Prevent Online Threats

Archive for August, 2007

MadMan.166

Saturday, August 25th, 2007

Details
MadMan.1663

This is a not dangerous memory resident encrypted parasitic virus. It hooks INT 9 and 21h and writes itself to the end of EXE files that are closed (i.e. the virus infects files that are copied or checked by some utility). The virus does not infect F-PROT, SCAN, or any file that has the letter ‘V’ in its name.
The virus adds the “@ECHO I’m watching you!” command to the end of .BAT files. On Alt-Ctrl-Del, the virus displays the following picture and message:
..xXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXxXx
.. xXXXXXXXXXX XXxXxXX XXXXXXXXXXx X
. xxxxXXXXXxxXxxXXXXXxxxx x
x . x xxXXXXXxx x . xxXXX
..xXxxxXxxXx. XXXXXXXXXxxxXxxxXxxxxX
.xXxxxxXXx. XXXXXXXXXXXXxxxxXXXXXX
Nothing can save you here, friend - you’re in my world now!

The virus also contains the text strings:
MadMan

Made Famil

Saturday, August 25th, 2007

Details
Made Family

These are harmless not memory resident encrypted parasitic viruses. They search for COM files in the current directory and infect them in the standard manner. They contain the internal text strings:
Made in England
*.COM

MadCobra.111

Saturday, August 25th, 2007

Details
MadCobra.1118

MadCobra.1118 is a not dangerous memory resident parasitic encrypted virus. It hooks INT 8, 9 and 21h and writes itself to the end of COM and EXE files that are executed. Depending on the system timer, it launches a jumping asterisk on the screen. It monitors the keyboard and, when the DEL key is pressed, depending on the system timer, it displays the message:
***[ Just wanna say Wa'Sup to: ]**********************************************
The Carmel Massive
The Jamaican Posse and
Mad Cobra. Keep the FLEX alive!
By-The-Way John call this one “Greetings”.

This virus also contains the internal string:
Admiral Bailey [YAM]

MAD.128

Saturday, August 25th, 2007

Details
MAD.1288

These are very dangerous memory resident parasitic viruses; the major versions (2631, 3544, 3732 and Morose.5131) are polymorphic.
MAD.1288
This virus hooks INT 21h and writes itself to the end of EXE files that are executed or opened. Under a debugger, it erases the hard-drive MBR. Upon execution of every 33rd file, it overwrites a randomly selected disk sector with the following text:
THE MYTH [C]Black Angel : Next time ,Use a condom …

MAD.2631,2748
These viruses hook INT 9, 1Ch, and 21h, and write themselves to the end of COM and EXE files that are accessed. The viruses do not infect the following files:
*EB.* *ST.* *EW.*

The viruses have several bugs and often halt the computer. On the 13th of any month, or if the text strings (see below) are corrupted, the viruses erase the CMOS and the hard drive sectors. Upon every 1000th keystroke, the viruses erase a randomly selected disk sector. If no key is pressed for one and a half minutes, the viruses display the following message:
+———————————————+
| W a r n i n g ! |
+———————————————+
| Your machine is infected by MAD I virus |
| -= Written & Copyright by Black Angel =- |
| from Moscow |
| For cure call DR.WEB (812) 296-3096 |
| Good-Bye!!! |
+———————————————+

The viruses also contain the text strings:
“MAD.2631”: BETATHE MAD I virus (c)Black Angel
“MAD.2748”: THE MAD version 1.2 virus (c)Black Angel

MAD.3544,4340
These viruses hook INT 13h and 21h, encrypt the major part of their TSR code, and decrypt/encrypt it “on-the-fly” as needed. To do this, the virus copies two parts of its INT 21h handler into the Interrupt Vector Table and the DOS data area at the addresses 0000:0200 and 0060:0000, then sets the INT 21h address to 0060:0000. When that code gains control, it decrypts the main virus TSR part using the decryption routine placed at 0000:0200, and jumps to the virus code.
By hooking INT 21h, the virus writes itself to the end of COM and EXE files that are created (it intercepts the CreateFile DOS call, stores the file’s handle, and then infects the file on the CloseFile DOS call). On the 13th of any month, the virus infects COM files with the “MiniMad.279” parasitic virus (see below).
Upon execution of any file, the virus, depending on its counter, puts the string “MAD” into the keyboard buffer. Upon execution of a WIN*.* file, the virus disables the mouse driver and displays:
WINDOWS MUST DIE!

By hooking INT 13h, the virus intercepts writing to the hard drive MBR and encrypts the data buffer (i.e., newly created MBR). While reading the encrypted MBR, the virus decrypts it in the data buffer.
The virus uses anti-debugging tricks. Under a debugger, the virus erases the hard drive sectors. The virus also contains the strings:
“MAD.3544”:
MAD 1.5a Copyright by Black Angel 03-08-96 : a New Beginning

“MAD.4340”:
BUILD40
MAD 1.7 (C)opyright by Black Angel(from Moscow!) 29-09-96 : Next version…

MiniMad.279
This virus is dropped by “MAD.3544”. When an infected file takes control, the virus searches for COM files and writes itself to the end of the file. The virus infects only files that begin with a JMP NEAR (E9h xxxxh) instruction, and replaces the instruction’s offset (xxxxh) with the offset of the virus code. Before closing the file, the virus stores the original offset (xxxxh) in the file’s date stamp and erases it from the virus code.
As a result, no original file data is kept in the virus code. To return control to the host program, the virus reads the file’s date stamp and uses it as the original offset.
It contains the text string:
The MiniMad version 1.0 beta*.com
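
A defender-side check for the MiniMad.279 scheme just described, added here as an example; it is not code from the original page or from any anti-virus product. It assumes the 279-byte body is appended unchanged, that the original JMP offset is saved as a raw 16-bit value in the file’s date stamp (the page does not give the exact stamp layout), and it works on a constructed sample COM file:

```python
import struct

VIRUS_LEN = 279      # virus body length, taken from the name MiniMad.279
COM_LOAD = 0x100     # a COM image is loaded at CS:0100h
JMP_NEAR = 0xE9      # opcode of JMP NEAR rel16


def jmp_target(rel16):
    """Absolute IP reached by a JMP NEAR sitting at offset 0 of a COM file."""
    return (COM_LOAD + 3 + rel16) & 0xFFFF


def looks_infected(data):
    """True when the entry JMP lands exactly on a 279-byte block appended
    to the host. A clean file whose JMP happens to target that spot would
    also match, so treat this as a heuristic, not a signature."""
    if len(data) < 3 + VIRUS_LEN or data[0] != JMP_NEAR:
        return False
    rel16 = struct.unpack_from("<H", data, 1)[0]
    host_len = len(data) - VIRUS_LEN
    return jmp_target(rel16) == COM_LOAD + host_len


def disinfect(data, saved_offset):
    """Reverse the infection: put the JMP offset kept in the date stamp back
    and cut off the appended body. The virus keeps no copy of the host's
    original bytes, so the stamp is the only place the offset survives; a
    wrong stamp value therefore yields a wrong entry JMP."""
    if not looks_infected(data):
        raise ValueError("entry JMP does not point at an appended 279-byte body")
    host = bytearray(data[:len(data) - VIRUS_LEN])
    struct.pack_into("<H", host, 1, saved_offset & 0xFFFF)
    return bytes(host)


# Constructed sample (assumption, not a real MiniMad sample): a 20-byte host
# COM that starts with JMP 010Dh (E9 0A 00), skipping a 10-byte data area,
# then exits via INT 21h, AH=4Ch.
HOST = (bytes([JMP_NEAR, 0x0A, 0x00]) + b"\x00" * 10
        + b"\xB4\x4C\xCD\x21" + b"\x90" * 3)
SAVED_OFFSET = 0x000A   # the value the virus would have left in the date stamp

# The same host after the infection described above: JMP retargeted to the
# first byte after the host, 279 placeholder bytes appended, host bytes intact.
INFECTED = (bytes([JMP_NEAR]) + struct.pack("<H", len(HOST) - 3)
            + HOST[3:] + b"\xCC" * VIRUS_LEN)

if __name__ == "__main__":
    print("clean host flagged:", looks_infected(HOST))                    # False
    print("infected flagged:", looks_infected(INFECTED))                  # True
    print("restored == host:", disinfect(INFECTED, SAVED_OFFSET) == HOST)  # True
```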

MAD.3732
This virus hooks INT 21h, and writes itself to the end of COM files that are executed or opened. Under a debugger, it formats the disk sectors. It contains the following texts:
The MAD version 1.4(beta) for TME (C)Black Angel 1996
TME 0.0 (c)Black Angel 14/05/96

MAD.4268,5054
These viruses hook INT 8, 13h and 21h, and infect COM and EXE files that are created and then closed; i.e., they infect only newly created executables so as to avoid detection by CRC integrity checkers. Like several minor versions, these viruses encrypt their TSR code and place an “on-the-fly” encryption/decryption routine in the Interrupt Vector Table.
If the host file name contains the symbols EB, NF, VP, VT, ST or EW, the “MAD.5054” virus corrupts this name in the Environment area. As a result, the virus evades the anti-virus self-checking procedure: the programs cannot locate their own files on disk to check them for viruses.
When an infected file runs, the virus also checks the command line. If the command line contains the “/!” (“MAD.5054”) or “/?” (“MAD.4268”) parameter, the virus stuffs “MAD” into the keyboard buffer.
By hooking INT 13h, the virus encrypts and decrypts “on-the-fly” the boot sectors of floppy disks that are accessed; these disks can then be accessed only under an infected system. By hooking INT 8, the virus calculates and checks CRC sums of the INT 21h handler’s code. If the CRC is wrong, the virus halts the system.
In some cases, “MAD.4268” displays the following message:
Your version of MAD outdate.Upgrade?

The virus then waits for a keystroke. When there is a ‘Y’ keystroke, the virus displays the following message, and erases the hard-drive MBR:
Please Wait! Cured Your system…

The virus then displays the following message in Russian, and overwrites the C:\AUTOEXEC.BAT file with the commands:
@echo Press Y for continue cured….
@echo off
c:\dos\format.com c: >null
echo on

On November 7th, the “MAD.5054” virus erases the CMOS and the hard drive sectors and displays the following message:
Seventh November - black day of a calendar…

This virus also corrupts RAR archives: while they are being saved to disk, the virus replaces RAR’s ID label “Rar!” at the head of the archive with “Mad!”. While a corrupted archive is being read, the virus puts the original “Rar!” label back. As a result, these archives can be accessed only under an infected system.
The viruses also contain the strings:
“MAD.4268”
MAD 1.6 Copyright by Black Angel 24-09-96 :
…continue conversation…
Mutation Engine for Mad [MEM 1.0]

“MAD.5054”:
Small Random Decoder for Mad [SRDM 0.0 beta]
EBNFVPVTSTEW
[MAD 1.8] (C)opy(R)ight by Black Angel from DesTroY Gr0uP : It BEGAN…!
Mutation Engine for Mad [MEM 1.1]

Mad.Morose
While installing itself memory resident, this virus copies a part (231 bytes) of its INT 21h handler to the DOS data area at the address 0054:0000, hooks INT 21h (sets the INT 21h address to 0054:0000), writes its own complete code to the hard drive (unused sectors on track 0) and returns to the host program. As a result, the in-memory virus occupies only 231 bytes and is invisible on the memory map. As needed (while infecting files), the virus reads its whole code from these hard drive sectors into system memory.
The virus hooks only one DOS function, Get DOS Version (AH=30h). On such calls, the virus obtains the name of the active program and infects it: the virus writes itself to the middle of COM files and to the end of EXE files. It does not infect the following files: *EB, *ST, *86, *NF, *VP, and *AN.
While infecting COM files, the virus corrupts them: it replaces INT 21h calls with INT CCh calls. To allow these files to operate, the virus points INT CCh to the INT 21h handler while installing. As a result, the corrupted files work only under an infected system, and halt the system under a clean system (after disinfection).
In January, this virus infects COM files in another way - it generates the executable code of a silly non-memory resident COM infector, and writes it to the end of the file. Upon each infection, the virus generates different COM viruses of varying lengths. To do this, the virus uses its polymorphic engine. As a result, this virus drops varying COM viruses while infecting each file. These COM viruses do not mutate their codes.
Under debugger, this virus erases the hard-drive MBR. On December 31st, it erases the CMOS and displays the following message:
I am DEAD M0R0SE

The virus also contains the texts:
>>> The MaDesTr0yeR <<<
aka [DEAD M0R0SE]
version BETA TEST
Distribution & Copyright by Black Angel 1996
>Destroy Gr0up is down…!!!<
>HàÆô ê Hàü-ïÄ DESTROY GR0UP!<
EBST86NFVPAN
MiniMad 2.0 BETA! [c]Black Angelay

Macro01.217

Saturday, August 25th, 2007

Details
Macro01.2170

This is a not dangerous memory resident parasitic virus. It hooks INT 13h and 28h; on INT 28h calls it searches for COM and EXE files and writes itself to the end of the file. Depending on its internal counters, the virus decrypts and displays the messages:
CRIS-HARDWARE
Ai un virus foarte rau
Pentru anti-virus scrieti la
FAC. de CALCULATOARE din TIMISOARA
Daca in 20 de secunde nu opresti
PC-ul am sa-ti fac praf
HARD-DISKUL

The virus also contains the ID-string:
Macro01

Macro.Word97.ZMK

Friday, August 24th, 2007

Details
Macro.Word97.ZMK.J

Analysis by and (c) Paolo Monti
This macro-virus was written in VBA (Visual Basic for Applications) for MS Word 8.0 (Office 97). It contains very dangerous payloads, and it displays message and dialogue boxes concerning the World Cup Soccer Championship France 98. The VBA project of the virus contains one form named Pronostic and a module implementing 8 different macros:
AutoExec: calls the macro Pronostique or WC98Payload (see below).
AutoOpen: infects the global template and displays a messagebox.
FileSaveAs: infects new documents, saving them as templates, and displays a messagebox.
FileTemplates: displays a messagebox.
Pronostique: displays a dialogue box where the user is forced to make a choice, and implements a number of different payloads.
ToolsMacro: displays a messagebox.
ViewVBCode: shows the MS Word Assistant displaying a message.
WC98Payload: modifies the contents of an active document.
The following instructions can be found at the beginning of all macros:
Disable the possibility to interrupt macro execution
Enable the execution of automatic macros
Disable the antivirus protection built in Ms Word
Disable the confirmation for the global template saving, usually asked before exiting from the program.
The automatic macro AutoExec, executed at the startup of MS Word or when a general template is loaded, gets the current system date and time. If the day number is 12 or the seconds of the system clock are at 12, the AutoExec macro calls the macro Pronostique or the macro WC98Payload. The choice between the two macros is applied randomly. Each has a 50% probability to be called from AutoExec macro.
The macro Pronostique displays a dialogue box on the screen (the form Pronostic) in which the user is asked to choose among 9 different teams participating in the France 98 Championship. If the user chooses the same team that the virus selected randomly, a messagebox of congratulations is displayed on the screen, then the virus goes into an endless loop showing a message in the status bar. Otherwise, the virus applies a randomly selected payload. With a probability of 40%, the virus appends the following lines to the file C:\AUTOEXEC.BAT:
cls
Echo La coupe du monde 98 c’est génial!!!!
Echo y|Format c: /u /v:WorldCup98
Echo o|Format c: /u /v:WorldCup98

27% of the time, the virus tries to delete all files in the directories C:\DOS and C:\WINDOWS\COMMAND and the files C:\MSDOS.SYS and C:\IO.SYS.
In the remaining cases, the virus modifies the text of the active document and prints it.
The macro WC98Payload creates in the active document a WordArt object, applies to it a number of rotation effects, and then erases it.
Inside the project of the virus there are some messages in French:
“VIVE LA COUPE DU MONDE 98!!!!”
“Vive le football!!!, Vive la Coupe du Monde 98!!!”

AVP detects/disinfects this virus since weekly update 980706

Macro.Word97.Zm

Friday, August 24th, 2007

Details
Macro.Word97.Zmk

This virus contains five macros in one module “ZMK98FAV”: AutoOpen, FileSaveAs, FileTemplates, ToolsMacro, ViewVBCode.
It infects the global macros area on opening an infected document and infects documents on saving with a new name. The virus then searches and infects documents in the current directory.
The virus displays the MessageBoxes:
ZMK98FAV
Je suis un nouveau AntiVirus pour Word 97
ZMK98FAV
Vous feriez mieux d’acheter un VRAI ANTIVIRUS…
HAHA !!!!!

Macro.Word97.Zeitung

Friday, August 24th, 2007

Details
Macro.Word97.Zeitung.d

This macro virus infects Microsoft Word documents. It has the following comments at the beginning of its macro:
‘èó îäíÐììÄàîû ë åòèàè àåû”äêéîîüâðññçà îàî èâìäíéðçöèãçò Àñè ã”
‘60
‘awedft
The virus has no payload routine.

Macro.Word97.Xut

Friday, August 24th, 2007

Details
Macro.Word97.Xute

The virus contains one macro “AutoClose” in module “Xute”. It replicates on closing documents by exporting/importing its code through the C:\XUTE.DAT file. On July 26th, or if the sum of the day and month numbers is equal to 30, the virus executes the file deleting command “DELTREE /Y \*.*”.
All text constants (the export file name, the DELTREE command, etc.) are stored in the virus code in encrypted form. When needed, the virus decrypts and uses them.

Macro.Word97.Wn

Friday, August 24th, 2007

Details
Macro.Word97.Wnw

This macro virus contains seven macros and functions in a single module “WNW”: AutoExec, AutoOpen, FileSaveAs, WNWP, FileTemplates, ToolsMacro, ViewVBCode. The virus infects the global macros area on opening an infected document. Other documents get infected on opening or on saving with a new name.
On Saturdays and Sundays, the virus displays the warning messages:
On est Samedi, aujourd’hui
Je ne travaillerai pas…
On est Dimanche, aujourd’hui
Je ne travaillerai pas…

Depending on the number of such messages, the virus performs several destructive operations (see below). The counter of these messages is stored in the WINWORD8.INI file in the [WNW] section in the Total item.
On the 10th message, the virus displays the MessageBox:
Virus WNW
Vous jouez avec le feu…

and deletes the files: C:\WINDOWS\BUREAU\*.LNK and C:\WINDOWS\MENU DÉMARRER\*.*
On the 20th message, the virus displays the MessageBox:
Virus WNW
Je vous avais prévenu…

and deletes the files:
C:\Windows\*.ini
C:\Autoexec.bat
C:\Config.sys
C:\Msdos.sys
C:\Io.sys

On the 30th message, the virus displays the MessageBox:
Virus WNW
Vous l’aurez voulu!!!!

and formats the C: drive.
On these days, the virus, depending on the system random counter, also either displays the MessageBox:
Virus WNW
Au revoir…

or draws the text in the header line of Word window:
Je ne veux pas travailler ce weekend, donc, je vais vous en empêcher…

Macro.Word97.Waterfal

Friday, August 24th, 2007

Details
Macro.Word97.Waterfall

This macro-virus contains two macros, “AutoOpen” and “autonomailer,” in one module “waterfall,” and replicates upon document opening.
The virus changes the Internet Explorer Startup URL with the new address: “http://www.kevinmitnick.com”. The virus also looks for “Internet Mail” active, creates a new message to one of the addresses from the existing list, attaches an active (infected) document, and sends this message. The message Subject field contains the word “Hey,” and the message body contains the strings:
Hey
Youve just got to read this!
Peace

Upon infection, the virus checks the current date and time, and in December, if the current time is 12 minutes past the hour, the virus appends to the AUTOEXEC.BAT file commands displaying the following message:
I have committed the sin of hacking and am unfit in the eyes of the Lord.
I confess to acts of witchcraft and art, dissidence and voodoo.
But in my Craft for which you condemn me,
I SURF THE BRAINWAVES OF GOD.

Trojan-Downloader.Win32.VB.aka

Friday, August 24th, 2007

This Trojan downloads other programs via the Internet and launches them on the victim machine without the user’s knowledge or consent. It is a Windows PE EXE file. The file is 10,240 bytes in size.

Macro.Word97.Vov

Thursday, August 23rd, 2007

Details
Macro.Word97.Vovi

This is a rather simple macro virus, containing one macro:
NewMacros
and the following string label:
VoviusFirstMacroVirus

Macro.Word97.Voc

Thursday, August 23rd, 2007

Details
Macro.Word97.Voce

This virus contains two macros: AutoClose and AutoExit. The virus infects the system and documents upon closing files. Upon exiting Word, it displays the MessageBox:
Você foi vítima de MAP0997!

Macro.Word97.Vampir

Thursday, August 23rd, 2007

Details
Macro.Word97.Vampire

This virus contains 13 macros in one module: AutoOpen, autoexec, AutoClose, FileTemplates, KZ, pire, ToolsMacro (stealth), Vampire2, VM, VM1, VM2, VM3, VMP.
It replicates itself on opening and closing documents (AutoOpen, AutoClose). When an infected Word97 is starting, the virus, depending on the random counter, scans the C: and D: drives and beeps when each file is found. The virus then displays a dialogue box in Chinese. Depending on the system time, the virus inserts a text in Chinese in the current document.
On entering the Tools/Macro menu, the virus displays the MessageBox:
Microsoft Visual Basic
Out of Memory

