Virus Database

Alho.676

Description Alho.676

It is a very dangerous nonmemory resident parasitic virus. It searches for .COM files, then writes itself to the end of the file. Depending on DOS version installed, its counters and other conditions the virus erases the disk sectors. Depending on its counters the virus leaves a memory resident program that hooks INT 9 and when Alt, Ctrl or Shift key is pressed, that program displays the message:
+---------------------------+
¦ CTRL,SHIFT & ALT keys are ¦
¦ reserved for internal use ¦
+---------------------------+

The virus also contains the text strings:
*.Com
Alho

Check other viruses! Be aware! Use Antiviral Software

Macro.Word.Wazzu

Description Macro.Word.Wazzu

This virus contains only one macro autoOpen and infects files when MS Word opens them, and copies its macros to Global area (NORMAL.DOT) when MS Word opens an infected document. The virus is not encrypted and may be easily detected by scanning for text strings:
RndWorddo
wazzu do
RndWorddRgV

After infecting a document or installing into the system the virus takes a random selected word from document and moves it to random selected position. The virus repeats that up to three times depending on the random counter. Then it also depending on the random counter inserts the string "wazzu " at random selected position within document.
In detail: the virus has three subroutines in its macro:
MAIN - it is main routine and it takes control when autoOpen
macro is executed
Payload - is called by MAIN, replaces words and inserts "wazzu".
RndWord - is called by Payload, sets random selected position
within document

The virus modifies the document with the probabilities (p): replacing words - three times with p=1/5, inserting "wazzu" - p=1/4.
Wazzu-related viruses
The original "Wazzu" ("Wazzu.a") virus is one of the most widespread viruses on the world. The possible reason is that this virus was placed on the Microsoft WWW site, infected documents also were (are) distributed on several CD disks. As a result there are several dozens of related viruses, and the number of such related viruses is increasing every month. Below short descriptions are given, to name viruses CARO standard names are used (AVP does detect and disinfect majority of these viruses as "Wazzu.a").
"Wazzu.b,i" differ from original one only by included comment:
< - - - - - - here 's the payload

"Wazzu.c,t,ac" do not manifest themselves in any way - they have no Payload subroutine (RndWord subroutine presents in virus, but is never called).
"Wazzu.d,f,q,w,ad" do not have both Payload and RndWord subroutines. "Wazzu.f" is a shortest virus in the family - its code (binary data in infected file) has only 318 bytes of length.
"Wazzu.e,h" are encrypted variants of original "Wazzu". "Wazzu.h" is slightly corrupted and may halt MS Word or cause an error message.
"Wazzu.g,r" are encrypted viruses. "Wazzu.g" contains EatThis subroutine instead of original Payload. With probability 1/10 these viruses display a MessageBox with the text:
Microsoft Word
This one's for you, Bosco.

"Wazzu.k" is corrupted "Wazzu.a".
"Wazzu.l" do not have any subroutines in macro except MAIN. With probability 1/10 it appends the string " wazzu!" to the end of document.
"Wazzu.m,s" have no Payload subroutine, but call it. That will cause Word's error message.
"Wazzu.u,aa,ad" are the same as "Wazzu.a", but do not insert the "wazzu" string.
"Wazzu.x" does not contains any subroutines except MAIN. It contains the text:
The Meat Grinder virus - Thanks to Kermit the Frog,
and Kermit the Protocol

"Wazzu.y,z" are the same as "Wazzu.a", but code of these virus is slightly modified, for example all TAB (09h) symbols are replaced with 8 spaces in "Wazzu.y".

Macro.Word.White

Description Macro.Word.White

This Word macro-virus contains a different number of macros in documents and template. In documents, there are three macros with names selected from six variants: AutoOpen, AutoClose, FileTemplates, ToolsMacro, FileOpen, Einstein.
While infecting the system, the virus creates the infected NARMOL.DOT template in the Word start-up directory. In this template the virus copies four macros: Einstein, FileOpen, FileTemplates, Show.
The virus contains the comments:
Einsteinium v.1.1. (White Virus)
Solidarity M Forever
Medan 1997

Home