Macro.Word.Anak
Description Macro.Word.Anak
This is an encrypted macro virus. It contains four original macros that are copied as five macros when it infects documents and NORMAL.DOT:

Documents NORMAL.DOT
Macro1: anakAE AutoExec
Macro2: AutoOpen anakAO anakAO
Macro3: anakSA FileSave anakSA
Macro4: anakSMU anakSMU
The virus infects the global macros area when an infected document is opened (AutoOpen) and writes itself to documents when they are saved (FileSave). The virus defines a new shortcut key, "Shift-Ctrl-F", and associates it with the Tools/Customize menu. To hide its macros (a stealth feature) the virus removes the File/Templates, Tools/Macros and Tools/Customize menus. From the 25th of any month, from 14:00 onward, the virus creates a new template and inserts this text into it:

alli n t r o d u c i n g... anakSMU Semarang, March 1997
The virus then registers itself in the system. To do that it creates the ANAKSMU.BAT file, writes the following commands to it and executes it:

@ECHO OFF
REM ---------------------------------------------------------
REM anakSMU wont destroy your REGEDIT, Just wanna be there :)
REM email: anakSMU@TheOffice.net"
REM ---------------------------------------------------------
ECHO REGEDIT4 > anakSMU.REG
ECHO [HKEY_CURRENT_USER\Software\anakSMU] >> anakSMU.REG
ECHO [HKEY_CURRENT_USER\Software\anakSMU\anakSMU@TheOffice.net] >> anakSMU.REG
ECHO [HKEY_CURRENT_USER\Software\anakSMU\18.090 - Semarang] >> anakSMU.REG
START /MIN REGEDIT anakSMU.REG
EXIT
The virus then displays the MessageBox: anakSMU Yeah!, I wish I were anakSMU
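The artifacts described above (the anakSMU registry key, the dropped ANAKSMU.BAT and anakSMU.REG files, and the anak* macro names) can be checked for during triage. The following is an added example, not part of the original description: the function names and sample inputs are constructed for illustration, and backslash separators in the registry path are assumed.

```python
import re

# Indicators taken from the description above. The backslash separators in the
# registry path are an assumption; the macro names are as listed on the page.
ANAK_KEY_PREFIX = r"hkey_current_user\software\anaksmu"
ANAK_MACROS = {"anakae", "anakao", "anaksa", "anaksmu"}
DROPPED_FILES = {"anaksmu.bat", "anaksmu.reg"}

SECTION_RE = re.compile(r"^\s*\[(.+?)\]\s*$")


def registry_hits(reg_export_text):
    """Return key paths from a REGEDIT4-style export at or under the anakSMU key."""
    hits = []
    for line in reg_export_text.splitlines():
        m = SECTION_RE.match(line)
        if not m:
            continue
        key = m.group(1).strip()
        low = key.lower()
        # Match the key itself or a subkey, but not a sibling such as "anakSMUtils".
        if low == ANAK_KEY_PREFIX or low.startswith(ANAK_KEY_PREFIX + "\\"):
            hits.append(key)
    return hits


def triage(reg_export_text, macro_names, file_names):
    """Collect indicators found in a registry export, a macro list and a file list."""
    return {
        "registry": registry_hits(reg_export_text),
        "macros": sorted(n for n in macro_names if n.lower() in ANAK_MACROS),
        "files": sorted(f for f in file_names if f.lower() in DROPPED_FILES),
    }


# Constructed sample input (not captured from a real system).
SAMPLE_EXPORT = """REGEDIT4

[HKEY_CURRENT_USER\\Software\\Microsoft\\Office]
[HKEY_CURRENT_USER\\Software\\anakSMU]
[HKEY_CURRENT_USER\\Software\\anakSMU\\anakSMU@TheOffice.net]
[HKEY_CURRENT_USER\\Software\\anakSMUtils]
"""
SAMPLE_MACROS = ["AutoExec", "FileSave", "anakAO", "anakSA", "anakSMU", "MyReport"]
SAMPLE_FILES = ["AUTOEXEC.BAT", "ANAKSMU.BAT", "anakSMU.REG"]

if __name__ == "__main__":
    for kind, found in triage(SAMPLE_EXPORT, SAMPLE_MACROS, SAMPLE_FILES).items():
        print(kind, found)
```

AutoExec, AutoOpen and FileSave are standard Word automatic macro names and appear in clean templates too, so the check flags only the anak* names.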
GW.1201
Description GW.1201
It is a harmless memory-resident, encrypted, parasitic virus. It hooks INT 21h and writes itself to the end of COM and EXE files that are executed or closed. The virus checks file names and does not infect anti-virus programs or files with these names: AIDSTEST, DRWEB, COMMAND, IBM*, AVP. While infecting, the virus uses the undocumented System File Tables. The virus also uses other tricks to hide itself in memory and to access system resources: it traces INT 13h to get the original INT 13h handler, and it patches the DOS kernel to intercept file access calls. The virus is encrypted in files as well as in system memory. When needed, the virus decrypts routines, executes them, and then encrypts them again. The virus does not manifest itself in any way. At the beginning of its code it contains a set of instructions that looks like a text string: _GW
Gwar
Description Gwar
It is a very dangerous memory-resident, encrypted, stealth boot virus. It hooks INT 13h and writes itself to the boot sector of diskettes and the MBR sector of the hard drive when they are accessed. The virus copies its TSR copy to the interrupt table. From January 1st to 7th the virus displays a message and erases sectors on the hard drive. The message reads: Gwar virus by T-2000