Janka.1336
Description Janka.1336
This is a very dangerous memory-resident, encrypted, parasitic virus. It hooks INT 21h and writes itself to the end of COM and EXE files when they are executed. The virus does not infect files whose names contain the substrings: WEB, AVP, EST, AND
On the 24th of any month the virus destroys data on the first hard drive. The virus contains the text string: [Janka [1.05D], 1998]
Macro.Word97.Story
Description Macro.Word97.Story
This macro virus contains one macro that has different auto-names in infected documents ("Document_Open") and in the global macros area (NORMAL.DOT - "Document_Close"). As a result, the virus activates upon document opening and closing. It infects the global macros area when an infected document is opened, and spreads to other documents when they are closed. While infecting, the virus also disables the Word macro virus protection (Virus Warning) and the Word menus: "Tools/Macro", "Tools/Customizeall", "View/Toolbars", "View/Status Bar". The virus code contains a comment line that it uses to distinguish infected documents from uninfected ones. This text appears as follows: Jack-In-The-Box
The virus has worm ability and spreads its copy via IRC channels. To do this, the virus-worm looks for the mIRC client installed in a system, and creates a new SCRIPT.INI file there. The virus looks for the mIRC client in only one directory, C:\MIRC, and fails to infect mIRC when it is installed in any other directory. While infecting the mIRC client, the virus also disables its security warning messages.
To spread itself via IRC channels, the virus sends the infected document C:\WINDOWS\STORY.DOC, which it creates when it infects a system. The virus simply saves the current (infected) document there. The virus' script file contains a set of mIRC commands (about 4.5Kb of mIRC instructions) that perform many functions, including spreading via channels, displaying messages, sending spam messages and hiding itself.
The virus sends its copy (the STORY.DOC document) in three instances:
Instance 1. Upon receiving any file from any person via IRC, the virus script immediately sends back the infected STORY.DOC file.
Instance 2. The virus uses mIRC's notify list. The notification list in the mIRC client contains a list of nicks, and when any of these nicks appears on the net, the current client is informed of this (receives notification). When an affected mIRC client is notified about such a person, the virus performs the following: removes this nick from the notification list; ignores all messages from this nick; and in 5 seconds, sends a message, which in turn is followed 15 seconds later by a copy of the virus (infected Word document - C:\WINDOWS\STORY.DOC). The message that is sent to the nick appears as follows: Hey, I can't talk right now but I wanted to send you this file. It has a funny story you should read, and also has macros inside that protect you from a lot of viruses. Just open the document, enable the macros, and if you are infected it will get rid of the virus
Instance 3. Upon receiving the "Invite" command from any nick, the virus script, within 10 seconds, joins this channel and then sends the message to this person followed by the same infected STORY.DOC file: Thanks for the invite I'm a little busy so I can't talk much now. I thought you might want to look at this file I got. It has a funny story and also has macros in it which get rid of any macro viruses. Just enable the macros when the prompt comes up and it will scan for any viruses and clean them.
The virus also seems to inform its author about its activity. Upon connecting to the mIRC server, the virus adds a "SimpleSmn" nick to the notification list, so the affected mIRC client is notified if such a nick appears in the IRC net. When that happens, the virus sends this person the message "I'm on irc.", so the virus informs its author about infected computers online. Upon a "Notice" command from the "Simplicity" nick, the virus opens the C: drive on the infected computer as a file server (with full access), so the virus has Backdoor ability.
Upon connecting to an IRC server, the virus hides its script and restores it upon disconnecting: upon connecting, it copies SCRIPT.INI from the C:\MIRC directory to the C:\WINDOWS\SCRIPT1.INI file, reloads it into the mIRC client, and then erases the C:\MIRC\SCRIPT.INI contents. Upon disconnecting, the virus copies C:\WINDOWS\SCRIPT1.INI back to C:\MIRC\SCRIPT.INI and erases the C:\WINDOWS\SCRIPT1.INI file.
If the affected client enters a channel that has the "help" or "nohack" sub-strings in the channel name, the virus script immediately exits this channel. The virus ignores all messages from any user on a channel who sends a message that has any of the following strings: script worm virus infect Jack Box macro Story.doc
If an infected client enters a custom IRC command "/BY" (added by script), the virus displays the text: Mirc Worm Jack-In-The-Box By SimpleSimon
If the text is "Hi", "!", "Hey", or "Hello", the virus opens one of the following anti-virus and other Internet addresses that have a mail server with open public relay ability: mirc.com, georgecarlin.com, carrottop.com, anvdesign.net, symantec.com, drsolomon.com, www.bocklabs.wisc.edu, ebay.com
and checks whether the SendMail system is allowed there. If it is available, the virus uses this e-mail server to send spam messages with the following fields:
mail from: Addr1@Addr2.com
rcpt to: Addr3
to: Addr3
from: Addr1@Addr2.com
Subject: RndText
Message body: Jack-In-The-Box Has Popped Up Again!
where Addr1 and Addr2 are randomly generated text strings of up to eight letters, RndText is randomly generated text of up to 50 symbols, and Addr3 is randomly selected from the list: evrt@avp.com, samples@datafellows.com, virus_research@nai.com, tech_support@nai.com
Macro.Word97.SuperIIs
Description Macro.Word97.SuperIIs
This virus contains five macros in the module "Modul1": AutoOpen (in documents) or AutoClose (in NORMAL.DOT), ViewVbCode, ToolsMacro, Flitnic. The virus infects the global macros area on opening an infected document (AutoOpen), and copies itself to other documents on closing (AutoClose). While infecting, the virus exports/imports its code via the FLITNIC.DRV file that is created in the Windows system directory. The virus detects already infected files by the text "'MYNAME=SUPERIISV1.0" that is present in the virus code.
This is a stealth virus. When macro code is viewed using the ViewVbCode function, the virus copies the infected NORMAL.DOT to the Windows system directory under the name LO.SYS, then creates and runs the DOS batch file LO.BAT, which monitors in a loop for the presence of the temporary Word file, i.e., waits for the end of editing. This batch file then copies the infected LO.SYS file back to NORMAL.DOT. As a result, the virus is able "to survive" forever even if its code is removed from the global macros area.
The virus contains the comments: First ever used this kind of Stealth Written by Flitnic. I haven't yet included a payload!
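A defensive sweep for the file names and marker strings given in the Macro.Word97.Story and Macro.Word97.SuperIIs descriptions above, as an added example that is not part of the original descriptions. It assumes a mounted copy of the suspect drive; `scan_tree`, `build_sample` and the sample tree (including the WINDOWS/SYSTEM location) are constructed for illustration, and macro source stored compressed inside .DOC/.DOT files can escape a raw byte search.

```python
from pathlib import Path

# File names and marker strings come from the descriptions above; matching by
# path suffix under a mounted copy of the drive is this example's assumption.
PATH_IOCS = {
    "windows/story.doc": "Macro.Word97.Story",
    "windows/script1.ini": "Macro.Word97.Story",
    "flitnic.drv": "Macro.Word97.SuperIIs",
    "lo.sys": "Macro.Word97.SuperIIs",
    "lo.bat": "Macro.Word97.SuperIIs",
}
TEXT_IOCS = {
    b"jack-in-the-box": "Macro.Word97.Story",
    b"simplesmn": "Macro.Word97.Story",
    b"'myname=superiisv1.0": "Macro.Word97.SuperIIs",
}

def scan_tree(root):
    """Return sorted (family, relative_path, reason) findings under root."""
    findings = set()
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        low = "/" + rel.lower()  # DOS/Windows names are case-insensitive
        findings.update((fam, rel, "artifact file name")
                        for suf, fam in PATH_IOCS.items() if low.endswith("/" + suf))
        try:
            with path.open("rb") as fh:
                data = fh.read(1 << 20).lower()  # search the first 1 MiB only
        except OSError:
            continue  # unreadable file: skip it, do not abort the sweep
        for marker, family in TEXT_IOCS.items():
            if marker in data:
                findings.add((family, rel, "marker " + marker.decode()))
    return sorted(findings)

def build_sample(root):
    """Constructed tree of harmless text files that only mimic names and strings."""
    samples = {
        "MIRC/SCRIPT.INI": b"",  # emptied while the client is connected
        "WINDOWS/SCRIPT1.INI": b"; constructed line: Jack-In-The-Box\n",
        "WINDOWS/SYSTEM/FLITNIC.DRV": b"'MYNAME=SUPERIISV1.0\n",
        "WINDOWS/WIN.INI": b"[windows]\n",  # clean control file
    }
    for rel, body in samples.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(body)
```

The sample models the connected state described for Story, where C:\MIRC\SCRIPT.INI is empty and the script sits in C:\WINDOWS\SCRIPT1.INI, so a check limited to the mIRC directory would report nothing.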