Virus Database


Macro.Excel97.Sugar.a

Description Macro.Excel97.Sugar.a

These are stealth Excel97 macro viruses. They hook window/sheet activation and deactivation events and infect the corresponding files. While infecting, the viruses save their code as "class" macros (see also "Macro.Word97.Class").
Sugar.a
It creates the infected BOOK1 file in the Excel start-up directory. It disables the Macro Virus Protection by direct access to the system registry.
Depending on the current minute, day and month, the virus inserts into the current sheet up to 200 cells containing the text "-(Dr. Diet Mountain Dew)-", changes their size and color, and then inserts the message "The -[Sugar.Poppy]- by VicodinES" into the very first cell of the sheet.
The virus also contains the following comments:
'=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-'
'The Sugar.Poppy Excel Class Object Virus'
' written by VicodinES '
'=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-'
' Can I have a bottle of '
' WARM DIET MOUNTAIN DEW '
'=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-'

Sugar.b
This virus is very similar to the previous version. It also disables the Macro Virus Protection in the system registry, but does it with the help of MS Word: the virus transfers to Word's global macros area an AutoExec macro whose Visual Basic instructions disable VirusWarning when Word is executed.
This virus contains the following comments:
'-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-'
'Sugar.Poppy.II Excel Class Object Virus'
' written by VicodinES '
'-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-'
' Can I have a bottle of '
' WARM DIET MOUNTAIN DEW '
'-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-'
' Now it infects '
' ANY AND ALL CLASS OBJECTS '
'-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-'
' Module Parasitic Code Added '
'-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-'


Ida.1490

Description Ida.1490

It is a dangerous memory-resident parasitic polymorphic virus. It hooks INT 1Ch and INT 21h and writes itself to the end of COM files that are accessed. The virus's polymorphic engine is quite sophisticated: the decryption loop does not contain the decryption key "in clear". Instead, it tries to decrypt the virus code with different keys, calculates the CRC of the decrypted data, and passes control to the virus code if the CRC is OK. This engine has a bug, and in some cases the virus cannot decrypt itself and the system halts.
The virus looks for the text "VERA" on the screen and appends "I Veronika !". The virus also contains the text:
[IDA] v0.01 Serg_Enigma

IDEA.6126

Description IDEA.6126

It is a memory-resident polymorphic parasitic virus that is not dangerous. The virus code is encrypted three times: the first loop is polymorphic; the other loops are not polymorphic, but they use the IDEA encryption algorithm. As a result, decrypting the virus is quite a complex task, and when an infected file is executed even Pentium computers "sleep" for a second or two while the virus decrypts itself.
The virus then hooks INT 21h and stays memory resident. When COM and EXE files are executed, the virus writes itself to the end of the file. The virus does not infect COMMAND.COM and several anti-virus programs (TBAV, AVP, NAV, FINDVIRU, F-PROT, all) according to the string (two letters per name):
TBVIAVNAVSFIF-FVIVDRSCGUCO

After infecting a file, the virus opens the ANTI-VIR.DAT file (if it exists) and patches the name of the just-infected file there: it replaces the first character of the file name with 01h (the ASCII smiley character).
When ZIP files are accessed by the FindFirst/Next DOS commands, the virus adds an infected README.COM file to the ZIP archive. While infecting, the virus drops a file on disk, infects it, appends the infected file to the archive and then modifies the archive structure. As a host file the virus uses one of three simple video-effect programs that it keeps in its code. When executed, these programs manifest themselves by a video effect and display the messages:
Downloaded From
http://www.narkotic.com/~vico
Da BeSt BoaRd In SPaiN: El GriLLo Loco (34-1-352 24 45)
* ROADKILL BBS *
Call now 028-6621590

While infecting ZIP archives the virus creates three temporary files: DIR.SKA, END.SKA, ADD.SKA.
At 15:30 the virus creates the C:VIRUS.COM file, writes the standard EICAR anti-virus test file to it, manifests itself by a video effect and displays the rotated message:
Warning!
strong
crypto
inside

The virus also contains the text strings:
IDEA virus (c) Spanska 98
Thx to Rajaat (poly),
F Mirza (IDEA),
Wild Worker (zip),
Solar D (road)
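
An added example, not part of the original description: a Python triage script that walks a directory tree for the file artifacts named above (the three .SKA temporary files, a README.COM member inside ZIP archives, and a VIRUS.COM file holding the EICAR string). The function names and the constructed sample tree are assumptions of this example; a name match is a lead for further inspection, not a verdict.

```python
import os
import tempfile
import zipfile

# Artifact names taken from the IDEA.6126 description on this page.
TEMP_NAMES = {"DIR.SKA", "END.SKA", "ADD.SKA"}   # temp files from ZIP infection
ZIP_MEMBER = "README.COM"                        # file added to ZIP archives
DROPPED = "VIRUS.COM"                            # file created at 15:30
EICAR_MARKER = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"

def check_zip(path):
    """Return findings for README.COM members; tolerate damaged archives."""
    try:
        with zipfile.ZipFile(path) as zf:
            names = zf.namelist()
    except (zipfile.BadZipFile, OSError):
        return [(path, "unreadable ZIP, inspect manually")]
    return [(path, "archive member " + n) for n in names
            if os.path.basename(n).upper() == ZIP_MEMBER]

def scan_tree(root):
    """Walk root and return a sorted list of (path, reason) leads."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path, upper = os.path.join(dirpath, name), name.upper()
            if upper in TEMP_NAMES:
                findings.append((path, "temporary file from ZIP infection"))
            elif upper == DROPPED:
                with open(path, "rb") as fh:
                    eicar = EICAR_MARKER in fh.read(128)
                findings.append((path, "EICAR content" if eicar else "name only"))
            elif upper.endswith(".ZIP"):
                findings.extend(check_zip(path))
    return sorted(findings)

def build_sample(root):
    """Constructed sample tree: one suspicious ZIP and one leftover temp file."""
    with zipfile.ZipFile(os.path.join(root, "games.zip"), "w") as zf:
        zf.writestr("game.exe", b"MZ")
        zf.writestr("README.COM", b"\x90")
    open(os.path.join(root, "ADD.SKA"), "wb").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for path, reason in scan_tree(tmp):
            print(os.path.basename(path), "->", reason)
```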

    Copyright © 2005 Virus-Database.com