Prevent Online Threats

Archive for January, 2009

Macro.Word.Angu

Monday, January 19th, 2009

Details
Macro.Word.Angus

This is an encrypted Word macro virus. It contains nine macros, which carry different names in infected documents and in NORMAL.DOT:
Document          NORMAL.DOT
FC                FileClose
NOpen             AutoOpen
7 other with      FileSave
random names      FileSaveAs
                  FilePrint
                  FilePrintDefault
                  FileTemplates
                  ToolsMacro
                  FileExit
                  PCGURU4

It infects the global macro area on opening or closing an infected document (AutoOpen, FileClose). It infects documents on saving and on saving under a new name (FileSave, FileSaveAs). While infecting documents the virus renames its macros (see above) with random names and stores references to them in the document’s variables.
On October 23rd, when a document is printed, the virus appends the following message to the end of the document:
NAENBGOURSG
Hello from GREECE

On October 24th the virus creates and runs the PCGURU4.BAT file, which contains the instructions:
@echo off
Rem PcGuru4 virus by NAENBGOURSG
Rem Golden Version 4.3
type PcGuru4.bat >> PcGuru4.bat

Macro.Word.Andr

Sunday, January 18th, 2009

Details
Macro.Word.Andry

This encrypted virus contains only one macro, AutoOpen. It infects the global macro area on opening an infected document and writes itself to other documents when they are opened.
On March 1st it sets the document password to “Andry Christian” and prints the following text to the status bar:
* I’M ANDRY CHRISTIAN, IF YOU THOUGHT, YOUR DOCUMENTS
OR TEMPLATES WERE SAFE, YOU WERE WRONG ! *

It then displays the dialog:
HACKERS Labs ’96 – Hackware Technology Research
ANDRY [CHRISTIAN] WORD MACRO VIRUS IS HERE !!!
DO YOU SUPPORT MY VIRUS ?
YES NO

If “NO” is chosen, the virus overwrites the C:\AUTOEXEC.BAT file with the commands:
@ECHO OFF
CLS
ECHO Please wait . . .
FORMAT C: /U /C /S /AUTOTEST > NUL

and the C:\CONFIG.SYS file with commands:
DOS=HIGH,UMB
FILES=40
BUFFERS=40
DEVICE=C:\DOS\HIMEM.SYS
DEVICE=C:\DOS\EMM386.EXE RAM

On the same date (March 1st), depending on the system time, the virus runs the disk formatting command:
COMMAND /C FORMAT C: /U /C /S /AUTOTEST > NUL

Depending on the system time the virus inserts the following text into the current document:
Helloall.
Andry Christian
WordMacro Virus
Is Here….!!!

The virus also contains the comments:
‘======================================================================’
‘ Source Code of Andry Christian WordMacro Virus 0.99 – ßeta Release ‘
‘======================================================================’
‘ Virographer by Andry [Christian] in [Batavia] City, of INDONESIA ‘
‘ Viroright (C) 1996-1999 Hackware Technology Research – HACKERS Labs. ‘
‘ Multi Platform, Multi Infector, Stealth, OneMacro, Encryption, etc ‘
‘ Last Update by 01-Maret-1996 & 01:03 PM – Found Bugs…? Call Me ‘
‘======================================================================’
‘ HACKERS Labs. -> WE ARE A BIG FAMILY OF THE VIRUS CREATOR’s TEAM ‘
‘======================================================================’

Macro.Word.Ana

Sunday, January 18th, 2009

Details
Macro.Word.Anak

This is an encrypted macro virus. It contains four original macros that are copied into five macros while infecting documents and NORMAL.DOT:
        Documents   NORMAL.DOT
Macro1  anakAE      AutoExec
Macro2  AutoOpen    anakAO
        anakAO
Macro3  anakSA      FileSave
                    anakSA
Macro4  anakSMU     anakSMU

The virus infects the global macro area on opening an infected document (AutoOpen) and writes itself to documents when they are saved (FileSave).
The virus defines a new shortcut key, “Shift-Ctrl-F”, and associates it with the Tools/Customize menu. To hide its macros (stealth feature) the virus removes the File/Templates, Tools/Macros and Tools/Customize menus.
From the 25th of any month onward, starting at 14:00, the virus creates a new template and inserts the following text into it:
alli n t r o d u c i n g…
anakSMU
Semarang, March 1997

The virus then registers itself in the system. To do that it creates the ANAKSMU.BAT file, writes the following commands into it and executes it:
@ECHO OFF
REM ———————————————————
REM anakSMU wont destroy your REGEDIT, Just wanna be there :)
REM email: anakSMU@TheOffice.net”
REM ———————————————————
ECHO REGEDIT4 > anakSMU.REG
ECHO [HKEY_CURRENT_USER\Software\anakSMU] >> anakSMU.REG
ECHO [HKEY_CURRENT_USER\Software\anakSMU\anakSMU@TheOffice.net] >> anakSMU.REG
ECHO [HKEY_CURRENT_USER\Software\anakSMU\18.090 - Semarang] >> anakSMU.REG
START /MIN REGEDIT anakSMU.REG
EXIT

The virus then displays the MessageBox:
anakSMU
Yeah!, I wish I were anakSMU

Macro.Word.Allianc

Sunday, January 18th, 2009

Details
Macro.Word.Alliance

This virus contains only one macro in infected documents – AutoOpen, but while infecting the system it copies it to two macros – AutoOpen and AutoNew. As a result, the virus infects the system on opening an infected document, and infects the documents that are opened or created.
The virus sets Subject in the FileSummaryInfo to:
You Have Been Infected by the Alliance

Macro.Word.Allia

Sunday, January 18th, 2009

Details
Macro.Word.Allian

This is an encrypted macro virus. It contains two macros with identical code inside: AutoOpen and AutoNew. The virus infects the global macro area and documents on opening an existing document or creating a new one. After infecting, the virus displays the message:
UNIVERSITI TEKNOLOGI MALAYSIA
ARE YOU A FSKSM STUDENT?
ANSWER YES OR YOUR DOCUMENT WILL BE LOCKED BY MY PASSWORD !
FAKULTI SAINS KOMPUTER DAN SISTEM MAKLUMAT

If a user answers “Yes” the virus sets the password “Saya!” for the current document.

Macro.Word.Alie

Sunday, January 18th, 2009

Details
Macro.Word.Alien

These are encrypted Word macro viruses. They contain three macros in NORMAL.DOT and infected files:
“Alien.a”: AutoClose, AutoOpen, FileSaveAs
“Alien.b”: AutoClose, AutoOpen, FileSaveas

These viruses infect the system global macro area on opening an infected document and infect the files that are opened or closed. Before infecting, the viruses perform several checks on the file/system to avoid an incorrect infection: they search for virus macros in the file/system, check them for the ExecuteOnly attribute, and so on. Depending on these conditions the viruses set several flags, and depending on these flags they infect the file/system.
The viruses check the file name, and if it contains the substring “ALIEN”, they do not infect files or the system.
The viruses also remove menu items “Tools/Customizeall” and “Tools/Macro…”. Other trigger routines are activated starting from:
“Alien.a” – Oct 1 1996
“Alien.b” – Jan 10 1997

Depending on the system random counter they display several messages and perform several actions. On August 1, with probability 1/2 they display the MessageBox:
Alien
Another Year of Survival …

Then they try to hide Program Manager’s window and terminate MS Word.
On Sundays, with probability 1/2 they display the MessageBox:
Alien
It’s Sunday & I intend to relax !

and also try to hide Program Manager and terminate MS Word.
They also display the MessageBoxes with “Alien” title and the strings inside of box:
Never Open Others Files !
Never Trust An Alien !
Don’t Believe All Tips !
Always Back Up Your Data.”
Don’t Believe The Hype !
Three Cheers For The Alien. Hip Hip Hooray !
I’ll Be Back !
Hi Beautiful !
You Facinate Me.
Look No Further …
The ‘Alien’ Virus Has Arrived !
The Alien Lives …

If the file name length is less than 9, they display:
Tip From The Alien
Longer File Names Should Be Used

The viruses also contain “copyright” text:
End of Fun (All good (and bad) things DO come to an end !)
This Code was written in Chandigarh (India) on 01.08.1996
Behold the Alien Virus !! Lets See how it survives !

Macro.Word.Alex

Sunday, January 18th, 2009

Details
Macro.Word.Alex.e

This is an encrypted Chinese Word macro virus. It contains from three to five macros depending on the virus version: autonew, autoopen, autoclose, toolsmacro.
The virus replicates when documents are created (autonew), opened (autoopen) or closed (autoclose). Depending on the current day it erases the files on the C: disk. The virus also inserts a command that formats the hard disk into the AUTOEXEC.BAT file.

Macro.Word.Alex

Saturday, January 17th, 2009

Details
Macro.Word.Alex.c

This is an encrypted Chinese Word macro virus. It contains from three to five macros depending on the virus version: autonew, autoopen, autoclose, toolsmacro. It also contains an empty macro:
CONAIR
The virus replicates when documents are created (autonew), opened (autoopen) or closed (autoclose). Depending on the current day it erases the files on the C: disk.

Macro.Word.Alex

Saturday, January 17th, 2009

Details
Macro.Word.Alex.b

This is an encrypted Chinese Word macro virus. It contains from three to five macros depending on the virus version: autonew, autoopen, autoclose, toolsmacro. It also contains an empty macro:
UNDER
The virus replicates when documents are created (autonew), opened (autoopen) or closed (autoclose). Depending on the current day it erases the files on the C: disk.

Macro.Word.Alex

Saturday, January 17th, 2009

Details
Macro.Word.Alex.a

This is an encrypted Chinese Word macro virus. It contains from three to five macros depending on the virus version: autonew, autoopen, autoclose, toolsmacro. It also contains an empty macro:
ALEX
The virus replicates when documents are created (autonew), opened (autoopen) or closed (autoclose). Depending on the current day it erases the files on the C: disk.

Macro.Word.Aka

Saturday, January 17th, 2009

Details
Macro.Word.Akay

This is an encrypted macro virus. The virus replicates on opening files (AutoOpen). It contains four original macros that are copied into six macros during infection:
        Documents        NORMAL.DOT
Macro1  AutoExec         AutoExec
        AsliAutoExec     AsliAutoExec
Macro2  FileOpenx        FileOpen
Macro3  AutoOpen         FileOpenx
        AutoOpenx
Macro4  AntiMacrosVirus  AntiMacrosVirus

While installing itself the virus searches for 42 macros belonging to other viruses and deletes them. On each start the virus displays the MessageBox:
Created By Akay Inc.
Microsoft Anti-Virus Protection version 1.0

Macro.Word.Agen

Saturday, January 17th, 2009

Details
Macro.Word.Agent

This is a polymorphic and stealth Word macro virus. It contains one macro, “AutoOpen”, and replicates on opening documents. The virus deletes the following menu items:
Tools/Macro, Tools/Customize, File/Templates, Format/Style.

The mutation (polymorphic) engine, depending on the random counter, inserts random comments at random positions in the virus code and renames some virus variables with randomly selected names. This engine is “slow” because it runs only if, at the moment of infection, the current seconds value is 23 or 45. As a result, in 97% of cases the polymorphic engine is not executed and the “child” infector has the same code as the “parent”.
Depending on the random counter the virus posts a copy of the current document to Internet newsgroups, so the virus uses global networks to spread itself. This can also disclose confidential information, if such information is part of a document that is posted to the Internet.
To post documents to the Internet the virus executes the news client AGENT.EXE, selects one of the newsgroups (see the list below) and sends a message there. The message has one of several possible Subjects (see the list below), the body text “WM/Agent by Lord Natas” followed by randomly selected characters, and the infected document as an attachment.
The list of newsgroups is as follows:
alt.aol-sucks
alt.binaries.cracks
alt.binaries.pictures.erotica
alt.binaries.warez.ibm-pc
alt.conspiracy
alt.drugs.pot
alt.fan.hanson
alt.flame
alt.hacker
alt.sex
alt.sex.necrophilia
alt.sex.stories
alt.sex.zoophilia
alt.windows95
alt.sex.passwords
alt.binaries.warez
alt.binaries.sounds.mp3
alt.comp.virus
alt.2600
alt.2600.hackerz
alt.skinheads
alt.sex.babies
alt.sex.bondage

Subjects are:
Free XXX Passwords
Check this out!
Official WaReZ site list
Easy Money!
My first fuck by Todd
Hanson rulez!
Warez mailing list details
Crackz mailing list details
Learn to hack!
Attn: All k3wl h4ck3rz
New Virus Alert!
Serial Number List!
Official mp3 site list
Elite XXX site list
New erotic story
Important Princess Diana Info
Important Monica Lewinsky Info
How to find child pornography
Cable TV descrambler instructions!
Kewl N64 Emulator & MP3 sites
Important Info

Macro.Visio.Unstabl

Saturday, January 17th, 2009

Details
Macro.Visio.Unstable

This is the second macro virus that also has pretensions to be The Number One in the “Macro.Visio” family. This virus is more complex than Macro.Visio.Radiant: it uses encryption and special tricks to hide its body in infected files.
The virus infects Visio documents, stencils and templates upon opening an infected document. It enumerates all opened documents, stencils and templates and infects them by copying the virus body into them. To mark already infected documents, the virus writes “Visio2k.Unstable” into their description and does not infect documents that carry this mark.
To hide itself, the virus closes all opened windows in the VBA editor and disables the Visual Basic Editor’s menus and “Standard” toolbar. If a user tries to edit the macros inside an infected document, he/she sees just the empty editor main window without any menus, toolbars or child windows.
The virus has a payload that triggers on the 31st of the month and displays the message:
Visio2000.Unstable
Unstable, it’s hard to be the one who’s strong
Who’s always got a shoulder to cry on
Who’s got a shoulder for me?

The virus contains three procedures in the module “ThisDocument”: “Document_DocumentOpened()”, “Unstable()” and “ci()”. Inside infected documents the second procedure is unreadable because of encryption; the virus decrypts it only just before calling it.

Macro.Visio.Radian

Friday, January 16th, 2009

Details
Macro.Visio.Radiant

This is the first known macro virus infecting Visio documents, stencils and templates (Visio is a system for creating, editing and storing business drawings and diagrams; see http://www.visio.com). To automate data processing, Visio uses macro programs written in VBA (Visual Basic for Applications), the same language used in MS Office applications. As a result, Visio viruses are very similar to MS Office viruses and are able to infect Visio files in very similar ways.
The virus itself is rather simple. It contains one procedure that is bound to the “BeforeDocumentClose” event (it is activated upon document closing). When the virus procedure gains control, it enumerates and infects all opened documents. Because of the internal structure of Visio, the virus, while searching for documents, enumerates not only document files but also stencils and templates.
Visio stencils are similar to, for example, Word templates. These files contain library data for common use while creating and editing Visio documents, and Visio opens and processes them automatically when needed (if a document uses them). If these stencils are infected, the virus is loaded when a document accesses an infected stencil and is activated upon that stencil’s closing. At that moment the virus infects all Visio files that are open. As a result, if Visio stencils are infected, every document that is created or edited will be infected upon closing.
Because of this Visio feature, the virus can spread very quickly through Visio files.
The virus has a payload procedure: upon every launch, it creates the INDEX.HTML file in the root directory of the C: drive. This file contains the following message:
A Multitude of Suns
Orbit in Empty Space
They Speak with their light
to all that is dark.
To me they remain silent.

Greets to all the VX Community
And Radiant Angels

itsall…

Radiant

At the very end of the virus macro-code there is a short line of symbols (a comment). It seems this line is encrypted information about the virus author, but the type of cipher and the key used for encryption of the text string are unknown.

Macro.PPoint.ShapeShif

Friday, January 16th, 2009

Details
Macro.PPoint.ShapeShift

This is the second known macro virus infecting MS PowerPoint presentations. It contains five macros in one module, “ShapeShift”: actionhook, SlideIn, WackShape, RandomWackSlide, WackPresentation.
To activate its code on an event, the virus hooks MouseClick, which passes control to the virus “actionhook” macro. This macro runs the infection routine: the virus infects all active presentations, then searches for presentation files in the current directory and its subdirectories and infects them.
Depending on the system random counter the virus changes the active slide number. Also depending on the random counter, the virus displays the MessageBox:
PPT.ShapeShift v0.1 /1nternal
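
Every entry in this archive relies on the same handful of auto-execution hooks (Word’s AutoOpen/AutoClose/AutoNew/AutoExec and intercepted menu commands such as FileSave, Visio’s Document_DocumentOpened and BeforeDocumentClose, ShapeShift’s MouseClick “actionhook”), and most of them carry tell-tale payload strings (menu hiding, FORMAT C:, AUTOEXEC.BAT, REGEDIT4). The following triage script is an added example, not code from the original page or from any of the viruses it describes. It uses only the Python standard library and inspects raw file bytes; the sample inputs are constructed for the demo. It assumes that macro and module names are present either as ASCII text (macro source) or as UTF-16LE (the encoding OLE directory entries use for stream names), so even an “execute-only”/encrypted macro body still exposes its hook name through the stream name.

```python
"""Heuristic triage of Office/Visio macro containers for the auto-execution
hooks and payload strings described in the macro-virus entries above.
Added example (not from the page or the malware it documents); standard
library only; sample inputs are constructed."""
import re
from dataclasses import dataclass, field

# Hook names that appear in the entries above: Word auto macros and
# intercepted menu commands, the Visio event handlers, ShapeShift's hook.
AUTO_EXEC = [
    "AutoExec", "AutoOpen", "AutoClose", "AutoNew",
    "FileOpen", "FileSave", "FileSaveAs", "FileClose", "FileExit",
    "FilePrint", "FilePrintDefault",
    "Document_DocumentOpened", "BeforeDocumentClose",
    "actionhook",
]

# Stealth and payload strings quoted in the entries: menu hiding, disk
# formatting, DOS startup-file tampering, registry import.
INDICATORS = [
    "ToolsMacro", "ToolsCustomize", "FileTemplates",
    "FORMAT C:", "AUTOEXEC.BAT", "CONFIG.SYS", "REGEDIT4",
]

# '.' is treated as an identifier character so that the file name
# AUTOEXEC.BAT is not counted as an AutoExec macro hook.
_IDENT = rb"[a-z0-9_.]"


def _is_ident_wide(pair: bytes) -> bool:
    """True if a 2-byte UTF-16LE code unit is an identifier character."""
    return (len(pair) == 2 and pair[1] == 0
            and (chr(pair[0]).isalnum() or pair[0] in b"_."))


def has_keyword(data: bytes, keyword: str) -> bool:
    """Whole-identifier, case-insensitive search in ASCII or UTF-16LE."""
    data = data.lower()
    kw = keyword.lower()
    narrow = (rb"(?<!" + _IDENT + rb")" + re.escape(kw.encode("ascii"))
              + rb"(?!" + _IDENT + rb")")
    if re.search(narrow, data):
        return True
    wide = kw.encode("utf-16-le")
    pos = data.find(wide)
    while pos != -1:
        before = data[max(pos - 2, 0):pos]
        after = data[pos + len(wide):pos + len(wide) + 2]
        if not _is_ident_wide(before) and not _is_ident_wide(after):
            return True
        pos = data.find(wide, pos + 1)
    return False


@dataclass
class Triage:
    hooks: list = field(default_factory=list)
    indicators: list = field(default_factory=list)

    def verdict(self) -> str:
        if self.hooks and self.indicators:
            return "suspicious: auto-exec hook plus payload/stealth indicator"
        if self.hooks:
            return "review: auto-exec hook present"
        return "no auto-exec hook found"


def triage(data: bytes) -> Triage:
    """Report which hook names and indicator strings occur in a file image."""
    return Triage(
        hooks=[k for k in AUTO_EXEC if has_keyword(data, k)],
        indicators=[k for k in INDICATORS if has_keyword(data, k)],
    )


# --- constructed samples (not real malware) --------------------------------
# Fake OLE directory fragment: the NORMAL.DOT macro names a Macro.Word.Angus
# infection leaves behind, as NUL-separated UTF-16LE stream names.
SAMPLE_ANGUS_NORMAL = b"\x00\x00".join(
    n.encode("utf-16-le") for n in
    ["FileClose", "AutoOpen", "FileSave", "FileSaveAs", "FilePrint",
     "FilePrintDefault", "FileTemplates", "ToolsMacro", "FileExit", "PCGURU4"])
# WordBasic-style AutoOpen body that rewrites the DOS startup file, in the
# spirit of the Macro.Word.Andry payload (constructed, not the virus code).
SAMPLE_ANDRY_BODY = (b"Sub MAIN\n"
                     b"' AutoOpen payload\n"
                     b"Open \"C:\\AUTOEXEC.BAT\" For Output As #1\n"
                     b"Print #1, \"FORMAT C: /U /C /S /AUTOTEST > NUL\"\n"
                     b"End Sub\n")
# Benign text with near misses (substrings, not whole identifiers).
SAMPLE_CLEAN = b"Memo: use the autoopener tool, then save as usual; formatting TBD."

if __name__ == "__main__":
    for name, blob in [("angus-normal.dot", SAMPLE_ANGUS_NORMAL),
                       ("andry-body", SAMPLE_ANDRY_BODY),
                       ("clean-memo", SAMPLE_CLEAN)]:
        t = triage(blob)
        print(f"{name}: {t.verdict()} hooks={t.hooks} indicators={t.indicators}")
```

Two caveats follow directly from the entries above. Macro.Word.Angus renames its macros randomly inside infected documents, so the document copy exposes no hook names at all; only the NORMAL.DOT copy keeps FileClose, AutoOpen and the rest, which is why a scan of the global template is the more reliable place to look. And because most of these viruses are “encrypted” (execute-only) macros, the payload strings in INDICATORS are usually visible only in the decrypted body; the hook names in the stream directory are what survives, so treat a hit as a reason to pull the VBA project apart, not as a verdict.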
