Details
Macro.Word.Milicrypt

This virus contains 7 macros: ToolsMacro, Sel, FileSave, FileSaveAs, Mili, Crypt, AutoOpen. The virus contains the “copyright” string:
MiliCrypt (C) 1998 by CyberYoda [SLAM]

Infection routines are placed in Mini macro (in documents) or Crypt (in NORMAL.DOT). The virus infects the global macros area on opening an infected document. The document are infected on saving or saving with new name.
On saving documents on disk (FileSave, FileSaveAs) the virus encrypts their contents, and decrypts it on opening (AutoOpen). The encryption key is stored in AutoOpen macro description. As a result while editing the documents are not encrypted, but they have encrypted on disk - the virus realizes on-the-fly en/decryption for infected documents. After cleaning virus macros (disinfecting) documents stays encrypted and useless, so before disinfection that is necessary to save documents contents to some other non-Word-document format (text or RTF).

Related Posts

This entry was posted on Friday, June 29th, 2007 at 11:50 am and is filed under Virus Threats.