Virus Database

Helloween.257

Description Helloween.257

These are relatively harmless memory resident parasitic viruses. They hook INT 21h, and write themselves to the end of COM and EXE files that are executed. They contain a encrypted string that contains file-name parts (4 letters per name), and the viruses do not infect these files (SCAN*.*, SHIE*.*, TRAP*.* and so on):
SCANSHIETRAPVIRUVCOPASTAALIKAZORREX.MANDUEXEUCOMVIRTCLEATSAFNAV.INI.BOOT3P.E

On November 1st, "Helloween.1376, 1384, and 1447" decrypt and display the following message:
Nesedte porad u pocitace a zkuste jednou delat neco rozumneho!
*******************
!! Poslouchejte HELLOWEEN - nejlepsi metalovou skupinu !!

"Halloween.1182" hooks INT 8, 13h, and 21h, and emulates the disk read/write error: it returns a carry processor flag upon disk access.
On February 27th, "Helloween.1376b" displays the following message:
Zdravim uzivatele pocitacu hlavne vsechny LENKY a nejvic tu nasi!
Preji ti vsechno nejlepsi k tvemu svatku ahoj P.

On 10th and 20th "Helloween.1888" displays:
Virus napsany specialne pro inzenyra ZAKA ze SPS
*******************
Nepodlehejte panice, mate nakazeno jen par souboruall
(c) 1993 II.A 1988
Tak a ted si vyzkousime treba: RESET
Kdyby kazdy nespokojeny student napsal virus, tak v nasich skolach by
ani jiny software nekoloval a McAfee by se divil...

On the 5th and 24th of the month, "Helloween.2470" displays:
_ _ _
_ _ -m
__________ ____ __ __ ------- zdrojovy
__ __ __ __ __ ƒ ƒ ƒ text:
__ __ __ ____ ------- 867 radku
__ ________ __ __
__________ __ __ __ __ & spol.
(c) 1993 II.A 1988
Specialne pro ucitele SPS Prostejov:
Ing. M. Zaka, Ing. J. Melku, Ing. P. Cizka, Ing. K. Kabrhela
Ing. M. Blahu, Ing. M. Pavlovskeho a dalsi vyucujici.
Specialni podekovani patri:
Macrosoftu (sorry Microsoftu) za MeSsy DOS
Borlandu za TASM, TLINK, TD
Zdenku Breitenbacherovi za EDDIE 1.17

"Helloween.1377" "shifts" the screen.
"Helloween.1839" checks the current date and tries to decrypt and display a message, but the virus has the bug and never displays it:
Virus napsany specialne pro inzenyra ZAKA ze SPS
*******************
Nepodlehejte panice, mate nakazeno jen par souboru...
(c) 1993 II.A 1988
Tak a ted si vyzkousime treba: RESET
Kdyby kazdy nespokojeny student napsal virus, tak v nasich skolach by
ani jiny software nekoloval a McAfee by se divil...

Check other viruses! Be aware! Use Antiviral Software

Macro.Word97.Attention

Description Macro.Word97.Attention

These viruses contains only one macro AutoOpen and replicate themselves on opening documents. They contain the comments:
------------------------------
!!!!Attention!!!!Attention!!!!
------------------------------
This is *NOT* a Wazzu Varient!
This Virus is called AntiFWIN!
FWIN's Heuristics do not Work!
------------------------------

Macro.Word97.ATU family

Description Macro.Word97.ATU family

The viruses of this family use an uncommon way of spreading. Instead of copying their macro program to the macro area in victim documents, they just write to documents a reference to a template (attached template) which contains virus macros. MS Word97 when opening a such document detects the reference to the attached template, opens it and executes its macros. The virus macro gets control and runs infected procedure. As a result the infected documents have no macro code, but on their opening the virus macro code is loaded by Word97 and executed.
In the known versions of this virus the reference to attached template points to a file on a remote Internet site (virus-writers Web site). As a result, MS Word97 on opening an affected document downloads and processes the template that is placed in the Internet zone. Because of that virus author(s) are able to "upgrade" virus code by replacing the template on their Web site.
This way of spreading allows the virus to bypass the anti-virus protection (VirusWarning) in old versions of MS Word97. These Word97 versions have a security breach: the anti-virus protection is not activated by Word97 to scan attached templates for macro code. This bug in MS Word97 was fixed in the beginning of 1999.
"ATU.b": this virus version does not copy entire code from the template to global macros area, but only the code necessary to infects documents.
The viruses contain the comments:
"ATU.a":

<!--1nternal-->
Active Template Update

"ATU.b":

<!--1nternal-->
Active Template Update v0.2 /1nternal

Home