Prevent Online Threats

Archive for the 'Virus Threats' Category

Macro.Word.Baluad

Wednesday, January 21st, 2009

Details
Macro.Word.Baluade

This is an encrypted macro virus. It contains two macros: AutoOpen and ReadMe. It infects the global macros area when an infected document is opened (AutoOpen). The ReadMe macro is copied to NORMAL.DOT under the new name DateiSpeichern. The virus sets two passwords: “SSichliebeDich” and “SSICHLIEBEDICH”.

Macro.Word.Balrog

Wednesday, January 21st, 2009

Details
Macro.Word.Balrog.a

This is an encrypted macro virus. It contains only one macro, “AutoClose”, and infects the global macros area and documents on the File/Close call. This is a Spanish-specific macro virus: it works only under the Spanish version of Word. Under other versions it overwrites the C:\COMMAND.COM file with a copy of the current document.
Depending on a random counter, it appends text to the end of the current document:
P.S.: You are a very stupid people.
P.S.: I hate you a lot.
P.S.: I wish your death.
P.S.: All the things I told you are lies.
P.S.: Call me if you need sex.

Macro.Word.BadBoy

Wednesday, January 21st, 2009

Details
Macro.Word.BadBoy.a

This is an encrypted virus. It contains five macros: AutoOpen, FileSaveAs, BadBoy, AutoExec, FileNew. The virus infects the system on AutoOpen and writes itself to files on FileSaveAs.
While infecting a document, the virus also sets new FileSummaryInfo values:
Author = “Kenny-G sux”
Keywords = “Gangsta Rappa”
Comments = “The Mutha mix”

On AutoOpen, if the system is already infected and the current day is the 1st or 13th, the virus displays the following message boxes:
Mack daddy
Bad Boy, Bad Boy, What u gonna do
the Gangsta Rappa
What u gonna do when they come for you
BMF
The Gangsta owns you !
BMF
Have a happy new year !

Then it sets the password for the current document: “gangsta”.
To hide itself in the system, the virus removes the menus Tools/Macro, Tools/Customize and File/Templates on FileNew, AutoExec and AutoOpen.

Macro.Word.Azrael

Wednesday, January 21st, 2009

Details
Macro.Word.Azrael.a

This macro-virus contains one macro “auto-open” and spreads upon document opening. On the 23rd of any month, it deletes all files with a .DLL extension in the C:\WINDOWS\SYSTEM\ directory, and displays the following message:
Azrael cleaned your system directory !!!

On the 23rd, the “Azrael.b” virus deletes all .DLL files in the E:\TEMP\1 directory and does not display any message.

Macro.Word.Attca

Tuesday, January 20th, 2009

Details
Macro.Word.Attcah

This virus contains two macros: AutoOpen, FileClose. It infects the global macros area on opening an infected document (AutoOpen) and infects documents on closing (FileClose). The virus deletes the Word.Macro.Concept virus macros. The virus contains the text:
Attcah the antivirus to the file

Macro.Word.Attac

Tuesday, January 20th, 2009

Details
Macro.Word.Attack

This is an encrypted macro virus. It contains eight macros: Attack, AutoOpen, FileSaveAs, FileOpen, InActive, Active, ToolsMacro, Organizer. It infects the global macros area on the AutoOpen call and writes itself to documents on the FileOpen and FileSaveAs calls.
To hide its code, the virus disables the ToolsMacro and Organizer menus. Depending on the system random counter, the virus either sets the Hidden attribute for the current file or inserts the following strings into the document:
This is The Microsoft Bang! ** Virus** —

Macro.Word.Ato

Tuesday, January 20th, 2009

Details
Macro.Word.Atom

These viruses contain four macros: Atom, AutoOpen, FileOpen, FileSaveAs. They infect Word while loading an infected document (AutoOpen).
The viruses infect files in two ways: while opening a file (command File/Open, macro FileOpen), and while saving a document under a new name (command File/SaveAs, macro FileSaveAs).
When infecting a document that is being saved under a new name (FileSaveAs), the virus checks the system time. If the value of seconds is equal to 13, the virus sets the password ATOM#1 for this document. The virus cannot set the password if the file is already infected; in that case Word displays the WordBasic error message.
While opening an infected document on the 13th of December, the virus deletes all files in the current directory. It seems that the system has to display the error message while deleting opened files.
“Atom.a”-related macro viruses differ from “Atom.a” only in the placement of their WordBasic text strings in the virus source code. “Atom.g” is “Atom.a” translated to German; it contains the macros Atom, AutoOpen, DateiÖffnen, DateiSpeichernUnter.

