Virus Database

Macro.Word.Look

Description Macro.Word.Look

text (c) Michal A. Egler
This is a dangerous encrypted macro virus. It contains the macros: LOOK, AutoOpen, AutoClose. It searches for file "z-scan.doc" and deletes it. On every 1, 6, 15, 25 day of a month it deletes all files in "C:", "C:DOS" and root directories of the current disk. If the current hour is from 20 till 22, the virus displays a message box.

Check other viruses! Be aware! Use Antiviral Software

Mel.1536

Description Mel.1536

It is not a dangerous nonmemory resident parasitic virus. It searches for EXE files of the current directory and writes itself to the end of the file. Depending on the system timer the virus displays the messages:
All in All, You are just another BRICK in the WALL (MEL)
Hey dla:AS,JS,ZN,AD,BC,PC&PW,MS,HL,JZ,GR,DB i M.P.(ZZZ,but right) !! SIE MA
!!
all All very clear in the theatre tonight ...
Wirus calkowicie nieszkodliwy, jak jestes enough dobry to napisz
szczepionke
MKSa to sobie daruj,bo tu jest do niczego. Pracuj dalej na luzie
!!!!!!!!!!!
MEL Power Virus SystemDunderfunkFortranKiller1.0

Melissa.bg (a.k.a. "Resume worm")

Description Melissa.bg (a.k.a. "Resume worm")

This is one more variant of the "Melissa" virus with a very dangerous payload routine and an unlimited (by number of recipients) mailing routine. The virus only sends infected messages by using MS Outlook and does not infect any other files on the computer, so it can be classified as an Internet Worm.
The virus arrives as an e-mail message with an attached Word document.
The message Subject looks like follows:
Resume - Janet Simons
The message Body is:
To: Director of Sales/Marketing,
Attached is my resume with a list of references contained within. Please feel free to call or email me if you have any further questions regarding my experience. I am looking forward to hearing from you.
Sincerely,
Janet Simons.
The attached document contains two macros that are activated upon document opening and closing (Document_Open, Document_Close). Upon opening an infected document, the virus connects to MS Outlook, gets access to the address book and sends infected messages to all addresses listed there. The virus creates a "personal" message to each address, so it sends as many messages as there are addresses in the Outlook address book.
Upon document closing, the virus saves its document with the EXPLORER.DOC name in the Windows startup folder:
C:WINDOWSStart MenuProgramsStartUpExplorer.doc
As a result, this virus copy will be activated upon each Windows start-up. The name of that file is "hardcoded" in the virus body, so this feature is successful only when Windows is installed in exactly that directory.
The virus also creates the C:DATA directory and stores its copy in there with the NORMAL.DOC name:
C:DataNormal.dot
The virus then runs its payload routine. It erases all files in root directories on all drives from C: to Z:, as well as in directories:
C:My Documents*.*
C:WINDOWS*.*
C:WINDOWSSYSTEM*.*
C:WINNT*.*
C:WINNTSYSTEM32*.*
The virus code also contains the text strings:

'----------------------------------------------------------'
' Better You Than Me Buddyall '
' ... Hope You Like My vIrUs '
' :) '
' :( '
'----------------------------------------------------------'

Home