Virus Database


Energy

Description Energy

"Energy" is a dangerous memory-resident boot stealth virus. It writes itself to the MBR of the hard drive and to the boot sectors of floppy disks. While infecting the hard drive, the virus stuffs the 'Y' key into the keyboard buffer to fool BIOS virus protection. The virus has bugs in its floppy disk infection routine: it infects only 1.4M floppy disks correctly and corrupts data on 360K, 720K and 1.2M disks. To run its infection and stealth routines, the virus hooks INT 8, 13h, 2Fh.
One month after infection, the virus displays the message:
INT 13h points to => xxxx:xxxx Virus detected! (c) 1997 »-» ¡Energy!
Boot anti-virus! For details & upgrades call : Tel: (401) 778.08.48

where "xxxx:xxxx" is the address of the INT 13h handler.

Macro.Word.Hot

Description Macro.Word.Hot

This is an encrypted virus. It contains the macros AutoOpen, InsertPBreak, DrawBringInFrOut and ToolsRepaginat. While infecting the system, the virus renames the ToolsRepaginat macro to FileSave, and then infects existing documents when they are saved to disk (FileSave). While infecting a document, the virus renames the FileSave macro back to ToolsRepaginat.
While infecting the system, the virus inserts the string "QLHot=nnnn" into the WINWORD6.INI file, where "nnnn" is the "triggering day": the number of the current day of this century plus 14, for example:
QLHot=35110

On the following days, the virus selects a random value from 1 to 6 and adds it to the "triggering day". If the result is equal to the current day, the virus deletes the file before saving it to disk.
Fourteen days after the "QLHot" string was last modified, the virus renews it.
The virus takes no action if the file C:\DOS\EGA5.CPI exists.
The virus does not work under Microsoft Word 7.0. When an infected document is opened, the system displays the message:
Unable to load specified library

Macro.Word.Hunter.a

Description Macro.Word.Hunter.a

These are encrypted German-specific macro viruses. They contain three macros: AutoOpen, DateiNeu and ExtrasMakro. The viruses do not use any macro-copying function to spread themselves. To infect the system, they save an infected document to the Winword startup directory with the name:
"Hunter.a": WINWORD.DOT
"Hunter.a,b": AutoStrt

The viruses then register that file as an "Add-In" template.
The viruses infect documents on the DateiNeu (FileNew) call. They create a new document, insert the infected Add-In and clean its contents. As a result, when a new file is created, the virus loads an already infected, cleaned file (template).
The ExtrasMakro (ToolsMacro) macro is used to hide the virus macros in an infected system.
Depending on the system timer, "Hunter.a,b" display the MessageBox:
<HeadHunter V3.0>
One - You lock the target
Two - You bait the line
Three - You slowly spread the net
And four - You catch the man

Depending on the system timer, "Hunter.c" inserts randomly selected strings into its macros.
The viruses contain the following commented text; the second line contains different version numbers and dates in different viruses:
********************************************************************
*** <HEADHUNTER V3.0> by Neurobasher, 17.10.1995, Germany ***
*** Boring experimental Winword virus with minor retro & stealth ***
********************************************************************
*** "I'm looking for a man who knows the rules of the game" ***
*** "Who's able to forget them to realize my aim" ***
********************************************************************

    Copyright © 2005 Virus-Database.com