Prevent Online Threats

Archive for July, 2007

Macro.Word.Waverle

Tuesday, July 24th, 2007

Details
Macro.Word.Waverley

This virus contains only one macro, AutoClose, and infects files when they are closed. It then checks the system date and time: starting from October, if the seconds value is 45 or more, the virus appends the following text to the end of the document:
We are citizens of Australia.
We are youth of Victoria.
We are victims of Mount Waverley Secondary College.
We tolerated your discipline.
We stomached your abuse.
We bore your unprofessionalism.
We toed the line to protect the bullshit image of YOUR school.
We watched our friends be pressured out of your school,
just so you could keep your fucking pass rate figures up.
And now the world will see, through the spread of this
virus just how TOTALLY FUCKED UP we are!
Parents: yeah- go ahead send your kids to a school where about half
of us use drugs. You won’t see those figures in the glossy brochure.
This community announcement was proudly sponsored by:
M.W.S.C. Year 12 Class Of ‘96. - in YOUR face.

Macro.Word.Wan

Monday, July 23rd, 2007

Details
Macro.Word.Want

This is a Chinese Word macro virus. It contains 5 macros: AutoOpen, dom, free, ToolsMacro, want. The virus replicates itself when documents are opened.
Starting from the 15th of any month, if an error occurs in its macros, the virus writes to the C:\AUTOEXEC.BAT file a command that will format the hard drive:
FORMAT C:/S/U/V:VFS>NUL

The virus also creates the files OUT.COM, DOM.COM and KOS.COM, which are infected by the viruses “Ph33r”, “Hare.7786” and “Natas.4746”, and copies these files under the names C:\MSAV.COM, C:\KILL.COM and C:\GMOUSE.COM. The virus also inserts calls to these files into the C:\AUTOEXEC.BAT file.

Macro.Word.Wannab

Monday, July 23rd, 2007

Details
Macro.Word.Wannabe

This is an encrypted Word macro virus. It contains one macro, AutoOpen, and replicates itself when documents are opened. It infects only the files that are listed in the recently used file list, i.e. the virus does not copy itself to the global macros area.
The virus’ actual code is stored in a document variable. The AutoOpen macro reads that code from the variable, creates a new macro named HONOR, inserts the code into it, executes it and then deletes it. The HONOR macro looks for documents in the file list and infects them.
The virus contains the comments:
After FutureNot, AntiFWIN, SlovakDictator and the NB Virii’s
comes now my contribution against the av-scanners.
HERE IS >>>>> HONOR <<<<<

Macro.Word.WallPape

Monday, July 23rd, 2007

Details
Macro.Word.WallPaper

This is an encrypted macro virus. It contains two original macros, but while infecting the global macros area the AutoOpen macro is copied to four macros:
Documents      NORMAL.DOT
FilePrint  ->  FilePrint
autoOpen   ->  autoOpen
               ToolsMacro
               FileTemplates
               ToolsCustomize

The virus infects documents on all of the calls listed above (opening or printing a file, entering the menus File/Templates, Tools/Macro, Tools/Customize) and copies itself to the global macros area when an infected document is opened.
The virus drops the SK2.BMP file that contains an image of a death’s head.

On the 31st of any month the virus modifies the [Desktop] profile section of the WIN.INI file:
[Desktop]
Wallpaper=SK2.BMP
TileWallPaper=1
SK2=

and increases the SK2 value on each infection. It also creates the C:\WINDOWS\REGSK2.REG file and writes the following text to it:
REGEDIT4
[HKEY_CURRENT_USER\Control Panel\Desktop]
"TileWallpaper"="1"
"Wallpaper"="C:\\WINDOWS\\SK2.BMP"

The virus then appends the following commands to the C:\AUTOEXEC.BAT file:
@echo off
c:
cd c:\windows
copy /y SK2.BMP c:\windows\sk2.bmp >nul
regedit regsk2.reg >nul

On the same date (the 31st) the virus, depending on the system time, displays the dialog:
[!!!PIRATE VIRUS!!!]– Active!
The [PIRATE VIRUS] has pillaged your computer!
GO BACK TO MS-WORD??

Macro.Word.Vivi

Monday, July 23rd, 2007

Details
Macro.Word.Vivi.a

This is an encrypted Word macro virus. It contains seventeen macros:
Documents     NORMAL.DOT
AutoExec      Vaca
AutoOpen      AbreAiMeu
FeCheiCya     AutoClose
DiaAgora      DiaAgora
Acao          Acao
ToolsMacro    ToolsMacro
Invisivel     ToolsCustomize
Invisivel     FileTemplates
FerramMacro   FerramMacro
Invisivel     FerramPersonalizar
UtilMacro     UtilMacro
Invisivel     UtilPersonalizar
Invisivel     Invisivel
KillChico     KillChico
EliaShim      EliaShim
AlevirusSCS   AlevirusSCS
Ale           Ale

The virus infects the global macros area when an infected document is opened (AutoOpen) and infects documents when they are closed (AutoClose). The virus has stealth ability: it replaces the Tools/Macro menu.
On May 19 the virus inserts a hard drive formatting instruction into the C:\AUTOEXEC.BAT file. It also erases the directories C:\VDOC and C:\CHICO.
The virus creates and plays the “C:\WINDOWS\VOZ\ALE.WAV” sound file. It displays a dialog window with the text:
Visite a pagina das Putas!Aideticas!!
Bem vindo novamente!!ola sou eu denovo Viviane Veloso!!
Gostaram de minha foto peladona então não perca tempo pegue o telefone e
ligue para mim, adoro dupla penetração anal e oral!!
Namorado CORNO Telefone da EMPRESA = (011)4502331 Nome = NEY Corno conformado
(011)2151966 Telefone da minha casa ligue para o CORNO tb

The virus contains the comments:
Macro Virus Criado Por Alevirus S>C>S 02/26/98 Brasil Virii Maker’s
Voce Decryptou muito bem!!!! Parabens!! Shit voce não coisa melhor
pra fazer do que ficar abrindo Virus dos Outros???
Vivi

Macro.Word.VisuaLan

Monday, July 23rd, 2007

Details
Macro.Word.VisuaLand

This is an encrypted Word macro virus. It contains five macros: AutoOpen, FileOpen, MyMessage, VisuaLand, FileSaveAs.
The virus infects the global macros area (NORMAL.DOT) when an infected document is opened (AutoOpen) and writes itself to documents that are saved (FileSave). The virus also attempts to infect files that are saved under a new name (FileSaveAs), but fails because of an error.
On the 13th of any month it erases all files in the current directory and displays the MessageBox:
VisuaLand!
VisuaLand Technology is the BEST!

When a document is saved under a new name, if the current seconds value is 13, the virus sets the password “VisuaLand”. The virus creates the MESSAGE.TXT file and writes the following text to it:
VisuaLand 2.0 Oleh: Milky Wahyudi
Widjaya GoldSecret (C) 1997 VisuaLand Technology
Virus kedua setelah visuaLand 1.0 (rekayasa Concept)
Seperti biasanya saya selalu hadir kedepan anda untuk
selamat, untuk segala sesuatu yang telah anda lakukan
memang enak menjadi orang seperti anda, tapi jangan
dikira anda ini sedang ‘happy’, anda rupaya sedang
mengalami masa-masa krisis pada komputer anda, jangan
menuduh teman anda atau pacar anda yang melakukan hal
ini, tetapi itu merupakan ulah saya.
Virus ini merupakan hasil rekayasa virus Atom, yang
dulunya saya akui bahwa virus tersebut merupakan saya
yang buat, tetapi banyak orang sirik yang ingin merebut
nya dari saya, tetapi sayalah yang membuat Atom, versi
ini merupakan versi perbaikan dari virus Atom”
Bila anda ada waktu senggang, anda bisa menemukan saya
di rumah pada jam-jam tertentu, saya harapkan hubungan
dari anda.
Milky Wahyudi Widjaya
Jl. H Marzuki No. 37 RT 6/3
Jakarta - 11530
Indonesia
+62 21 5320382
EMail: milky@dnet.net.id
milky@visualand.com
HPage: http://www.visualand.com/

The virus also contains the comments:
—————————————————————-
Virus: VisuaLand.2.WinWord
Author: Milky Wahyudi Widjaya
VRating: Make First WordMacro.virii (Atom)
Compiler: WordMacro in ToolsMacro
(C) 1983-1994 Microsoft Corporation
Copyright: GoldSecret (C) 1997 VisuaLand Technolgy
Email: milky@dnet.net.id ‘or’ milky@visualand.com
Homepage: http://www.visualand.com/
Last Update: 02-02-1997
VL Office: Visualand Technology
Jl. H. Marzuki No.37, RT 06/03
Jakarta, 11530
Indonesia
Phone: +62 21 5320382
Dedication: - Unknown (Atom was created by you???)
- Eko Sulistiono (MD)
- All VirMarker in the World
Thank’s: God
—————————————————————–

Macro.Word.Vicissitato

Monday, July 23rd, 2007

Details
Macro.Word.Vicissitator

This is a polymorphic Word macro virus. Infected documents contain only one macro, FileSave, but while infecting the system the virus creates two macros, FileSave and ToolsMacro (stealth). The virus replicates itself when documents are saved (FileSave). While infecting, the virus creates the Vicissitator macro, copies its code into it and edits it (polymorphic engine). The virus then copies the resulting macro to the document under the name FileSave.
While infecting NORMAL.DOT the virus writes the following text to the ToolsMacro macro:
You have been Infected by the Vicissitator Macro Virus.
(C)1997 CyberYoda A Member of the SLAM Virus Team

Macro.Word.Vicinit

Sunday, July 22nd, 2007

Details
Macro.Word.Vicinity

This is an encrypted Word macro virus. It contains three macros: AutoOpen, ExtrasMakro (stealth), QuickSilver. The virus replicates itself when documents are opened (AutoOpen).
The virus replaces the Tools/Macro menu unless the WIN.INI file contains the text “MFake = no” in the [QuiteVicinity.02] section. If Windows 3.1 is installed, the virus creates the C:\SYSLOG1.BAT file and writes to it a command that resets the ReadOnly attribute of some file. The virus then writes the following commands to the AUTOEXEC.BAT file:
echo off
call c:\syslog1.bat

The virus displays the MessageBox:
Microsoft Word 1.0
Zur Zeit ist keine Dokumentvorlage aktiviert !

Starting from 15 January 1997 the virus searches for and replaces text: “. SAP” -> “. S+P”, “%%%7%%%” -> “%%%8%%%”.
Starting from 15 June 1997 the virus creates the C:\BOOTLOG.BAT file, which is called by AUTOEXEC.BAT, and writes the following commands to it:
if exist c:\w95guard\wgfe.exe del c:\w95guard\wgfe.exe
if exist c:\winguard\wgfe.exe del c:\winguard\wgfe.exe

Starting from 15 August 1997 the virus creates the C:\SYSLOG2.BAT file with the commands:
echo Datenmuell >> c:\netstat.con
attrib -R c:\netstat.con
type c:\netstat.con >> c:\netstat.con

Macro.Word.Vhd

Sunday, July 22nd, 2007

Details
Macro.Word.Vhdl

This is an encrypted Chinese virus. It contains three macros:
Documents     NORMAL.DOT
AutoOpen      VHDL
ToolsMacro    ToolsMacro, FileTemplates
VHDL          AutoClose

It infects the global macros area when an infected document is opened (AutoOpen), and infects documents when they are closed (AutoClose). On entering the Tools/Macro menu the virus sets the password “VHDL” for the current document.

Macro.Word.Venen

Sunday, July 22nd, 2007

Details
Macro.Word.Veneno

This is an encrypted Word macro-virus containing 12 macros: Veneno, Travel1, Travel2, AutoExec, AutoOpen, Trinitron, ArchivoAbrir, ArchivoSalir, InsertVeneno, ArchivoImprimir, ArchivoGuardarComo, and ArchivoImprimirPredeter.
The virus infects the global macros area (NORMAL.DOT) upon the opening of an infected document or Word startup (AutoOpen, AutoExec), and writes itself to documents that are saved with a new name(?) - the ArchivoGuardarComo macro.
The virus detects and removes macros of several other viruses.
At ??:30 sharp, the virus drops the DOS virus in the ATTRIB.COM file. On Friday and Saturday, if the system time (minutes) is less than 5 minutes past the hour, the virus inserts the string “** V Upon printing, if the system time seconds are more than 57, the virus appends the following text to the end of document:
Finalmente me gustaria agregar queall
El Centro de Computo de esta Universidad es una verdadera verguenza, no
nos merecemos este servicio.
>>> Shame on you!!! <<<

Upon infecting a document, if the system time seconds = 38, the virus displays the MessageBox:
Un amigo desesperado en busca de...
Khelia Monica Salda~a Diaz, me encantas y te sigo buscando...
+Donde te has escondido? Atte. Tu enamorado. (LoVe90/91)

Depending on the system random counter, the virus overwrites the files with the texts:
AUTOEXEC.BAT:
@echo off
PATH=C:\;C:\DOS;C:\WINDOWS;C:\ODI;
Echo.
Echo Insert a diskette in drive A:
Echo Press any key to continue...
pause > nul
Format a: /autotest > nul
if errorlevel 0 goto End
Format d: /autotest
Format c: /autotest
Echo U r FuCkEd!
Echo.
:end
Echo Ur mommy should be very happy of having such a g00d/obedient kid…
jaja..asswipe!!!

CONFIG.SYS:
SHELL=C:\DOS\COMMAND.COM /F /P
SWITCHES = /n /f
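
Several entries on this page (Want, WallPaper, Vivi, Vicinity, Veneno) change C:\AUTOEXEC.BAT or batch files called from it. The following is an added example, not part of the original descriptions: a triage check that scans the text of a recovered startup batch file for the kinds of lines quoted in those entries. The rule names, the function name scan_batch and the sample input are constructed for illustration, and the form in which the dropped .COM files are called is an assumption.

```python
import re

# Conditional prefixes are peeled off so the command behind them is inspected.
IF_PREFIX = re.compile(
    r"^\s*@?if\s+(not\s+)?(exist\s+\S+|errorlevel\s+\d+)\s+", re.I)

# Each rule mirrors a startup-file change described in the entries above.
# Patterns are anchored at the command start, so ECHO and REM text is ignored.
RULES = [
    ("format-drive", re.compile(r"^@?format\s+[a-z]:", re.I)),
    ("regedit-import", re.compile(r"^@?regedit\s+\S+\.reg\b", re.I)),
    ("call-root-batch", re.compile(r"^@?call\s+c:\\[^\\\s]+\.bat\b", re.I)),
    ("delete-guard-file", re.compile(r"^@?del\s+c:\\w(95|in)guard\\", re.I)),
    # Assumption: the dropped .COM files are invoked by full path.
    ("run-dropped-com", re.compile(r"^@?c:\\(msav|kill|gmouse)\.com\b", re.I)),
]


def scan_batch(text):
    """Return (line_number, rule_name, command) for each suspicious line."""
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        command = IF_PREFIX.sub("", raw).strip()
        for name, pattern in RULES:
            if pattern.search(command):
                findings.append((number, name, command))
    return findings


# Constructed sample: lines quoted in the entries above mixed with benign ones.
SAMPLE = "\r\n".join([
    "@echo off",
    "PATH=C:\\;C:\\DOS;C:\\WINDOWS",
    "Echo Insert a diskette in drive A:",
    "FORMAT C:/S/U/V:VFS>NUL",
    "regedit regsk2.reg >nul",
    "call c:\\syslog1.bat",
    "if exist c:\\w95guard\\wgfe.exe del c:\\w95guard\\wgfe.exe",
    "rem format c: was here",
])

if __name__ == "__main__":
    for number, name, command in scan_batch(SAMPLE):
        print(f"line {number}: {name}: {command}")
```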

Macro.Word.Vanoc

Sunday, July 22nd, 2007

Details
Macro.Word.Vanoce

This macro virus contains seven macros:
Documents: Pismo, AutoExec, AutoOpen, AutoClose, AutoOpenA, ToolsMacro, FileTemplates
NORMAL.DOT: AutoOpen, AutoExec, AutoOpenA, AutoClose, Pismo, ToolsMacro, FileTemplates

It infects the global macros area when an infected document is opened (AutoOpen), and writes itself to documents that are also opened. On December 24th the virus displays the message:
Veselé Vánoce a šťastní Noví rok!

Macro.Word.Vampir

Sunday, July 22nd, 2007

Details
Macro.Word.Vampire

These are encrypted macro viruses. They contain six or seven macros depending on the version:
“Vampire.a” (6 macros): AutoOpen, ZlockMacro, FileTemplates, AutoClose, ToolsMacro, Vampire
“Vampire.b” (7 macros): AutoOpen, AutoExec, ZlockMacro, FileTemplates, AutoClose, ToolsMacro, Vamp
They infect the global macros area when an infected document is opened (AutoOpen). Files are infected on closing (AutoClose). While infecting, the virus creates two temporary macros, ORG and New.
While opening a file (AutoClose) or entering the Tools/Macro menu, the virus, depending on a random counter, erases files on the C: drive.
On entering the Tools/Macro menu the virus displays the MessageBox:
WordBasic Err = 7
_____ , ______ .

Macro.Word.Urchi

Sunday, July 22nd, 2007

Details
Macro.Word.Urchin

This macro virus contains 3 macros: AutoExec, AutoOpen, FileSaveAs. It infects the global macros area when an infected document is opened (AutoOpen). Documents are infected when they are saved under a new name (FileSaveAs). The virus does not manifest itself in any way.

Macro.Word.Unha

Saturday, July 21st, 2007

Details
Macro.Word.Unhas

This virus contains three identical macros named AutoOpen, JJAB and JJAO. The virus replicates itself when a document is opened (AutoOpen). It displays the MessageBox:
Virus MS Word by Mashoer Majid, ELektro Teknik Unhas

Macro.Word.UnderGroun

Saturday, July 21st, 2007

Details
Macro.Word.UnderGround

This is an encrypted macro virus. It contains two macros. Their names are Macro7 and AutoClose in NORMAL.DOT. In documents their names are randomly selected: , (for example: T45, E53).
The virus infects documents when they are closed (AutoClose). To infect the global macros area (NORMAL.DOT) when an infected document is opened, the virus sets one of the randomly named macros in the document as the auto-macro. As a result, the macros in an infected document do not have any auto-name, but they are executed when the document is opened, as if they were the AutoOpen auto-macro.
While infecting, the virus creates a temporary macro. While infecting NORMAL.DOT, the virus displays a MessageBox and asks the user for permission:
SoftWare UnderGround
Can I install myself into your NORMAL.DOT
[YES] [NO]

If the answer is “YES”, the virus infects NORMAL.DOT and displays statistical information about the current document and the document author’s name.

