Virus Database

Assassin_II.959

Description Assassin_II.959

It is a dangerous memory resident parasitic stealth virus. It intercepts two functions of INT 21h (CloseFile and ReadHandle) and writes itself at the beginning of COM- and EXE-files that are closed. The original beginning of the file is saved out of file body by the manner of the "Beast" virus. On reading from the file the virus substitutes the infected file with its original form.
The virus uses several complex tricks. On installation it does not hook INT 21h, but modifies the not documented DOS tables to pass the control to the virus body on file closing and on reading from the file. That can cause the system to crash. While infecting the file, the virus uses not documented System File Table and INT 2Fh calls.
The virus contains the internal text string:
This is [Assassin] written by Dark Slayer in Keelung. Taiwan <R.O.C>

Check other viruses! Be aware! Use Antiviral Software

Macro.Word97.Psd

Description Macro.Word97.Psd

This is the first known macro virus infecting Office2000 Word documents. It was discovered in December 1998. The virus uses the same methods of infection as Word/Word97 viruses use. The only difference is that the virus is converted into new Word document format and use few Office2000 specific instructions.
The virus affects the global macro area when an infected document is opened. The virus spreads itself into other documents when they are closed.
The virus disabled Word anti-virus protection by two ways: by using Basic instruction and by writing to corresponding filed in the system registry.
This is the stealth virus. While infecting the system it creates a stealth-macro that disables virus code viewing and exits Word without saving all changes.
The virus also uses polymorphic routine that randomly renames virus variables and subroutines names.
The virus code is places in one module in the Document_Open macro in infected documents. When an infected document is opened, the auto-macro Document_Open is executed by Word, the virus code takes control and installs the virus into the system. During that the virus copies its code to the global macros area with the Document_Close name and create additional stealth-macro ViewVBCode.
The virus checks the system date and time and in case current day number is equal to current minutes, the virus runs its trigger routine: it displays several figures of random size and random color.
The virus code contains the comment:
W97M/PSD by ALT-F11, VAMP Poly by VicodinES
Converted to W2000/PSD by VicodinES

Macro.Word97.Redter

Description Macro.Word97.Redter

This is a non-polymorphic Word virus. The virus resides in the RedTerrorist module.
It has seven subroutines:
AutoOpen
AutoClose
FuckThemAll
ToolsMacro
ToolsCustomize
ViewVBCode
Delay
The virus replicates when a document is opened or closed.
AutoOpen, AutoClose:
These procedures only call the main infection routine of the virus, which is in the FuckThemAll routine.
Delay:
This macro causes the system to pause before a message window is shown.
For i = 0 To 19170000
Next
FuckThemAll:
Main virus routine. Checks system parameter 'Country' and if this is 'US' , it then then runs the command shell:
"c:command.com C echo y | del " + Environ("windir") + "system*.* > nul"
After that the virus sets the following parameters:
.SaveNormalPrompt = False
.VirusProtection = False
.AllowFastSave = True
.BackgroundSave = True
The virus checks for the presence in the active document (or normal.dot) of the 'RedTerrorist' module. Repeated infection will not occur. If the module is not found, the virus creates an export file 'user.vxd' in %windir%\%temp% catalogue and infects the document. After that the virus removes the export file 'user.vxd'
ToolsCustomize, ToolsMacro, ViewVBCode:
These three routines are used for stealth; when executed they call the Delay routine and display Message Boxes:
ToolsMacro:
Top level process aborted, cannot continue
ToolsCustomize
Configuration too large for memory
ViewVBCode
Error in EXE file, program too big to fit in memory

Home