Virus Database

Macro.Excel.Disaster

Description Macro.Excel.Disaster

This virus infects Excel sheets (XLS files). It contains five macros in one module "Disaster": Auto_Open, Infect, Unvisible, Butterfly, Auto_Close.
While loading an infected document Excel executes auto macros auto_open, and the virus takes control. The virus auto_open macro contains just one command, which defines the Unvisible macro as a handler of OnSheetActivate routine. As a result the virus hooks the sheet activate routine, and while opening a sheet the virus (the Unvisible macro) takes control.
When the Unvisible macro takes control, it executes the Infect macro which infects all active Workbooks. While closing an infected document Excel executes the Auto_Close macro. This macro erases all sheets except having the "Sheet" at the beginning of the name. This macro then saves infected sheet to the Excel Startup directory with the BOOK1.XLS name.
On Monday that falls on 1-5th day or month, or on Friday starting from 25th of month the virus on closing files executes the Butterfly macro that creates new sheet named "A" and deletes all other.

Check other viruses! Be aware! Use Antiviral Software

Linux.Vit.4096

Description Linux.Vit.4096

This is a nonmemory resident parasitic virus. The virus has the internal ELF format, replicates under Linux OS and infects Linux executable files. This is the second known Linux virus, the first being "Linux.Bliss".
Linux is a access-protected system; i.e., users and programs may access only files that they have permission to. The same is true for a virus - it may infect only the files and directories that are declared as "write-able" for the current username. If the current username has total access (system administrator), the virus will infect all the files on a computer.
When an infected file is executed, the virus takes control, searches for executable ELF files in the current directory and infects them into the middle. While infecting, the virus analyzes the internal file formats (ELF headers), locates the first code section, makes a "cave" by shifting this and the following sections down by 4096 bytes, writes its code to this "cave," modifies the file entry address and corrects necessary fields in the ELF headers.
Clean file: Infected file:

+---------------+ +---------------+
| ELF Headers |--+ | ELF Headers |--+
| | | | | |
|---------------| | |---------------|<-+ virus entry
| Section 1 |<-+ entry +-| Virus | address
| | address | | - - - - - - - |
|---------------| +>| Section 1 |
| Section 2 | | |
|---------------| |---------------|
. . . | Section 2 |
|---------------| |---------------|
| Section n | . . .
+---------------+ |---------------|
| Section n |
+---------------+

The virus looks for duplicate infection and prevents it, and, in addition, the virus infects files quite accurately: in tests, not all infected files were corrupted, and the virus was able to replicate itself from them.
While infecting, the virus uses the temporary VI324.TMP file. This file name was the reason behind the selecting of the virus name(VIxxx.Txx).

Linux.Winter

Description Linux.Winter

This is a harmless non-memory resident parasitic Linux virus. It is extremely small in size for a Linux virus - just 341 bytes (in the known virus version).
When an infected file is run, the virus gains control, searches for ELF files (Linux executable files) in the current directory, then writes itself to the middle of the file to the non-used "Notes section" if there is one and it has enough size. While infecting, the virus overwrites "Notes" data in the section, but the program runs properly after that.
The virus contains the text string:
LoTek by Wintermute
The virus has a routine that sets a host name (computer name) to "Wintermute", but this routine never gains control.

Home