Virus Database

Infiltrator.304

Description Infiltrator.304

It is a harmless memory resident parasitic virus. It hooks INT 21h and writes itself to the zero area (if it is found) of .COM files that are modified (INT 21h, AH=40h). The virus contain the text string:
INFILTRATOR

Check other viruses! Be aware! Use Antiviral Software

Macro.Word97.Melissa.w (a.k.a .W97M.Pri.Q a.k.a. W

Description Macro.Word97.Melissa.w (a.k.a .W97M.Pri.Q a.k.a. W

This virus spreads as an ordinary macro-virus and at the same time, it has the ability for spreading via e-mail. The e-mail spreading routine is very similar to that which the Macro.Word97.Melissa virus uses. Each time the virus gains control, it runs an e-mail-spreading routine. This routine attempts to gain access to the MS Outlook application. If the attempt is successful, the routine creates new e-mail messages sent to the first 50 recipients from each address list in the Outlook address book. The virus messages contain:
Subject: Message From
Body: This document is very Important and you've GOT to read this !!!

The messages also contain an attached infected document.
To prevent duplicate messages being sent from the same computer, the virus creates a registry key. Each time before spreading via e-mail, the virus checks this key and if it is present, the virus does not create messages. The registry key is:
"HKCUSoftwareMicrosoftOfficeCyberNET" = "(C)1999 - Indonesia by AnomOke!"

The virus has a payload that triggers on 25 December. On this day, the virus overwrites the "C:AUTOEXEC.BAT" file by putting in commands that attempt to format the C: drive upon the next reboot. The virus then displays the following message:
(C)1999 - CyberNET
VineallVide...Vice...Moslem Power Never End...
You Dare Rise Against Me...The Human Era is Over, The CyberNET Era Has Come !!!

The payload routine also inserts up to 70 different shapes of random colors into the active document.
The virus uses a VAMP-based polymorphic engine that changes variable names in the virus code randomly.

Macro.Word97.Metamorph

Description Macro.Word97.Metamorph

It is a stealth macro virus. It contains five functions in documents in the one module "Metamorph": AutoOpen, FileTemplatesTemp, ToolsMacroTemp, ViewVBCodeTemp, AutoExecTemp. In the NORMAL.DOT the virus contains six functions in one random named module: FileSaveAs, AutoOpenTemp, FileTemplates, ToolsMacro, ViewVBCode, AutoExec. The name of this module is saved in the METAMORPH.INI file in section [Infected] in line Reponse.
The virus infects the global macros area on opening an infected document. Other documents get infection on saving with new name (FileSaveAs). The code of virus is different in documents and NORMAL.DOT - the virus modifies it while copying itself into the system. It creates new infection function FileSaveAs and stealth-functions ToolsMacro and ViewVBCode. While infecting documents the virus imports its original code from the C:METAPH.LOG which is created when the virus infects the system.
When Word starts the virus changes the names of menu items "File", "Edit", "View", "Format" with their french variants. Depending on the system date and time the virus displays the MessageBoxes:
Virus Metamorph
Attention, j'ai contaminé votre ordinateurall
Virus metamorph
Il est
L'heure de metamorph
Virus Metamorph
Au revoir...
Virus Metamorph
Poufffff!!!!!!

On displaying the last MessageBoxes the virus erases the files:
C:WindowsSystem*.*
C:WindowsCommand*.*
C:Windows*.Com
C:Dos*.*

Home