Antiwin_II, family
These are dangerous memory-resident parasitic encrypted viruses. They trace INT 21h, hook INT 9, 21h and 2Fh, and write themselves to the end of .EXE files that are executed. The viruses check the file names and do not infect several anti-virus programs and utilities, matching names against the following string (four bytes per name):
DRWEAIDSMSCAANTIAVP WEB SCANMSAVVSAFGUARADINKRNLDOSXWSWADSWAWIN3
The viruses use on-the-fly encryption/decryption by hooking INT 1 (tracing), so their code is encrypted in memory as well as in the files. The viruses have bugs and in some cases halt the computer while infecting files. In some cases the viruses change the symbols that are entered (INT 9). On the Windows initialization call (INT 2Fh, AX=1605h) the viruses, depending on the system time, display the following message and halt the computer:
Use registered copies of MS Windows
The viruses also contain the text:
Greetings from MrStrange, Kiev T.G.Shevchenko University >Antiwin<, (c) by MrStrange.
The master copy of these viruses also contains the text:
MrStrange hails you from Kiev! My first virus
Check other viruses! Be aware! Use Antiviral Software
Macro.Word.Twister
This virus does not manifest itself in any way. It contains eight macros:

NORMAL.DOT    Infected documents
FileSaveAs    twFSA
AutoExec      twAE
twAC          AutoClose
FileSave      twFS
AutoExit      twEX
twFC          FileClose
twFE          FileExit
twFQ          FileQuit

The virus infects the global macros area on FileClose, FileExit and AutoClose. The documents get infected on AutoExit, FileSave and FileSaveAs. The virus contains commented strings:
"Twister 2000" v.1 (c) Neo-Luddite Inc. For Robin Hood
Macro.Word.TWNO
These viruses contain only one macro in infected documents, AutoOpen, but while infecting the system they copy it to three macros: AutoOpen, AutoNew and AutoClose. As a result, the virus infects the system when an infected document is opened, and infects the documents that are opened, created or closed. On the 13th of any month "TWNO.a" displays and inserts into the current document messages in Chinese and:
NO.1 Macro Virus
On the 25th of any month "TWNO.b" deletes the files C:\DOS\*.*, C:\WINDOWS\*.INI, renames menus, and displays messages in Chinese and:
MERRY CHRISTMAS
On the 15th of any month this virus deletes the files: C:\COMMAND.COM, C:\AUTOEXEC.BAT, C:\CONFIG.SYS, C:\MSDOS.SYS, C:\IO.SYS
"TWNO.c", on creating a new document, inserts the text string:
A monkey has controlled your Word!!!