Lyceum Family
Description Lyceum Family
These are not dangerous memory-resident parasitic viruses. They hook INT 8, 9 and 21h and write themselves to the end of COM and EXE files ("Lyceum.1975" infects COM files only). If no keys are pressed for a long time, these viruses display a message in Russian. "Lyceum.1832" contains the text:

Welcome to Lycee of Information Technologies !

"Lyceum.1888,1950" display:

+------------------------------------------------------------------+
¦                        You are welcome !                         ¦
¦ Moscow Institute of Radioengineering, Electronics and Automation ¦
¦                              Moscow                              ¦
¦                       Vernadsky Avenue 78                        ¦
¦                    Phone of MIREA: 433-00-66                     ¦
+------------------------------------------------------------------+

"Lyceum.703", depending on its internal counter, creates the README.!!! file and writes a message in Russian to it. "Lyceum.944", depending on the current date, encrypts the MBR of the hard drive.
Macro.Word.Hot
Description Macro.Word.Hot
This is an encrypted virus. It contains the macros: AutoOpen, InsertPBreak, DrawBringInFrOut, ToolsRepaginat. While infecting the system, the virus renames the ToolsRepaginat macro to FileSave, and then infects existing documents when they are saved to disk (FileSave). While infecting documents, the virus renames the FileSave macro back to ToolsRepaginat. While infecting the system, the virus inserts the string "QLHot=nnnn" into the WINWORD6.INI file, where "nnnn" is the "triggering day": the number of the current day of this century plus 14, for example:

QLHot=35110

On the following days the virus selects a random value from 1 to 6 and adds it to the "triggering day". If the result is equal to the current day, the virus deletes the file before saving it to disk. 14 days after the last modification of the "QLHot" string, the virus renews it. The virus takes no action if the C:\DOS\EGA5.CPI file exists. The virus does not work under Microsoft Word 7.0. When an infected document is opened, the system displays the message:

Unable to load specified library
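The "QLHot" marker described above is a usable host indicator. The following is an added example, not code from the original page: it looks for the marker in the text of a WINWORD6.INI file and derives the dates during which the payload could fire. The day-number epoch (1899-12-30), the function names and the sample INI content are assumptions made for illustration; the page only says "day of this century".

```python
import re
from datetime import date, timedelta

# ASSUMPTION: the day number is a serial date counted from 1899-12-30.
# The page does not state the epoch, so derived dates are approximate.
EPOCH = date(1899, 12, 30)

# Marker written by the virus, per the description: QLHot=nnnn
MARKER = re.compile(r"^\s*QLHot\s*=\s*(\d+)\s*$", re.IGNORECASE | re.MULTILINE)

# Constructed sample; the page does not say which INI section holds the line.
SAMPLE_INI = "[Constructed Section]\nSomeSetting=1\nQLHot=35110\n"


def find_qlhot(ini_text):
    """Return the stored 'triggering day' number, or None if absent."""
    match = MARKER.search(ini_text)
    return int(match.group(1)) if match else None


def assess(ini_text, today):
    """Summarise the marker and whether 'today' is inside the payload window."""
    day = find_qlhot(ini_text)
    if day is None:
        return {"infected_marker": False}
    trigger = EPOCH + timedelta(days=day)
    # Payload fires when trigger day + random(1..6) equals the current day.
    window = (trigger + timedelta(days=1), trigger + timedelta(days=6))
    return {
        "infected_marker": True,
        "trigger_day": day,
        # The marker is written as "current day + 14".
        "marker_written": trigger - timedelta(days=14),
        "trigger_date": trigger,
        "risk_window": window,
        "in_window": window[0] <= today <= window[1],
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_INI, date(1996, 2, 18)).items():
        print(f"{key}: {value}")
```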
Macro.Word.Hunter.a
Description Macro.Word.Hunter.a
These are encrypted German-specific macro viruses. They contain three macros: AutoOpen, DateiNeu, ExtrasMakro. The viruses do not use any copy-macros function to spread themselves. To infect the system they save an infected document to the Winword startup directory with the name:

"Hunter.a": WINWORD.DOT
"Hunter.a,b": AutoStrt

The viruses then register that file as an "Add-In" template. The viruses infect documents on the DateiNeu (FileNew) call. They create a new document, insert the infected Add-In and clean its contents. As a result, on creating a new file the virus loads an already infected clean file (template). The ExtrasMakro (ToolsMacro) macro is used to hide the virus macros in an infected system. "Hunter.a,b", depending on the system timer, display the MessageBox:

<HeadHunter V3.0>
One - You lock the target
Two - You bait the line
Three - You slowly spread the net
And four - You catch the man

"Hunter.c", depending on the system timer, inserts randomly selected strings into its macros. The virus contains the commented texts below; the second line contains different version numbers and dates in different viruses:

********************************************************************
*** <HEADHUNTER V3.0> by Neurobasher, 17.10.1995, Germany        ***
*** Boring experimental Winword virus with minor retro & stealth ***
********************************************************************
*** "I'm looking for a man who knows the rules of the game"      ***
*** "Who's able to forget them to realize my aim"                ***
********************************************************************