Prevent Online Threats

Archive for July, 2007

Macro.Word97.Attention

Sunday, July 29th, 2007

Details
Macro.Word97.Attention

These viruses contain only one macro, AutoOpen, and replicate when documents are opened. They contain the comments:
——————————
!!!!Attention!!!!Attention!!!!
——————————
This is *NOT* a Wazzu Varient!
This Virus is called AntiFWIN!
FWIN’s Heuristics do not Work!
——————————

Macro.Word97.Argh

Saturday, July 28th, 2007

Details
Macro.Word97.Argh

The virus code contains fifteen macros in one module, “NewMacroses”. The virus spreads when documents are created, opened or closed, as well as on exiting Microsoft Word. On infecting the system, the virus copies the original NORMAL.DOT to the user template directory under the name WINDOT.DLL, and the infected NORMAL.DOT under the name WININF.DLL.
On selecting the ToolsMacro menu, the virus checks the number of open documents. If no documents are open, the virus displays the message:
Microsoft is protecting your normal.dot from virus infection You can
only add macros to other documents

Otherwise the virus removes itself from the normal template and reinfects it when the user leaves the ToolsMacro dialog window.
While infecting, the virus displays the following Assistant balloon with a probability of 2%:
Help me
I’m not feeling very vell .. AAARGHH!!!

Macro.Word97.Apmrs

Saturday, July 28th, 2007

Details
Macro.Word97.Apmrs

This is a polymorphic macro virus. It infects Word97 documents. It contains only one macro: AdvancedPolymorphicMacroReplicationSystem.

Macro.Word97.Aos

Saturday, July 28th, 2007

Details
Macro.Word97.Aos

This macro-virus contains 15 macros in one module AngleOfSin. It replicates on calls: AutoOpen, AutoClose, FileSaveAs, FileSave, AutoNew, FilePrint, ToolsMacro, FileTemplates, EditFind, ToolsWordCount, viewVBcode, SendMail.
While infecting files, the virus inserts, into the Username, the string “Angle Of Sin”, and, into the UserAddress, the string “6667 Angle Rd, Heaven S.I.N”.
On December 25, it erases all files in the root directory. On February 9, it deletes all documents in the current directory as well as the following files:
C:\COMMAND.COM
C:\AUTOEXEC.BAT
C:\CONFIG.SYS
C:\WINDOWS\*.*

Macro.Word97.AntiWazzu

Saturday, July 28th, 2007

Details
Macro.Word97.AntiWazzu

This macro virus contains two macros: autoopen and tempcdg. It spreads when documents are opened. While infecting, it also deletes the “autoClose” macro; in this way it fights the “Wazzu” virus family. Starting from April 1st 1999 the virus activates a self-destruction routine. This routine deletes the “autoopen” macro that contains the main virus code.

Macro.Word97.Antisocial

Saturday, July 28th, 2007

Details
Macro.Word97.Antisocial

A dangerous “Melissa”-like macro virus. It infects documents and the global macros area (Normal template) on document closing. This virus also spreads via email in the same way as “Melissa” does: the first time an infected document is opened on a computer, the virus attempts to send itself to the first sixty entries from the Outlook address book. The virus’ message carries the infected document as an attachment and:
Subject line: Important Message From
Text: Look what I foundall

After the first attempt to send itself via email, the virus sets the registry key value:
HKEY_CURRENT_USER\Software\Microsoft\Office\Sixtieth Skeptic = “Where’s Jamie?”

The next time, the virus checks this key to prevent duplicate sending.
In addition, the virus drops its code into the file “C:\SS.BAS” and creates a Visual Basic Script in the file “C:\SS.VBS” that reinfects the Normal template on each system reboot.

Macro.Word97.Antisec

Saturday, July 28th, 2007

Details
Macro.Word97.Antisec

This macro virus infects MS Word documents and normal.dot template files. The virus itself is a macro named ‘AntiTheSecond’ and it seems that the author intended it to act as an antivirus against the macro virus TheSecond.
When an infected file or template is opened, the virus creates an export file named Anti.tmp in the MS Word start directory. The macro code is saved in this file. The virus then checks all MS Word documents which are currently open for the macro module of TheSecond virus. If this module is detected, the virus will cause a MessageBox to be displayed. The MessageBox contains the following text in Russian:
Обнаружен вирус The Second в документе <имя файла> !
Translation: The Second has been detected in the document ‘name of file’!
It then deletes the contents of the virus module, without deleting the module TheSecond (which is a type of vaccine for files). If this is successfully completed, a MessageBox in Russian will be displayed on the screen:
Документ <имя файла> вылечен!
Translation: The document has been cleaned!
If the document does not contain the virus TheSecond, Antisec will infect it by writing its code to the document from the file Anti.tmp. A MessageBox in Russian will then be displayed on the screen:
Антивирус добавлен в документ <имя файла> !!!
Translation: An antivirus has been added to the document !!!

Macro.Word97.Antimarc

Friday, July 27th, 2007

Details
Macro.Word97.Antimarc

This virus infects Word97 documents and spreads over two network channels: the mIRC chat client and MS Outlook Express. This is the first known macro virus that uses mIRC and Outlook to spread infection. The virus contains the comments:
W97M/antiMARC by Lord Natas [Codebreakers 98]
with special thanks to Rhape79
“We’re just the toys in the hands of another”

The virus code contains 15 macros in one module “Antimarc”: antiMARC, mIRCDropper, OE, Delay, AutoClose, AutoExec, AutoOpen, FileClose, FileExit, FileSave, FileSaveAs, ToolsMacro, FileTemplates, ViewVBCode, FormatStyle.
The antiMARC macro is the main virus macro. The others either do nothing (AutoExec) or call this macro to infect Word97 documents. The mIRCDropper macro sends infected documents to the chat network; the OE macro sends the infected message by using Outlook Express.
The virus replicates in the Word environment when any auto-macro except AutoExec is activated, i.e. it infects the global macro area and documents when documents are opened, closed, saved or saved with a new name, and on entering the Tools/Macro, File/Templates and other menus. To copy its code the virus uses export/import functions via the SYSTEM\MICROSOF.386 file, which it creates in the Windows directory.
Depending on the system random counter, the virus also executes its chat and Outlook spreading routines. To send its copy to the chat, the virus uses the MIRC32.EXE utility. It disables mIRC warning messages in the mIRC configuration file C:\MIRC\MIRC.INI, creates the infected file C:\WINDOWS\XXXPASSWORDS.DOC and the script C:\MIRC\SCRIPT.INI.
The virus script file contains instructions that send the infected XXXPASSWORDS.DOC file to all users who join the chat. If a message contains the substring “marcsux”, the virus sends the text “#gotinfected777 X” to the host of that message. The virus also sends the following messages to the chat:
marc FuCk YoU FaScIsT
warblade STILL SUCKING MARC’s COCK?? eh, sure you do!!
super Hey M0therfux0r, shove X/W up yer fat pimple-covered ass!
super ‘We do not support the distribution of virii’ - i guess you do now, bitch!
#gotinfected777 Kick Me! - I’m InFeCtEd!

When sending itself by using MS Outlook Express, the virus creates a randomly named infected file on the C: drive, selects the 20th address in the Address Book, creates a new message, fills it with random letters, attaches the infected file and appends the footer line:
J97Z/nagvZNEP ol Ybeq Angnf [Pbqroernxref 98]

This procedure is not language independent and works only under the German version of Outlook Express.
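
Added example (not part of the original entries): a triage of macro names for the pattern several entries on this page describe, where replication triggers are combined with hooks on the macro-management menus. It assumes the names have already been extracted from the document's VBA project; the function name, the groupings and the verdict labels are illustrative assumptions.

```python
# Hook groups taken from the macro lists in the entries on this page.
AUTO_TRIGGERS = {"autoopen", "autoclose", "autonew", "autoexec",
                 "document_open", "document_close"}
COMMAND_HOOKS = {"filesave", "filesaveas", "fileopen", "fileclose", "fileexit",
                 "filenew", "fileprint", "editfind",
                 # localized (Spanish) command names from the Aleja entry
                 "archivoguardar", "archivoguardarcomo", "archivoimprimir"}
# Hooks on the dialogs a user would open to inspect or remove macros.
STEALTH_HOOKS = {"toolsmacro", "viewvbcode", "filetemplates", "toolscustomize"}


def triage(macro_names):
    """Return (verdict, found) for a list of macro names (hypothetical helper).

    verdict is 'high' when run/replication triggers appear together with
    stealth hooks, 'review' when only one kind appears, 'none' otherwise.
    Names are compared case-insensitively (the page shows both
    'ViewVBCode' and 'viewVBcode').
    """
    names = {n.strip().lower() for n in macro_names}
    found = {
        "auto": sorted(names & AUTO_TRIGGERS),
        "command": sorted(names & COMMAND_HOOKS),
        "stealth": sorted(names & STEALTH_HOOKS),
    }
    runs = bool(found["auto"] or found["command"])
    if runs and found["stealth"]:
        verdict = "high"
    elif runs or found["stealth"]:
        verdict = "review"
    else:
        verdict = "none"
    return verdict, found


# Macro lists as given in the Antimarc and Alarm entries on this page.
ANTIMARC = ["antiMARC", "mIRCDropper", "OE", "Delay", "AutoClose", "AutoExec",
            "AutoOpen", "FileClose", "FileExit", "FileSave", "FileSaveAs",
            "ToolsMacro", "FileTemplates", "ViewVBCode", "FormatStyle"]
ALARM = ["AutoOpen"]
# Constructed benign sample, not from the page.
BENIGN = ["InsertLetterhead", "FormatInvoice"]

if __name__ == "__main__":
    for label, sample in (("Antimarc", ANTIMARC), ("Alarm", ALARM), ("benign", BENIGN)):
        print(label, triage(sample))
```

A 'review' verdict is expected for many legitimate templates that use AutoOpen alone; the combination with hooks on Tools/Macro, File/Templates or the VB editor is what separates the entries above from ordinary automation.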

Macro.Word97.Anthrax

Friday, July 27th, 2007

Details
Macro.Word97.Anthrax

This virus contains seven macros in one module “Anthrax”: FileNew, AutoNew, AutoOpen, Anthrax, FileSaveAs, FileTemplates, ToolsMacro, ViewVBCode.
It infects documents when they are saved with a new name (FileSaveAs). It infects NORMAL.DOT when an infected document is opened; the virus then displays the MessageBox:
Virus Anthrax
Modèle Normal infecté!!!!

On entering menu “Tools/Macro” the virus displays the Balloon:
Virus Anthrax
Attention, ce menu n’est pas autoriséall

On entering menu “Tools/FileTemplates and Add-Ins…” the virus displays the MessageBox:
Virus Anthrax
Le virus ANTHRAX ne peut pas vous autoriser l’accès!!!
HAHAHAHAHA!!!!

On creating new document it displays the MessageBox:
Virus Anthrax
Anthrax est en train de contaminer votre ordinateur!!!!

Depending on the system random counter, the virus either erases the files C:\AUTOEXEC.BAT, C:\CONFIG.SYS and C:\WINDOWS\SYSTEM\*.DLL, or creates and runs a disk formatting program, or displays the following scrolling string in the StatusBar:
HAHAHAHAHA!!!!, Je m’appelle Anthrax et je vais détruire ton ordinat!!!

Macro.Word97.Allen

Friday, July 27th, 2007

Details
Macro.Word97.Allen

This virus contains six macros in documents and nine in the NORMAL.DOT:
Documents: AutoExec, AutoOpen, FileOpen, FileSave, FileSaveAs, Tools
NORMAL.DOT: AutoExec, AutoOpen, FileOpen, FileSave, FileSaveAs, FileMacro, FileTemplates, ToolsCustomize, ToolsMacro

The virus infects documents upon opening, saving, or saving them with a new name. Upon opening an infected document, it also turns off the VirusProtection options.
In November, it displays the following message:
My heart to you
SELAMAT ULANG TAHUN..ALLEN

Upon entering the Tools/Macro menu, the virus displays the following message:
Attention:
No Macro virus In Templates

Macro.Word97.Aljadezz

Friday, July 27th, 2007

Details
Macro.Word97.Aljadezz

This is a polymorphic macro virus. It contains twelve macros in the module “aljadezz”: FileSaveAs, Mutate, EditFind, AutoOpen, FileSave, FilePrint, Inserta, ToolsMacro, ViewVBCode, ToolsCustomize, FileTemplates, Retro.
The virus replicates when one of the following macros is executed: FileSaveAs, EditFind, AutoOpen, FileSave, FilePrint. Its polymorphic routine inserts random comments into the virus code.
The macro EditFind erases the system files:
C:\WINDOWS\WIN.COM
C:\CONFIG.SYS
C:\AUTOEXEC.BAT
C:\COMMAND.COM

On printing (FilePrint) the virus adds a page with the text:
-=INFECTADO CON EL ALJADEZZ VIRUS=-

The virus then deletes the files:
C:\WINDOWS\*.*
C:\*.*

The virus also erases the anti-virus programs:
C:\Archivos de Programa\AntiViral Toolkit Pro\Avp32.exe
C:\progra~1\Antivi~1\Avp32.exe
C:\Archivos de Programa\AntiViral Toolkit Pro\*.avc
C:\progra~1\antivi~1\*.avc
C:\f-macro\f-macro.exe
C:\f-prot~1\f-macro.exe
C:\Archivos de Programa\Command Software\F-PROT95\Sign.def
C:\progra~1\comman~1\f-prot95\sign.def
C:\Archivos de Programa\Command Software\F-PROT95\Dvp.vxd
C:\progra~1\comman~1\f-prot95\dvp.vxd
C:\Archivos de Programa\McAfee\VirusScan95\Scan.dat
C:\progra~1\mcafee\viruss~1\scan.dat
C:\Archivos de Programa\McAfee\VirusScan95\Mcscan32.dll
C:\progra~1\mcafee\viruss~1\mcscan32.dll
C:\Archivos de Programa\McAfee\VirusScan\Scan.dat
C:\Archivos de Programa\McAfee\VirusScan\Mcscan32.dll
C:\Archivos de Programa\Norton AntiVirus\Viruscan.dat
C:\progra~1\norton~1\viruscan.dat
C:\Archivos de Programa\Symantec\Symevnt.386
C:\progra~1\symantec\symevnt.386
C:\PC-Cillin 95\Scan32.dll
c:\pc-cil~1\*.dll
C:\PC-Cillin 95\Lpt$vpn.*
C:\PC-Cillin 97\Scan32.dll
C:\PC-Cillin 97\Lpt$vpn.*
C:\Tsc\PC-Cillin 97\Scan32.dll
c:\tsc\pc-cil~1\*.dll
C:\Tsc\PC-Cillin 97\Lpt$vpn.*
C:\TBAVW95\Tbscan.sig
c:\Tbavw95\Tb*.*
C:\Tbavw95\Tbavw95.vxd
C:\Archivos de Programa\Norton Antivirus\*.*

Macro.Word97.Aleja

Friday, July 27th, 2007

Details
Macro.Word97.Aleja

The virus contains six macros: AutoClose, AutoOpen, ArchivoGuardar, ArchivoGuardarComo, ArchivoImprimir, ArchivoImprimirPredeter.
The virus spreads when documents are opened, saved, or saved with a new name. To hide its code the virus disables the ToolsMacro menu. It also turns off the VirusProtection option.
Before a document is printed, the virus replaces the primary header with the text:
Documento infectado con el virus ALEJA5

Macro.Word97.Alarm

Friday, July 27th, 2007

Details
Macro.Word97.Alarm

This virus contains only one macro, AutoOpen. It infects files that are opened. It also hooks the timer and every 5 minutes infects the global macros area and the current document, if they are not already infected. The virus does not manifest itself in any way.

Macro.Word97.Alamat

Thursday, July 26th, 2007

Details
Macro.Word97.Alamat

This is a dangerous macro virus. It spreads in the ordinary way: it infects the global macros area when an infected document is opened, and other documents are infected when they are opened or closed.
The virus has many payload routines. Each of them is activated on only one day of the month:
1 - the virus inserts in document the text:
Alamat brought to you by Lucky Warrior

2 - disables “Table” menu command
3 - disables “Help” menu command
4 - deletes all files in root folder of drive C:
5, 25, 27 - deletes all files in folders:
C:\progra~1\Drsolo~1\Anti-V~1\*.*
C:\Program Files\Norton~1\*.*
C:\progra~1\mcafee\viruss~1\*.*
C:\progra~1\pc-cil~1\*.*

6 - deletes all files in “C:\Windows\” folder
7 - saves documents with password “Alamat”
8 - prints document with added note “Your’re infected with the Alamat virus!”
9 - changes Windows registered owner name to “Lucky Warrior”
10, 30 - deletes all files in “C:\Windows\” and “C:\Winnt\” folders
11 - deletes one character at cursor position.
12 - opens “www.playboy.com” site
13 - displays Office Assistant with message:
Warning!
Ms Word is suffering from unknown virus!

14 - modifies the system registry to display a message before system log-on:
Lucky Warrior
Welcome to the world of Alamat!

15 - replaces all “of” words by “Alamat” and then deletes commands “Replace” from menu
16 - hides Office Assistant and mouse cursor
17 - changes Word window caption to “Alamat”
18 - disables “File” menu item
19 - exits Word just after document open
20 - deletes all files in “C:\Progra~1\System” folder
21 - disables “Edit” menu command
22 - disables “View” menu command
23 - disables “Insert” menu command
24 - disables “Format” menu command
26 - exits Windows
28 - changes Word user information:
UserName = “Lucky Warrior”
UserInitials = “LW”
UserAddress = “Bgy. Tiguib, O.E.S.”

29 - disables “Window” menu command

Macro.Word97.Akuma

Thursday, July 26th, 2007

Details
Macro.Word97.Akuma

This is a dangerous macro virus. It infects the global macro area when an infected document is opened; other documents are also infected when they are opened. The infection routine locates the virus procedures individually and stores them in the disk file “C:\CONT.DBL”. When infecting a victim document, the routine adds the code from this file to the document without destroying the document’s macros, except the “Document_Close” and “Document_Open” macros. This makes the virus more stealthy.
In one case out of two, the virus changes the document’s summary information:
Title = “Akuma Macro Carrier”
Author = “Akuma”
Keywords = “Mary Bitch”

The virus sets the size of the recently edited files list to its maximum of nine files (MS Word adds every opened file to this list). On document closing the virus checks the system date and, if the day is 16, 17 or 18, executes its payload routine. This routine looks for the file “C:\MARY.LOG”, which must have the “hidden” and “read only” attributes set; if the file is not found, it overwrites all files in the recent files list. The virus replaces the content of these files with the text:
Something wonderful has happened, your PC is alive and even better but some
of your documents are infected by the Akuma virus.
Mary is simply a bitch and you, , are a stupid jerk and
lose some files.
Have a nice day.

After that the files are almost unrecoverable.

