Macro.Word.Mente
Details
Macro.Word.Mentes
This is an encrypted Word macro virus. It contains ten macros: Killer, AutoExec, AutoOpen, DocClose, FileOpen, FileSave, AutoClose, FileSaveAs, ListMacros, ToolsMacro.
The virus replicates when an infected document is opened, saved, or saved under a new name. The replication routine is present in only one macro, Killer; the other macros call it to spread the virus. The infection subroutine in the virus is named “MENTES”.
The virus author left a way to make the virus self-destruct: if the MY.INI file exists in the Windows directory and contains the section [Word Info] with the “Kod=aaa” string inside, the virus disables its infection routine and removes all its macros.
The virus is able to “steal” documents when they are saved. To do that, the virus writes the name of the closed document, the current date and time, and the contents of the document to the C:\LOGIN.SYS file. It then connects the \\\HS_WORKH\COMMON\STUDENT\TEMP disk and moves the C:\LOGIN.SYS file to it, onto the first logical drive that is write-enabled. The name of the new file is ARCHIVE.A??, where ‘??’ is a number from “10” to “50”. This file name is also saved to the PROG.INI file on the same disk.
When the user enters the List/Macros and Tools/Macro menus in Word, the virus displays a message box and cancels execution of the original macro-viewing routines (stealth):
Macro function is not installed.
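The file artifacts described above can be checked on a mounted drive or evidence copy. The following is an added example, not part of the original description: the function names are hypothetical, the sample tree is constructed, and walking the whole tree rather than one directory is an assumption. A match is a lead for further analysis, since names such as LOGIN.SYS can also belong to unrelated software.

```python
import configparser
import re
import tempfile
from pathlib import Path

# Names come from the description above. Matching is case-insensitive because
# FAT/NTFS names are; walking the whole tree is an assumption of this example.
ARCHIVE = r"ARCHIVE\.A(?:[1-4]\d|50)"          # ARCHIVE.A10 .. ARCHIVE.A50

def find_artifacts(root):
    """Return sorted (kind, relative_path) pairs for matching files under root."""
    root, hits = Path(root), []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel, name = path.relative_to(root).as_posix(), path.name
        if re.fullmatch(ARCHIVE, name, re.IGNORECASE):
            hits.append(("archive", rel))       # moved copy of stolen documents
        elif name.upper() == "LOGIN.SYS":
            hits.append(("staging", rel))       # local collection file
        elif name.upper() == "PROG.INI":
            text = path.read_text(errors="replace")
            if re.search(ARCHIVE + r"\b", text, re.IGNORECASE):
                hits.append(("archive-log", rel))  # records the archive name
    return sorted(hits)

def kill_switch_set(windows_dir):
    """True if MY.INI in windows_dir has Kod=aaa under [Word Info]."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    for ini in Path(windows_dir).glob("*"):
        if ini.is_file() and ini.name.upper() == "MY.INI":
            try:
                cp.read_string(ini.read_text(errors="replace"))
            except configparser.Error:
                return False                    # unparseable file: treat as not set
    return any(s.lower() == "word info" and cp.get(s, "kod", fallback="") == "aaa"
               for s in cp.sections())

def build_constructed_sample(root):
    """Create a constructed directory tree standing in for a mounted drive."""
    root = Path(root)
    (root / "WINDOWS").mkdir()
    (root / "WINDOWS" / "my.ini").write_text("[Word Info]\nKod=aaa\n")
    (root / "LOGIN.SYS").write_text("constructed staging content\n")
    (root / "ARCHIVE.A17").write_text("constructed\n")
    (root / "ARCHIVE.A51").write_text("out of range, must not match\n")
    (root / "PROG.INI").write_text("ARCHIVE.A17\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        print(find_artifacts(tmp), kill_switch_set(Path(tmp) / "WINDOWS"))
```

A set kill switch explains a host where the collection files are present but the documents no longer carry the macros.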