Macro.Word.Cleanup
Description Macro.Word.Cleanup
This is a Portuguese encrypted macro virus. It contains only one macro, AutoOpen, and replicates itself when documents are opened. In January 2000 the virus erases all files on the C: drive, but cancels the erasing if any of the following files is present on disk: C:\DOS\MASTERPC.TXT, C:\WINDOWS\MASTERPC.TXT, C:\WINDOWS\SYSTEM\MASTERPC.TXT
While deleting, the virus displays the messages:
    SEARCHING TEMPORARY FILE TYPE
    PROBABLE TEMPORARY FILE FOUND
    Delete this file
    DELETING FILE...
    Files Deleted. Keep your Hard Drive cleaned !
Ply.4224
Description Ply.4224
This is a dangerous, non-memory-resident parasitic virus. It searches for all EXE files in the current directory, then writes itself to the end of each file. The virus is not encrypted, but it behaves as a polymorphic virus: its code in different infected files has very few constant bytes, and as a result there is no constant scan string that detects it. To achieve this, the virus uses a rather complex engine that "mixes" the code in the virus body. The virus contains three blocks: the main code, data, and redirected calls.
    +----------+
    |Main Code |
    |          |
    |----------|
    |Data      |
    |----------|
    |Redirected|
    |Calls     |
    |          |
    +----------+
All assembler instructions in the main code are no more than 3 bytes in length, and every instruction occupies a 3-byte block in the virus code. If an instruction is shorter than 3 bytes, the free bytes contain NOP instructions. As a result, all instructions in the virus occupy 3-byte blocks. While infecting a file, the virus "moves" an instruction within its 3-byte block when the block contains a NOP command:
    8C C8  MOV AX,CS    <-->    90     NOP
    90     NOP                  8C C8  MOV AX,CS
The data block also contains 6-byte blocks into which the virus copies instructions as redirected calls, replacing them in the main code with CALL or JMP commands:
    Replaced with CALL              Replaced with JMP               Original code
    ------------------              -----------------               -------------
    E8 xx xx CALL -+        <-->    E9 xx xx JMP  -+        <-->    90    NOP
    ...          <-|---+            ...          <-|---+            8C C8 MOV AX,CS
    ...            |   |            ...            |   |
    ...            V   |            ...            V   |
    8C C8 MOV AX,CS    |            8C C8 MOV AX,CS    |            <marked as free
    90    NOP          |            90    NOP          |             block>
    C3    RET       ---+            E9 xx xx JMP back -+
Therefore any instruction can be shifted within its 3-byte block, or copied to a randomly selected address in the virus and replaced with a CALL or JMP command, while existing CALL and JMP redirectors can be replaced with the original code. No byte is encrypted, and there are very few constant bytes by which to detect the virus. Such a complex engine is not bug-free, and the virus often corrupts files while infecting them. The virus checks file names before infecting and does not infect the following files: AVP AVPLITE AVPVE EMM386 F-PROT FV386 FV86 MSAV MVTOOL10 SCAN TBSCAN TBAV TBCHECK TBCLEAN TBDISK TBDRIVER TBFILE TBGENSIG TBKEY TBLOG TBMEM TBSETUP TBSCANX TBUTIL VALIDATE VIRSTOP VPIC VSAFE.
Ply.5133
Description Ply.5133
This is a dangerous, non-memory-resident parasitic virus. It searches for all EXE files in the current directory, then writes itself to the end of each file. The virus is not encrypted, but it behaves as a polymorphic virus: its code in different infected files has very few constant bytes, and as a result there is no constant scan string that detects it. To achieve this, the virus uses a rather complex engine that "mixes" the code in the virus body. The virus contains three blocks: the main code, data, and redirected calls.
    +----------+
    |Main Code |
    |          |
    |----------|
    |Data      |
    |----------|
    |Redirected|
    |Calls     |
    |          |
    +----------+
All assembler instructions in the main code are no more than 3 bytes in length, and every instruction occupies a 3-byte block in the virus code. If an instruction is shorter than 3 bytes, the free bytes contain NOP instructions. As a result, all instructions in the virus occupy 3-byte blocks. While infecting a file, the virus "moves" an instruction within its 3-byte block when the block contains a NOP command:
    8C C8  MOV AX,CS    <-->    90     NOP
    90     NOP                  8C C8  MOV AX,CS
The data block also contains 6-byte blocks into which the virus copies instructions as redirected calls, replacing them in the main code with CALL or JMP commands:
    Replaced with CALL              Replaced with JMP               Original code
    ------------------              -----------------               -------------
    E8 xx xx CALL -+        <-->    E9 xx xx JMP  -+        <-->    90    NOP
    ...          <-|---+            ...          <-|---+            8C C8 MOV AX,CS
    ...            |   |            ...            |   |
    ...            V   |            ...            V   |
    8C C8 MOV AX,CS    |            8C C8 MOV AX,CS    |            <marked as free
    90    NOP          |            90    NOP          |             block>
    C3    RET       ---+            E9 xx xx JMP back -+
Therefore any instruction can be shifted within its 3-byte block, or copied to a randomly selected address in the virus and replaced with a CALL or JMP command, while existing CALL and JMP redirectors can be replaced with the original code. No byte is encrypted, and there are very few constant bytes by which to detect the virus. Such a complex engine is not bug-free, and the virus often corrupts files while infecting them. The virus checks file names before infecting and does not infect the following files: AVP AVPLITE AVPVE EICAR EMM386 F-PROT FV386 FV86 MSAV MVTOOL10 SCAN TBSCAN TBAV TBCHECK TBCLEAN TBDISK TBDRIVER TBFILE TBGENSIG TBKEY TBLOG TBMEM TBSETUP TBSCANX TBUTIL VALIDATE VIRSTOP VPIC VSAFE.
The virus deletes the NCDTREE file, if it exists.
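The reason a fixed scan string fails against Ply.4224 and Ply.5133 is that the 3-byte slots and CALL/JMP redirectors change the byte order without changing what executes. A scanner can undo that by normalising the image back to one canonical layout before matching. The Python below is an added illustration for both Ply descriptions above; it is not code from the page or from any antivirus product. It assumes the main code is a run of 3-byte slots, that a 3-byte E8/E9 whose target lies past the main code is a redirector whose block holds the original slot followed by RET (for CALL) or a JMP back to the next slot (for JMP), and that NOP padding sits before or after the instruction within its slot. All byte images are constructed samples, not bytes of the real virus; the function and constant names are my own.

```python
"""Normaliser for Ply-style code: 3-byte instruction slots with NOP padding,
plus CALL/JMP redirectors that park the original slot in a separate area.

Added example for the Ply.4224 / Ply.5133 descriptions. All byte images
below are constructed samples, not bytes of the real virus.
"""
import struct

NOP, CALL_REL16, JMP_REL16, RET = 0x90, 0xE8, 0xE9, 0xC3
SLOT = 3  # every main-code instruction occupies exactly one 3-byte slot


def rel16_target(code, off):
    """Target of a 3-byte E8/E9 rel16 at `off`: address of the next slot plus
    the signed 16-bit displacement (assumed 16-bit code, as in DOS EXEs)."""
    disp = struct.unpack_from("<h", code, off + 1)[0]
    return off + SLOT + disp


def canonical_slot(slot):
    """Rotate leading NOP padding behind the instruction, so '90 8C C8' and
    '8C C8 90' both become '8C C8 90'. Only *leading* NOPs are moved: a 0x90
    inside an instruction's own bytes (e.g. an immediate) must stay put."""
    i = 0
    while i < len(slot) and slot[i] == NOP:
        i += 1
    return slot[i:] + slot[:i]


def resolve_redirect(code, off, main_len):
    """Follow the redirector at `off` into the redirected-calls area and
    return the 3-byte original slot stored there, or None if the block does
    not have the expected shape (the text notes the engine corrupts files)."""
    target = rel16_target(code, off)
    if target < main_len or target + SLOT + 1 > len(code):
        return None
    block = code[target:target + SLOT]
    tail = target + SLOT
    if code[off] == CALL_REL16:
        # A CALL redirector's block must end in RET.
        return block if code[tail] == RET else None
    # A JMP redirector's block must end in a JMP back to the following slot.
    if tail + SLOT > len(code) or code[tail] != JMP_REL16:
        return None
    return block if rel16_target(code, tail) == off + SLOT else None


def normalise(code, main_len):
    """Rebuild the canonical main code from a permuted image.

    code      -- whole virus image (main code, then data/redirected calls)
    main_len  -- length of the main-code region, a multiple of SLOT
    Returns (canonical_bytes, offsets_of_unresolvable_redirectors). Unresolved
    slots are copied through unchanged so the caller can still inspect them.
    """
    if main_len % SLOT or main_len > len(code):
        raise ValueError("main_len must be a multiple of 3 and fit in code")
    out, bad = bytearray(), []
    for off in range(0, main_len, SLOT):
        slot = code[off:off + SLOT]
        # Only a CALL/JMP whose target lies past the main code is a redirector;
        # one that stays inside the main code is an ordinary instruction.
        if slot[0] in (CALL_REL16, JMP_REL16) and rel16_target(code, off) >= main_len:
            block = resolve_redirect(code, off, main_len)
            if block is None:
                bad.append(off)
                out += slot
                continue
            slot = block
        out += canonical_slot(slot)
    return bytes(out), bad


# --- constructed sample images (NOT the real virus) --------------------------
MAIN_LEN = 12
# Canonical main code: MOV AX,CS / MOV DS,AX / MOV AH,4Eh / INT 21h, each padded.
CANONICAL = bytes.fromhex("8CC890 8ED890 B44E90 CD2190")
# Variant A: slot 0 shifted behind a NOP, slot 1 parked behind a CALL->RET block.
VARIANT_A = bytes.fromhex("908CC8 E80600 B44E90 90CD21" "8ED890C3")
# Variant B: slot 0 parked behind a JMP->JMP-back block, slot 3 behind CALL->RET.
VARIANT_B = bytes.fromhex("E90900 8ED890 90B44E E80600" "908CC8 E9F1FF" "CD2190C3")
# Variant C: the CALL block for slot 1 lost its RET, as a corrupted file might.
VARIANT_C = bytes.fromhex("908CC8 E80600 B44E90 90CD21" "8ED89090")

if __name__ == "__main__":
    for name, img in (("A", VARIANT_A), ("B", VARIANT_B), ("C", VARIANT_C)):
        canon, bad = normalise(img, MAIN_LEN)
        print(name, canon.hex(" ", 3),
              "matches" if canon == CANONICAL else "differs",
              "unresolved at", bad)
```

Variants A and B, which share almost no bytes at the same offsets, both normalise to the same canonical image, which is what a signature can then be matched against. Variant C shows the failure mode the description mentions: a redirector whose block is malformed is reported by offset rather than silently followed, so an analyst can tell a corrupted sample from a clean one. Rotating only leading NOPs is deliberate: an instruction whose own bytes contain 0x90 (for example an immediate operand) would be damaged if trailing NOPs were stripped blindly.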