Macro.Word.Asl

Tuesday, January 20th, 2009

Details
Macro.Word.Asli

This is an encrypted macro virus. It contains six macros:

Documents                  NORMAL.DOT
AutoExec, AsliAutoExec     AsliAutoExec, AutoExec
FileOpenx                  FileOpen
AutoOpen, AutoOpenx        FileOpenx
AsliAutoExec               AsliAutoExec
AntiMacrosVirus            AntiMacrosVirus

It infects the global macros area on AutoOpen; documents are infected on FileOpen.
The virus erases macros with names from the following list (total 42 names):
FileOpen, AutoOpen, FileClose, AutoClose, FileNew, AutoNew, FileSave,
AutoSave, FileSaveAs, FileTemplates, FilePrint, AutoExec, ListMacros,
Organizer, Nobita, Doraemon, SonGoku, DragonBall, ToolsMacro, ViewToolbars,
InsertObject, InsertPicture, InsertSymbols, ToolsCustomize, Delete, Hapus,
Show, Gfxx, TableFormula, Anti, Airwolf, KnightRider, RoboCop, Nsr,
Tiger2000, Rxz, Rumus, Salin, User, PhilarUndip, AirWolf, DragonBall,
CrazyVirus.

Macro.Word.Armadillo

Tuesday, January 20th, 2009

Details
Macro.Word.Armadillon

This is an encrypted macro-virus. It contains four macros: Autoexec, FileSaveAs, AutoOpen, and ToolsMacro. Upon AutoExec and AutoOpen calls, the virus infects the global macros area. Upon FileSaveAs, the virus writes itself to documents. On Tuesday, the virus displays the MessageBox:
Liven up Monday with an Armadillon!

Upon accessing the Tools/Macro menu, the virus inserts 10,000 strings into the current document:
Armadillon Macro?

Macro.Word.Archi

Tuesday, January 20th, 2009

Details
Macro.Word.Archie

This macro virus contains five macros: Archie, AutoOpen, AutoExec, AutoNew, AutoClose. It infects the global macros area and documents on the auto-functions listed above. “Archie” is the virus-ID macro; it contains the text remark:
A Virus from Nightmare Joker’s Demolition Kit!
Translated into English by Dark Night (VBB)

Macro.Word.Archfien

Monday, January 19th, 2009

Details
Macro.Word.Archfiend

This Word macro virus contains six macros: AutoExec, AutoOpen, FileOpen, ArchFiend, FileSaveAs, ToolsMacro (stealth). The virus infects the global macros area (NORMAL.DOT) on opening an infected document (AutoOpen) and writes itself to documents that are saved under a new name (FileSaveAs).
On the 5th of any month, on a Macintosh the virus erases all files and displays the MessageBox:
ArchFiend

On a PC it erases BMP files in the Windows directory (C:\WINDOWS\*.BMP) and creates the FIEND.TXT file there, containing the text:
##################
## WM.ArchFiend ##
##################
Nrsi:lshoi:m{{i:mhsnn t:st:St~ut is{{;
XOR by 1ah
Your Unlucky Number is: < ½ á ¡«Ñ ¿ ½«>

While saving a document under a new name, if the seconds value of the current time is 13, the virus sets a randomly selected password for the document. On entering the Tools/Macro menu, the virus writes the following command to the C:\AUTOEXEC.BAT file:
echo BLOW ME!

