Virus Database

Lemming.2029

Description Lemming.2029

These are not dangerous memory resident parasitic encrypted stealth viruses. They trace and hook INT 21h and write themselves to the end of COM and EXE files that are executed or closed. When an infected file is opened, these viruses disinfect it. These viruses check the file name and do not infect several anti-virus programs according to the string:
TBAVTBSCANNAVVSAFEFPROT

They search for ThunderByte anti-virus in memory and hack it. While executing some anti-virus programs these viruses hook INT 1Ch and check the flow of these programs.
They also contain the text strings:
TBDRV
You Will Never Trust Anti-Virus Software Again!!
COMcomEXEexe
Packed file is corrupt

and:
"Lemming.2144": ThunderByte-1994-Australia. ver 1.0
[HiTMaN]
"Lemming.2151,2160":
The Rise and Fall of ThunderByte-1994-Australia.
[LEMMING] ver .99ß

"Lemming.2247" contains the strings:
Choise virus ver 1.0 !!!!!!!!!!!!!!!!!!!!!!!!!!!
(c) Copyright 1996 by Gurre in Moscowall
DRWEBAVPAIDSTESTVSAFEFPROT
COMcomEXEexe

Check other viruses! Be aware! Use Antiviral Software

Macro.Word97.SuperIIs

Description Macro.Word97.SuperIIs

This virus contains five macros in the module "Modul1": AutoOpen (in documents) or AutoClose (in NORMAL.DOT), ViewVbCode, ToolsMacro, Flitnic. The virus infects the global macros area on opening an infected document (AutoOpen), and copies itself to other documents on closing (AutoClose).
While infecting, the virus exports/imports its code via the FLITNIC.DRV file that is created in the Windows system directory. The virus detects already infected files by the text "'MYNAME=SUPERIISV1.0" that presents in virus code.
This is the stealth virus. On viewing macro code by using the ViewVbCode function, the virus copies the infected NORMAL.DOT to the Windows system directory with the LO.SYS name, creates and runs the DOS batch file LO.BAT that in loop monitors presence of temporary Word file, i.e., waits for the end of editing. This batch file then copies an infected LO.SYS file back to the NORMAL.DOT. As a result, the virus is able "to survive" foreever if its code is removed from the global macros area.
The virus contains the comments:
First ever used this kind of Stealth
Written by Flitnic. I haven't yet included a payload!

Macro.Word97.Swatch.b

Description Macro.Word97.Swatch.b

Swatch.b is a Word97 macro virus. It contains three macros: AutoOpen,RepToDocs, RepToNormal.
There is also a macro FileSave present, but not with the given version. When an infected file is opened, the virus creates a temporary archive named
Tmp.bas

in the C: drive root directory where its code is written. After this it imports a temporary file into normal.dot, thus allowing other MS Word files to become infected. Oncethe current document is infected the virus proceeds to delete the Tmp.bas file from the disk.
In general this virus does not contain any destructive functions.

Home