Virus Database

Glue.4000.a

Description Glue.4000.a

It is a very dangerous memory resident multipartite virus. It writes itself to the end of .COM and .EXE files and to the MBR of the hard drive and boot sectors of floppy disks. The virus is encrypted in files. While accessing to infected disk sectors the virus calls its stealth routine.
When an infected file is executed, the virus hooks INT 21h and stays memory resident. It then infects the files that are executed or opened. Before infecting a file, the virus infects current disk (MBR in case of hard drive, or boot sector in case of floppy disk). While infecting a disk the virus overwrites the boot or MBR sector, then writes its code and original boot/MBR sector to the disk sectors that are then marked as bad ones. Reinfection of disks and files is possible. In some cases the virus corrupts the floppy disk boot sector while infecting. The virus also has other bugs and may halt the system while infecting a file.
On FindFirst/Next DOS calls the virus calls its stealth routine and shows decreased length of infected files. When BACKUP.COM or CHKDSK.COM utilities are run, the virus disables that routine.
While loading from infected disk the virus hooks INT 13h, waits for DOS loading process, then hooks INT 21h and INT 9 (keyboard). INT 9 handler contains a counter and increases it on any keystroke. When this counter reaches 10000, the virus starts to disable writing to disk (INT 13h) without any error message or return code. That will corrupt the files while writing to them.
The variants of this virus contain the text strings:
"Glue.4000.a":
COMEXEBACKUP.COMCHKDSK.COM
The Digital Glue (C) 1990,1991 by Eastern Digital
1900 Timi$oara
THE END

"Glue.4000.b":
COMEXEBACKUP.COMCHKDSK.COM
Lipici (C) 1991 by Eastern Digital
1900 Timi$oara

Check other viruses! Be aware! Use Antiviral Software

Macro.Word97.Argh

Description Macro.Word97.Argh

The virus code contains fifteen macros in one module "NewMacroses". The virus spreads on creating, opening, closing documents as well as on exiting Microsoft Word. On infecting the system the virus copies original NORMAL.DOT to user template directory with the WINDOT.DLL name, and infected NORMAL.DOT with the WININF.DLL name.
On selecting the ToolsMacro menu the virus checks the number of opened documents. If no documents are opened, the virus displays the message:
Microsoft is protecting your normal.dot from virus infection You can
only add macros to other documents

Otherwise the virus removes itself from normal template and on leaving the ToolsMacro dialog window reinfects it.
While infecting the virus with probability 2% displays the assistants balloon:
Help me
I'm not feeling very vell .. AAARGHH!!!

Macro.Word97.Attention

Description Macro.Word97.Attention

These viruses contains only one macro AutoOpen and replicate themselves on opening documents. They contain the comments:
------------------------------
!!!!Attention!!!!Attention!!!!
------------------------------
This is *NOT* a Wazzu Varient!
This Virus is called AntiFWIN!
FWIN's Heuristics do not Work!
------------------------------

Home