Macro.Word.Appder

Monday, January 19th, 2009

Details
Macro.Word.Appder.a

This Word macro virus contains two original macros, but while infecting documents it copies them to three macros:

NORMAL.DOT      Infected files
Appder      ->  Appder, AutoOpen
AutoClose   ->  AutoClose

The virus infects the global macros area on AutoOpen and writes itself to documents on AutoClose. It also creates the “NTTHNTA=value” line in the “[Microsoft Word]” section of the WINWORD6.INI file and increases this value each time it infects a document. When this value reaches 20, the virus deletes the files:
C:\DOC\*.EXE
C:\DOC\*.COM
C:\WINDOWS\*.EXE
C:\WINDOWS\SYSTEM\*.TTF
C:\WINDOWS\SYSTEM\*.FOT

Macro.Word.Apparitio

Monday, January 19th, 2009

Details
Macro.Word.Apparition

This is quite a primitive virus. It is dropped by the Windows EXE virus “Win.Apparition”. It contains three macros: WWUpdated, AutoOp (AutoOpen), FileOpen.
WWUpdated is the virus ID-macro. The virus detects its presence in the system by using this name. The macro AutoOp (AutoOpen in NORMAL.DOT) installs the virus macros into the system on opening an infected file. The macro FileOpen infects files on opening.
The virus contains the following text strings, but does not use them in any way:
Presence of AVP for winword
AVP for Winword is a nice tutorial
(C) 2 Rats Soft.
this macro loaded in normal template as FileOpen
AVPcopyright$ AVP for WinWord v1.0
sQuestion$ Would you like to

Macro.Word.Antiav

Monday, January 19th, 2009

Details
Macro.Word.Antiavs

This is an encrypted Chinese Word macro virus. It contains nine macros: AutoExec, AAV, AutoOpen, AutoNew, FileSaveAs, ZlockMacro, FileTemplates, ToolsMacro, Organizer.
The virus infects the global macros area on opening an infected document (AutoOpen) and writes itself to documents that are saved with a new name (FileSaveAs).
On entering the File/Template menu (FileTemplate), the virus sets the password “AntiAVs” for the current document and displays the MessageBox:
WordBasic Err = 16
Not enough memory!

On entering the Tools/Macro menu (ToolsMacro), the virus erases all text within the current document and appends to the AUTOEXEC.BAT file commands that erase the PC-CILLIN anti-virus files:
echo off
attrib -h -r -s +a c:\pc-cil~1\*.* >nul
del c:\pc-cil~1\*.dll >nul

The virus then erases the anti-virus files:
C:\PC-Cillin 95\Lpt$vpn.*
C:\PC-Cillin 97\Lpt$vpn.*
C:\Tsc\PC-Cillin 97\Lpt$vpn.*
C:\Zlockav\Gsav.cas
C:\VB7\Virus.txt
C:\Program Files\Norton AntiVirus\Viruscan.dat
C:\Program Files\Symantec\Symevnt.386
C:\Program Files\McAfee\VirusScan95\Scan.dat
C:\Program Files\McAfee\VirusScan95\Mcscan32.dll
C:\Program Files\McAfee\VirusScan\Scan.dat
C:\Program Files\McAfee\VirusScan\Mcscan32.dll
C:\Program Files\Command Software\F-PROT95\Sign.def
C:\Program Files\Command Software\F-PROT95\Dvp.vxd
C:\Program Files\AntiViral Toolkit Pro\Avp32.exe
C:\Program Files\AntiViral Toolkit Pro\*.avc
C:\Tbavw95\Tbavw95.vxd

Depending on the system random counter, the virus writes the following text to the AUTOEXEC.BAT file:
@Echo off
cls
echo I have clean a huge virus:
echo MS-WINDOWS
echo for you. ^_^
echo –AntiAVs–
echo y|format c: /u /v:AAV >nul
deltree /y c: >nul

Macro.Word.Anti-IV

Monday, January 19th, 2009

Details
Macro.Word.Anti-IVX

This is a semi-polymorphic macro virus that is not dangerous. In infected documents it contains one macro, AutoOpen, which infects the global macros area while opening an infected document. In an infected NORMAL.DOT it contains two macros. The first macro is a copy of the AutoOpen macro and has a randomly selected name. The second macro has the name FileSaveAs and infects documents that are saved under a new name.
The virus is semi-polymorphic: while copying its AutoOpen macro, it renames its internal values to other names and generates a random name for the copy of the AutoOpen macro. While creating the FileSaveAs macro, the virus inserts commands that are selected from several variants and inserts randomly selected comments.
While infecting the global macros area, the virus creates the IVX.NOT file in the directory of the host file and writes the following text to it:
IVX detects all macro viruses, past, present, and future.

It adds a command to the C:\AUTOEXEC.BAT file that clears the Read-Only attribute of the NORMAL.DOT file:
@ATTRIB -R WordDirectory\NORMAL.DOT > NUL

