Prevent Online Threats

Archive for July, 2007

Macro.Word97.Breede

Tuesday, July 31st, 2007

Details
Macro.Word97.Breeder

This virus contains one macro, named AutoOpen in documents and FileSave in NORMAL.DOT. The virus infects the system when an infected file is opened (AutoOpen) and infects documents when they are saved (FileSave). It contains the comments:
BREEDER BY -=>NEMESIS<=- 5/4/97
“DO NOT PROVOKE THE INTROVERT”

Macro.Word97.Break

Tuesday, July 31st, 2007

Details
Macro.Word97.Break.a

This virus infects Word97 documents and also overwrites Windows VBS script files. The body of the virus code has two blocks. The first block contains the script program that gets control in the script instance of the virus; the second block contains the Word macros.
The virus replicates under Word when documents are closed. On the 15th of any month the virus searches for and overwrites all .VBS script files on the C: drive. When any of the affected script files is executed, the virus copies its code to the Word global macros area (NORMAL.DOT).

Macro.Word97.Bpt

Tuesday, July 31st, 2007

Details
Macro.Word97.Bptk

This is a rather humorous Word macro-virus. The virus macro Document_Open only infects the system macros area and the current document upon opening. The virus manifests itself with the Russian text “БПТК”.

Macro.Word97.Bo

Tuesday, July 31st, 2007

Details
Macro.Word97.Box

This stealth virus contains one module “SLOT” which contains seven macros: autoclose, autonew, autoopen, box1, SK, toolsmacro, killer.
The virus replicates itself on opening and closing documents. Depending on the current date and the random counter it displays MessageBoxes (non-English).

Macro.Word97.Blaste

Tuesday, July 31st, 2007

Details
Macro.Word97.Blaster

This is a dangerous macro-virus, also known as Cont. It infects the global macro area upon opening an infected document. Other documents are infected upon closing. The infecting routine locates the virus’ procedures “Document_Close” and “Document_Open” separately, and stores them in the disk file C:\CONT.DBL. When a victim’s document is being infected, the infection routine adds the virus code from this file (C:\CONT.DBL) to the document without destroying the document’s macros. The exception is macros with the same names as the virus procedures. This makes the virus even stealthier.
In one case out of two, the virus changes a document’s summary information to:
Title=”Macro Carrier”
Author=”Dream Blaster”
Keywords=”Minny”

The virus’ payload routine activates on the 17th of each month. It looks for the disk file “C:\MINNY.LOG” that also has the “hidden” and “read only” attributes set. If such a file does not exist, the virus appends to the AUTOEXEC.BAT file several commands that destroy all files and folders on drives C:, D:, E: and F: upon the next reboot.

Macro.Word97.Bismar

Tuesday, July 31st, 2007

Details
Macro.Word97.Bismark

This virus contains seven macros: AutoOpen, BisMark, ToolsMacro( ѽ ), ToolsCustomize, ViewVBcode, FileSave, and FileClose.
The virus infects upon the opening or saving of documents (AutoOpen, FileClose). Upon opening a file, the virus turns off the VirusProtection options.
Upon saving a document, the virus erases files belonging to well known anti-viruses:
c:\program files\norton antivirus\Virscan2.dat
c:\vdoc\*.*
c:\f-prot\*.*
c:\program files\antiviral toolkit pro\*.*

Upon entering the menu item Tools/Macro, the virus installs the password “Bismark” on the document, and outputs the Balloon:
Word Macro Virus BisMark1
You Should Have Left Me Alone, I Was Not Hurting Anything. Now I’am Mad!

After this, the virus shuts down Windows. On Friday at 12:00, the virus inserts an autocorrect entry that replaces “the” with “Word Macro Virus BisMark1, Written By Talon”.

Macro.Word97.Biok

Monday, July 30th, 2007

Details
Macro.Word97.Biok.a

This macro virus contains eight macros in the module “BiosKiller”: AutoExec, Document_Open, FileSaveAs, FileTemplates, HelpAbout, PayBiosKiller, ToolsMacro, ViewVBCode. The global macros area (NORMAL.DOT) is infected when an infected document is opened (Document_Open). The virus spreads to other documents when they are saved with a new name (FileSaveAs). The virus copies its code from file to file by using Visual Basic Import/Export calls via the C:\BK.SYS and C:\APVBK.SYS disk files.
The virus disables the Word VirusProtection. On entering the FileTemplates menu the virus displays the MessageBox:
Virus BiosKiller
Vous feriez mieux de vous acheter un AVall

On entering the ToolsMacro menu the virus displays the MessageBox:
Virus BiosKiller
Je suis un virus comme CIH…

When MS Word is started at 16 minutes past any hour or at 26 seconds of any minute, the virus displays the MessageBox:
Virus BiosKiller
Vous connaissez le virus CIH ?
Je fais la même chose que lui…

When MS Word is started on the 26th of any month, the virus displays the MessageBox:
Virus BiosKiller
Votre Bios va subir des changements…
HAHAHAHAHA

It then creates the file C:\CMOS.BAS, writes CMOS-erasing instructions to it and executes it with the help of the DOS QBASIC utility. The virus then calls the ExitWindows function.

Macro.Word97.Bench

Monday, July 30th, 2007

Details
Macro.Word97.Bench.b

While infecting, the virus turns off the Word virus protection.
If the minutes value equals the month of the year, the virus inserts into the document ten images of ellipses with random dimensions and colors and displays a balloon with the message:
[Bench] Macro Virus
I think is a big jerk!

Macro.Word97.Bee

Monday, July 30th, 2007

Details
Macro.Word97.Beep

This is a silly Word macro virus. The virus's only macro, AutoOpen, infects the system macros area and the current document on opening. The virus manifests itself by beeping the system speaker.

Macro.Word97.Beauty

Monday, July 30th, 2007

Details
Macro.Word97.Beauty.a

This is a Chinese macro virus containing macros in several modules: autoclose, autonew, autoopen, FileTemplates, GAME, guess1, guess2, guess3, recall, ToolsMacro (stealth).
When an infected file is opened, the virus gets control and switches off the VirusProtection option and infects the global macros area. The virus also calls its infection routines on creating, opening and closing documents (AutoNew, AutoOpen, AutoClose).
Depending on the system date and system random counter the virus runs the GAME macro that displays DialogBoxes, MessageBoxes and exits Windows.

Macro.Word97.Beas

Sunday, July 29th, 2007

Details
Macro.Word97.Beast

This virus has two components: a Word macro and a Windows32 EXE file. The virus macro is very short and is placed in infected documents as an ordinary macro program; it has the “auto-name” AutoOpen. The EXE component is stored in documents as an embedded object. When an infected document is opened, the AutoOpen macro takes control, gets the EXE component, saves it on disk and executes it. The EXE component then gets access to the Word application and infects other documents. The infection and other important routines are placed in the EXE file, not in the AutoOpen macro, so the virus spreads using documents as a “carrier”.
When the virus macro gets control (when an infected document is opened), it checks the system registry for its ID stamp. This ID contains the system time and is updated by the virus each time its memory-resident EXE copy gets control. If this ID has not been updated for some period of time (i.e. there is no virus copy in the Windows memory), the virus drops its EXE component to the disk file I.EXE and executes it.
The I.EXE file is the main virus module. It registers itself in the system, stays in the Windows memory and runs the infection routine. To register its copy in the system, the virus looks in the Windows system directory for a .DLL file that has no .EXE companion, and copies its EXE file there under that file name with the .EXE extension. The virus then registers this EXE in the system registry so that it runs on each Windows restart.
The virus then stays in the Windows memory as a hidden application and hooks timer events: every second the virus application gets control. Each time the virus’ “memory resident” copy gets control, it looks for the MS Word application and, if it is active, the virus runs its infection routine. The virus performs the following actions:
1. counts the characters in the active document. If there are no changes during 30 seconds, the virus runs the infection procedure.
2. closes the Visual Basic Editor window, if it is open.
3. in the period from 09:36pm till 07:12am, opens and closes the CD-ROM’s door.
The infection procedure gets access to MS Word functions by using OLE automation. It checks every document open in MS Word, and if a document does not contain embedded OLE objects and has at least one program module, the virus infects it. It embeds its own executable file into the document and also creates the “AutoOpen” macro in the document’s program module.
The virus contains the encrypted text “3BEPb” (”Beast” in several Slavonic languages). This text is used by the virus as the header of its EXE application’s window.

Macro.Word97.Baw

Sunday, July 29th, 2007

Details
Macro.Word97.Bawl

This is a Word97 macro virus. It contains one macro AutoOpen and replicates on opening documents. The virus code was written for Word6/7 and then converted to Word97. As a result the virus has errors. The virus sets the Subject for documents while infecting them:
Green Bay Packers - - Super Bowl XXXI Champions

Macro.Word97.Badmacro

Sunday, July 29th, 2007

Details
Macro.Word97.Badmacro.a

This virus contains two macros, AutoOpen and AutoClose, and replicates upon document opening or closing. Upon closing a document, starting from the 23rd of any month, the virus creates and executes the “C:\QSTART.COM” Trojan file, which clears the CMOS memory. The virus is of Russian origin: on the 1st and 13th of any month, it replaces, in the current document, the Russian words “here” with “there”. The virus also sets the description attributes for its macros:
AutoOpen: Absolutely bad macro (in Russian)
AutoClose: Reread Version 1.2!

Macro.Word97.AutoDestructo

Sunday, July 29th, 2007

Details
Macro.Word97.AutoDestructor

This virus contains seven macros in one module “AutoDestructor98”: AutoExec, AutoOpen, CpteAReb, FileSaveAs, FileTemplates, ToolsMacro, and ViewVBCode. The virus infects the global macros area upon the opening of an infected document and spreads to other documents upon saving them with a new name.
While infecting NORMAL.DOT, the virus displays the following Balloon:
Virus AutoDestructor98
HAHA !!!, votre ordinateur est infecté par un nouveau virusall

On the 15th of any month, the virus hides ScrollBar, and installs in the window caption the following text:
Les barres de scrollings ont disparu…

Upon starting Word on July 13, the virus formats the hard drive and displays the following Balloon:
Virus AutoDestructor98
Attention, le compte à rebours est lancé…
Plus que 10 secondes

Before formatting, the virus prints the following numbers to the status bar: 10, 9, 8, 7, … 1, 0 - one number per second. The same counting is displayed upon entering the Tools/Macro or File/Templates menus, and the virus then displays several messages and forces Word to terminate.

Macro.Word97.ATU famil

Sunday, July 29th, 2007

Details
Macro.Word97.ATU family

The viruses of this family use an uncommon way of spreading. Instead of copying their macro program to the macro area in victim documents, they just write to the documents a reference to a template (the attached template) which contains the virus macros. When MS Word97 opens such a document, it detects the reference to the attached template, opens it and executes its macros. The virus macro gets control and runs the infection procedure. As a result, the infected documents have no macro code, but when they are opened the virus macro code is loaded by Word97 and executed.
In the known versions of this virus, the reference to the attached template points to a file on a remote Internet site (the virus writers’ Web site). As a result, on opening an affected document MS Word97 downloads and processes a template that is located in the Internet zone. Because of that, the virus author(s) are able to “upgrade” the virus code by replacing the template on their Web site.
This way of spreading allows the virus to bypass the anti-virus protection (VirusWarning) in old versions of MS Word97. These Word97 versions have a security breach: the anti-virus protection is not activated by Word97 to scan attached templates for macro code. This bug in MS Word97 was fixed in the beginning of 1999.
“ATU.b”: this virus version does not copy the entire code from the template to the global macros area, but only the code necessary to infect documents.
The viruses contain the comments:
“ATU.a”:
Active Template Update

“ATU.b”:
Active Template Update v0.2 /1nternal
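
A defender-side check for the attached-template trick the ATU family relies on, as an added example that is not part of the original description. It goes beyond the Word97 binary format discussed above and inspects the modern OOXML (.docx) equivalent, where the attached template is recorded as a relationship in word/_rels/settings.xml.rels; the function names, the sample builder and the sample targets are assumptions made for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Relationship type that records a document's attached template in OOXML.
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/"
                     "2006/relationships/attachedTemplate")
RELS_PART = "word/_rels/settings.xml.rels"
RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"


def is_remote(target):
    """True if Word would have to leave the local machine to load this target."""
    if target.startswith(("\\\\", "//")):        # UNC path: \\host\share\t.dotm
        return True
    url = urlparse(target)
    if url.scheme.lower() == "file":             # file://host/... is remote,
        return bool(url.netloc)                  # file:///C:/... is local
    return url.scheme.lower() in {"http", "https", "ftp"}


def remote_templates(docx_bytes):
    """Return attached-template targets that point off the local machine."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if RELS_PART not in z.namelist():
            return []                            # no attached template recorded
        # ElementTree never fetches external entities; for hostile input at
        # scale, defusedxml.ElementTree is a drop-in hardened parser.
        root = ET.fromstring(z.read(RELS_PART))
    return [rel.get("Target", "")
            for rel in root.iter(RELS_NS + "Relationship")
            if rel.get("Type") == ATTACHED_TEMPLATE
            and is_remote(rel.get("Target", ""))]


def make_sample(target):
    """Constructed sample: a ZIP holding only the settings relationships part."""
    rels = ('<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="'
            'http://schemas.openxmlformats.org/package/2006/relationships">'
            f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
            f'Target="{target}" TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(RELS_PART, rels)
    return buf.getvalue()
```

A document flagged by `remote_templates` carries no macro code of its own, which is why a scan of the document body alone misses it.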

