Macro.Word.Hot
Description Macro.Word.Hot
This is encrypted virus. It contains the macros: AutoOpen, InsertPBreak, DrawBringInFrOut, ToolsRepaginat. While infecting the system that virus renames the ToolsRepaginat macros to FileSave, and then infects the existing documents that are saved on disk (FileSave). While infecting the documents the virus renames FileSave macro back to ToolsRepaginat name.
While infecting the system the virus inserts the string "QLHot=nnnn" into the WINWORD6.INI file, where "nnnn" is the "triggering day", it is the number of current day of this century plus 14, for example:
QLHot=35110
The next days the virus selects random value from 1 till 6, and adds to the "triggering day". If the result is equal to the current day, the virus deletes the file before saving it to disk.
14 days after last modifying of the "QLHot" string the virus renews it.
The virus does no action if there is the C:DOSEGA5.CPI file.
The virus does not work under Microsoft Word 7.0. While opening the infected document the system displays the message:
Unable to load specified library
Check other viruses! Be aware! Use Antiviral Software
School.403
Description School.403
It is a harmless nonmemory resident parasitic virus. It searches for .COM files and writes itself to the end of the file. It contains the text string:
File is overwrited by SCHOOL SUCK! virus. Finnish quality!
Schubert.323
Description Schubert.323
It is a very dangerous memory resident parasitic virus. It hooks INT 21h and writes itself to the end of COM files that are executed. Depending on the system time while writing to a file the virus writes to that file the string:
SCHUBERT 1797-1828.
|