Macro.Word.Agent
Description Macro.Word.Agent
This is a polymorphic stealth Word macro virus. It contains a single macro, "AutoOpen", and replicates when documents are opened. The virus deletes the following menu items: Tools/Macro, Tools/Customize, File/Templates, Format/Style.

The mutation (polymorphic) engine, depending on a random counter, inserts random comments at random positions in the virus code and renames some virus variables with randomly selected names. This engine is "slow" because it is executed only if, at the moment of infection, the current seconds value is 23 or 45. As a result, in 97% of cases the polymorphic engine is not executed, and the "child" infector has the same code as its "parent".

Depending on the random counter, the virus sends a copy of the current document to Internet news-groups, so it uses global networks to spread itself. This can also lead to the disclosure of confidential information if that information is part of the document that is sent to the Internet. To post documents to the Internet, the virus executes the news client AGENT.EXE, selects one of the news-groups (see the list below) and sends a message there. The message has one of several possible Subjects (see the list below), the text "WM/Agent by Lord Natas" followed by randomly selected characters, and the infected document as an attachment.

The list of news-groups is as follows: alt.aol-sucks, alt.sex.zoophilia, alt.binaries.cracks, alt.windows95, alt.binaries.pictures.erotica, alt.sex.passwords, alt.binaries.warez.ibm-pc, alt.binaries.warez, alt.conspiracy, alt.binaries.sounds.mp3, alt.drugs.pot, alt.comp.virus, alt.fan.hanson, alt.2600, alt.flame, alt.2600.hackerz, alt.hacker, alt.skinheads, alt.sex, alt.sex.babies, alt.sex.necrophilia, alt.sex.bondage, alt.sex.stories
Subjects are: Free XXX Passwords New Virus Alert! Check this out! Serial Number List! Official WaReZ site list Official mp3 site list Easy Money! Elite XXX site list My first fuck by Todd New erotic story Hanson rulez! Important Princess Diana Info Warez mailing list details Important Monica Lewinsky Info Crackz mailing list details How to find child pornography Learn to hack! Cable TV descrambler instructions! Attn: All k3wl h4ck3rz Kewl N64 Emulator & MP3 sites Important Info
Rager.1383
Description Rager.1383
These are dangerous memory resident parasitic viruses. They hook INT 21h and write themselves to the end of EXE files that are executed. When the LOGIN utility is executed, the virus, depending on the system timer, decrypts and displays the following message and then reboots the computer:

********** Warning ! **********
Novell NetWare report : Hardware A30 error detected.
Registers :
AX :2134 BX :3C23 CX :1841 DX :5421
CS :2451 DS :2023 ES :538A SS :6C8B
SI :46AE DI :94B4 SP :4541 BP :491C
Try restart file-server,if it will not give effect, switch off your network and call trained service-people.
Press any key to restart this computer.
The virus also contains the text: NetWare virus from Avenge (tm) family . (C)Rager , Simferopol State University
Raiden.1433
Description Raiden.1433
This is a memory resident multipartite virus that is not dangerous. When an infected file is executed, the virus infects the MBR of the hard drive. When loading from an infected MBR, the virus hooks INT 13h, 1Ch and 4Fh, waits for DOS to load, and then hooks INT 21h. Through the INT 21h hook the virus intercepts the execution and opening of EXE files and writes itself to the end of the file. Through the INT 13h hook the virus intercepts access to the infected MBR and calls its stealth routine. In some cases (depending on the command line) the virus disinfects the host file. On INT 4Fh calls with AX=666h the virus displays the message:

+---------------------------------------+
¦ MBR VIRUS V.01 NECROSOFT CORPORATION ¦
¦ WRITEN BY RAIDEN COPYRIGHT (C) 1996 ¦
+---------------------------------------+