Virus Database


HLLP.Tomsk.8506

Description HLLP.Tomsk.8506

This is a relatively harmless, non-memory resident parasitic virus written in Pascal. It searches for EXE files in all directories on the current drive, then writes itself to the beginning of the file. To return control to the host program, the virus temporarily disinfects and executes the host file.
The virus also checks whether the current drive is write-protected. If it is, the virus displays the following message:
Runtime Error: Disk fool or write protect

and terminates.
On October 20th, the virus displays a message in Russian and waits for a keystroke.
If the command line contains the /? argument, the virus displays its "About" message:
ã====================================-
ƒ Virus 3.14Zdec V 2.0 ƒ
ƒ------------------------------------ƒ
ƒ Target *.EXE ƒ
ƒ Stealth No ƒ
ƒ TSR No ƒ
ƒ Attac speed Slow ƒ
ƒ Danger 0 ƒ
ƒ Effects Yes ƒ
ƒ Length KingSize= ƒ
ƒ Language Turbo Pascal ƒ
ƒ OS Dos, Windows ƒ
ƒRussia, Tomsk, 20/11/1999 ƒ
L====================================-


Macro.Word97.Nail.a

Description Macro.Word97.Nail.a

This macro virus spreads copies of itself by e-mail. While replicating, it sends the opened (infected) document to everyone in the user's address book. It also sends a message to "chainnail@hotmail.com" that contains all addresses from the user's address book and a randomly selected message from the Inbox.
While infecting, the virus does not copy its code into documents or templates; instead it writes a reference to the AUTO.DOT template into victim files (an attached template, see "Macro.Word97.ATU"). When Word opens such a document, it looks for attached templates and loads them. The virus's AUTO.DOT template is stored on a hacker's Internet Web site, and as a result the virus author can "upgrade" the main virus code at any time.
The virus code contains the comments:

Automated Chain Mail v0.1

Macro.Word97.Natas

Description Macro.Word97.Natas

This is a polymorphic, stealth macro virus. It contains six macros in one module, "Chaos": AutoOpen, FileNewDefault, FileNew, ToolsMacro, FileTemplates, ViewVBCode, FormatStyle.
The virus infects the system when an infected document is opened. Infection does not modify the NORMAL.DOT file - the virus saves the infected file in the Startup path and in the C:\WINDOWS\SHELLNEW\WINWORD8.DOC directory. Documents are infected only when they are created.
The virus's polymorphic engine inserts comments ("Rem " or "'") at random places in the virus code. The virus disables macro code viewing (stealth) by means of the dummy macros ToolsMacro, FileTemplates, ViewVBCode.
The virus contains the comments:
W97M/Chaos by Lord Natas
2/12/98 (its about time I released it!)
"Without the threat of death there's no reason to live at all"
-Marilyn Manson

    Copyright © 2005 Virus-Database.com