Virus Database


HongKong.4056

Description HongKong.4056

This is a relatively harmless, memory-resident, encrypted parasitic virus. It writes itself to the end of COM files (except COMMAND.COM), to the middle of EXE files and to the MBR of the hard drive. When an infected file is executed, the virus infects the MBR of the hard drive, hooks INT 13h and INT 21h (it also hooks them when loaded from an infected MBR), and then infects files as they are executed. Through the INT 13h hook the virus implements its stealth routine and blocks reads from and writes to the infected MBR sector.
When an infected file is executed, the virus checks the command line. Depending on some characteristic in this line (double-byte Chinese letter?), the virus either disinfects the MBR, or displays the following message:
HONG KONG 1997

This message is also displayed by the virus on July 1st.
The virus uses several tricks. While infecting the MBR, it fills the Disk Partition Table with data that causes MS-DOS (including DOS 7.0) to enter an endless loop while loading from a floppy disk. As a result, it is not possible to detect or disinfect this virus by loading from a non-infected floppy disk with an anti-virus or data rescue tool.
The second trick is on-the-fly encryption and decryption using Trace mode (INT 1). 90% of the virus's assembler instructions are mixed with random junk bytes; by running in trace mode, the virus skips these junk bytes.


Macro.Word97.Redter

Description Macro.Word97.Redter

This is a non-polymorphic Word virus. The virus resides in the RedTerrorist module.
It has seven subroutines:
AutoOpen
AutoClose
FuckThemAll
ToolsMacro
ToolsCustomize
ViewVBCode
Delay
The virus replicates when a document is opened or closed.
AutoOpen, AutoClose:
These procedures only call the main infection routine of the virus, which is in the FuckThemAll routine.
Delay:
This macro causes the system to pause before a message window is shown.
For i = 0 To 19170000
Next
FuckThemAll:
Main virus routine. It checks the system parameter 'Country' and, if this is 'US', runs the command shell:
"c:command.com C echo y | del " + Environ("windir") + "system*.* > nul"
After that the virus sets the following parameters:
.SaveNormalPrompt = False
.VirusProtection = False
.AllowFastSave = True
.BackgroundSave = True
The virus checks whether the 'RedTerrorist' module is present in the active document (or normal.dot), so repeated infection does not occur. If the module is not found, the virus creates an export file 'user.vxd' in the %windir%\%temp% directory and infects the document. After that the virus removes the export file 'user.vxd'.
ToolsCustomize, ToolsMacro, ViewVBCode:
These three routines are used for stealth; when executed they call the Delay routine and display Message Boxes:
ToolsMacro:
Top level process aborted, cannot continue
ToolsCustomize:
Configuration too large for memory
ViewVBCode:
Error in EXE file, program too big to fit in memory
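
As an added example (not code from this database or from the virus), the following Python sketch checks exported VBA module source for the traits listed in the Redter description above: the RedTerrorist module name, the auto macros, routines that shadow Word's ToolsMacro, ToolsCustomize and ViewVBCode commands, and the disabled SaveNormalPrompt and VirusProtection options. The function names, the verdict rule and both sample modules are assumptions constructed for illustration.

```python
import re

# Indicators taken from the Redter description above (compared lowercase).
MODULE_NAME = "redterrorist"
AUTO_MACROS = {"autoopen", "autoclose"}
SHADOWED_COMMANDS = {"toolsmacro", "toolscustomize", "viewvbcode"}
WEAKENED_OPTIONS = {"savenormalprompt", "virusprotection"}
SUB_RE = re.compile(r"^\s*(?:public\s+|private\s+)?sub\s+(\w+)", re.I | re.M)
OPTION_RE = re.compile(r"\.(\w+)\s*=\s*false\b", re.I)

def redter_indicators(module_name, source):
    """Return a sorted list of Redter traits found in one VBA module."""
    # Naive comment strip: ignores apostrophes inside string literals.
    code = "\n".join(line.split("'", 1)[0] for line in source.splitlines())
    hits = set()
    if module_name.lower() == MODULE_NAME:
        hits.add("module:" + module_name)
    for name in SUB_RE.findall(code):
        if name.lower() in AUTO_MACROS:
            hits.add("auto-macro:" + name)
        elif name.lower() in SHADOWED_COMMANDS:
            hits.add("shadowed-command:" + name)
    for option in OPTION_RE.findall(code):
        if option.lower() in WEAKENED_OPTIONS:
            hits.add("option-disabled:" + option)
    return sorted(hits)

def looks_like_redter(module_name, source):
    """Assumed verdict rule: the module name, or all three trait kinds."""
    hits = redter_indicators(module_name, source)
    kinds = {h.split(":", 1)[0] for h in hits}
    return "module" in kinds or {"auto-macro", "shadowed-command",
                                 "option-disabled"} <= kinds

# Constructed samples: routine bodies are omitted, only the traits remain.
SUSPECT = """Sub AutoOpen()
End Sub
Private Sub ToolsMacro()
End Sub
Sub Settings()
    Options.SaveNormalPrompt = False
    Options.VirusProtection = False
End Sub
"""
BENIGN = """Sub AutoOpen()
    ' Options.VirusProtection = False
    ActiveDocument.Fields.Update
End Sub
"""
```

An AutoOpen macro on its own is not flagged; the verdict needs the module name or the combination of auto macro, shadowed command and weakened option.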

Macro.Word97.Reformasi

Description Macro.Word97.Reformasi

This is a stealth macro virus. It infects the global macros area (the NORMAL.DOT template) when an infected document is opened. Other documents are infected when they are opened, closed or saved. While infecting a document, the virus adds an AutoCorrect entry to the document that replaces the text "yond" with a space character.
Before saving victim documents, the virus sets the hidden property on the entire text of the document, and it clears this property when the document is opened. As a result, in disinfected documents the whole text will be invisible. One way to solve this problem is to check the "View/Formatting marks/Hidden text [v]" checkbox in the "Tools/Options" dialog box. Another way to make the text visible is to choose "Edit/Select All" from the menu and then, in the "Format/Font" dialog box, uncheck the "Effects/Hidden [ ]" checkbox.
To hide itself, the virus disables the keys Alt+F11 and Alt+F8, and blocks opening of the Visual Basic Editor and the ToolsMacro and Organizer dialogue boxes.
The virus displays a non-standard dialogue when "Help/About Microsoft Word" is clicked.
The virus displays two other dialogs when the "File/Exit" menu item is chosen, if the day of the week is Friday.

    Copyright © 2005 Virus-Database.com