Virus Database

I-Worm.Pikachu

Description I-Worm.Pikachu

This worm spreads via the Internet using Microsoft Outlook and spreads in e-mail letters with the attached file "PikachuPokemon.exe". The worm itself is a Win32 EXE file written in Visual Basic 6.0, file size is about 32K.
When the worm runs, first of all it overwrites the original C:AUTOEXEC.BAT file with instructions that will delete all files in the Windows and Windows system directory.
Then it searches the address book of Microsoft Outlook and creates, in the Outbox folder, letters for each e-mail address:
Subject:
Pikachu Pokemon.
Text:
Great Friend!

Pikachu from Pokemon Theme have some friendly
words to say.

Visit Pikachu at http://www.pikachu.com
See you.
And to each letter, the worm attaches itself as the file PikachuPokemon.exe.

Check other viruses! Be aware! Use Antiviral Software

Macro.Word.Printer

Description Macro.Word.Printer

This is an encrypted Word macro virus. It contains 5 macros in documents and 10 in NORMAL.DOT:
Documents NORMAL.DOT
LPT1 FileOpen, LPT1
LPT2 FilePrint, LPT2
Canon FileSaveAs, Canon
Epson Epson, FileTemplates, ToolsMacro
AutoOpen AutoOpen

The virus infects the global macros area (NORMAL.DOT) on opening an infected document (AutoOpen) and writes itself to documents that are saved with new name (FileSaveAs).
On entering the Tools/Macro the virus displays the MessageBox:
Weeee Weeee

On printing documents the virus writes to the status line the message and draws it to right:
Know what Dwira Oktorianto is, before it is too late

Macro.Word.Prizm

Description Macro.Word.Prizm

This is an encrypted Word macro-virus. It contains nine macros: PRiZM, AutoExec, AutoOpen, FileOpen, FileSave, FilePrint, FileSaveAs, ToolsMacro, and FileTemplates.
It is based on the "Word.Cap" virus, has a similar structure and instructions set. It replicates upon document opening, closing, and saving.
While printing, the virus appends a string to the end of the document that is printed:
Battle of life. Capital!!!

The virus has an unusual method of infection. While infecting, the virus performs several steps, uses the system registry, and drops an additional EXE file. The infection routine is placed in the virus' code as a set of text strings that are DDE (Dynamic Data Exchange) instructions. If needed, the virus executes them, and these instructions copy the virus' code to target the documents and templates.
To execute its DDE instructions, the virus saves them to the system registry in the "HKEY_CLASSES_ROOT###fileshellopenddeexec". The virus then registers a new extension "###", and sets DDEEXEC as a handler of files with such an extension.
The virus then creates a randomly named EXE file in the Windows temporary directory, and writes a short program into it. This program only creates and opens the "PRiZM.###" file. This file-name extension is linked with DDEEXEC, and as a result, Windows activates the virus, DDE instructions, executes them and they copy the virus code to a victim file.

Home