Virus Database

Macro.Excel.Lord

Description Macro.Excel.Lord

This virus infects Excel sheets (XLS files). It contains six macros: Auto_Open, cek_global, infectglobal, inFuckIt, Fuck, Auto_Close.
While loading an infected sheet, Excel executes the auto macros auto_open, and the virus takes control. The virus auto_open macro contains a command, which defines the Fuck macro as a handler of OnSheetActivate routine. As a result the virus hooks the sheet activate routine, and while opening a sheet the virus takes control.
When the auto_open macro takes control it searches for LORD.XLM files in the Excel Startup directory. If the infected macro is an active Workbook and the LORD.XLM file does not exist in the Excel Startup directory when the virus is executed for the first time, the virus creates this file and saves its code to it by using the SaveAs command. When Excel loads its modules the next time it automatically loads all XLS files from the Startup directory. The infected LORD.XLM is loaded as well as other files, and the virus takes control and hooks the sheet activation routine.
The virus contains the comments:
------------------------------------------------
Generated with NEG !!. Please include this text
------------------------------------------------
NEG is Trademark of NoMercy
http://www.focus-asia.com/home/NoMercyVirusTeam/Neg.html
VirusName: Lord
Author: Foxz with NEG
Module Name: Lord
Template: LORD.XLM

Check other viruses! Be aware! Use Antiviral Software

Neko.2697

Description Neko.2697

This is a memory resident parasitic polymorphic virus. It traces INT 13h and 21h, hooks INT 21h and writes itself to the end of EXE files that are executed. On Tuesdays it displays the following:
Dear Mrs.Grandy:
Aloha!
It is me,Neko again! This is the lastest version 2.0
Undoubtedly,I am not what I was.
Let me tell you something about my improvement.
I work with the Antilogic Engine I.
It is a new invention.So,
Showtime! Neko version 2.0
Made by Metal Satan

Nephew.2906

Description Nephew.2906

These are dangerous memory resident encrypted parasitic viruses. They hook INT 21h and write themselves to the end of COM and EXE files that are executed. The viruses delete the anti-virus data files: CHKLIST.MS, CHKLIST.CPS, ANTI-VIR.DAT, CHKLST.TAV, SMARTCHK.TAV. The viruses do not infect the files: HIEW, SAFE, SOS e.t.c. according to strings (four letters per name):
HIEWSAFESOS./WD.WARNCPAV
ADINANTIAIDSVIRUVIR.SCANRWEBLD.EGUARCLEA

The viruses also attempt to overwrite files from the second string (ANTI, AIDS, VIRU, VIR., SCAN, e.t.c.), but fail to do that because of a bug. They attempts to overwrite these files with a program that displays the message:
+--------------------------------------------------------------------+
| U N R E G I S T E R E D P R O G R A M ! |
+--------------------------------------------------------------------+
This version is NOT freeware, you MUST register it!
Call (+7-095)135-6253, 137-0150

The viruses scan DOS kernel, look for the DSKREET driver and patch its code with a call to virus routine. In this patch the virus sets some flags and depending on them writes some data to last disk directory sectors. It writes by using old style calls only and is able to do that only with disks with 32M or less disk space. The virus also uses
The virus also contains the text string:
(=) Big Nephew (=)

Home