also saved to the PROG.INI file on the same disk.
On entering the List/Macros and Tools/Macro Word menus the virus displays the MessageBox and cancels execution of original macros viewing routines (stealth):
Macro function is not installed.

Details
Macro.Word.Mensagem

This is a silly macro virus. It contains only one macro AutoOpen and infects the system and document on documents opening. Before infecting the virus displays running message:
Scion Graphic - (Brazil-1997)

The virus contains comments:
Mensagem exibida pelo vírus
Salva o arquivo como modelo
Espalha o vírus copiando a macro AutoOpen para outros arquivos

Details
Macro.Word.Meldung

This virus contains three macros:
Documents NORMAL.DOT
A1 DateiSpeichernUnter
AutoOpen AO1
B1 AutoExec

The virus infects the global macros area on opening an infected document (AutoOpen) and infects documents on saving them with new names (DateiSpeichernUnter - FileSaveAs).
On the 17th of any month the virus displays the MessageBox:
Meldung!
Dark Tremor Virus Copyright 1998 by Dark Tremor

Details
Macro.Word.MDMA

Macro.Word.MDMA is an encrypted virus, it contains only one macro AutoClose and infects the system and files on closing a file.
On 1st of any month the virus corrupts the files depending on the installed system and then display the message box with the text:
MDMA_DMV
You are infected with MDMA_DMV.
Brought to you by MDMA (Many Delinquent Modern Anarchists).

Under Windows the virus deletes the C:\SHMK file and overwrites the C:\AUTOEXEC.BAT with the commands:
@echo off
deltree /y c:
@echo You have just been phucked over by a virus

As a result after rebooting all files in all subdirectories will be deleted.
Under Windows NT the virus deletes all files in the root directory as well as the C:\SHMK file.
Under Macintosh the virus deletes the files in system directory(?).
Under other systems (Windows 95) the virus deletes the C:\SHMK file and all *.HLP files in C:\WINDOWS\ directory. The virus then sets some private profile strings and deletes all *.CPL files in C:\WINDOWS\SYSTEM\ directory.

Details
Macro.Word.Master

This virus contains four macros - AutoOpen, FileSaveAs, ToolsMacro, ToolsOptions. The virus infects the system on opening an infected document (AutoOpen). It infects the documents that are opened (AutoOpen) or saved with new name (FileSaveAs).
On entering the Tools/Macro or Tools/Options menu the virus displays the MessageBox:
(c) 1997 Master of infection

This Trojan program makes it possible for a remote malicious user to use the victim machine as a proxy server. It is a Windows PE EXE file. It is 8,682 bytes in size. It is packed using FSG. The unpacked file is approximately 49KB in size. It is written in Visual C++.
Installation
When launched,…

Details
Macro.Word.Mark

This is an encrypted Chinese Word macro virus. It contains five macros: A, B, AutoExec, AutoOpen, ToolsMacro (stealth). The virus replicates itself when documents are opened (AutoOpen).
Depending on the random counter the virus creates a new document and writes to there a text in Chinese. It also creates the C:\X.TXT file and writes to there “0″ or “1″ also depending on the random counter. On next Word loading (AutoExec), if there is “1″ in that file, the virus appends to the C:\AUTOEXEC.BAT file the commands that formats the hard drive:
format c:/u/V:MARK>nul