Macro.Word.Nuclear.a
Description Macro.Word.Nuclear.a
It is an encrypted virus. It contains the macros: AutoExec, AutoOpen, FileSaveAs, FilePrint, FilePrintDefault, InsertPayload, Payload, DropSuriv, FileExit.
During installation these macros are copied into the Global Macros area, overwriting any macros of the same name that are already present there. The virus then infects documents through the FileSaveAs macro.

The virus manifests itself in three ways: 1) runs COM/EXE/NewEXE virus, 2) appends text strings while printing documents, 3) corrupts system files. Note: the virus has a lot of bugs, and I am not sure that the virus is able to run 1) and 3) under a standard environment.

1) The AutoExec macro calls the DropSuriv macro, which checks the system time and drops the COM/EXE/NewEXE virus ("Ph33r") if the time is between 17:00 and 18:00. To drop it, the virus uses the DEBUG utility. First, the virus checks for C:\DOS\DEBUG.EXE. If this file is found, the virus creates the temporary file PH33R.SCR in the C:\DOS directory and writes a hex dump of the COM/EXE/NewEXE virus and DEBUG commands into it. Then the virus creates the temporary file EXEC_PH.BAT containing the strings:

    @echo off
    debug < ph33r.scr > nul

and executes it. As a result, the DEBUG utility creates a copy of the COM/EXE/NewEXE virus (in memory) and executes it. That virus hooks INT 21h and writes itself to the end of COM/EXE/NewEXE files when they are opened, executed, renamed, or have their attributes changed. The BAT file is executed in the background, so the user does not know that there are two(!) viruses on his PC. Then the virus deletes the temporary PH33R.SCR and EXEC_PH.BAT files. Fortunately, this virus has a bug and fails to drop the COM/EXE/NewEXE virus, but it is quite easy to fix that bug in the next virus version.

2) While printing documents, the virus appends the following text to approximately every 12th file (if the seconds are 55 or more):

    And finally I would like to say: STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC!

These strings are appended to the document immediately before printing, so the user does not see them (documents often occupy more than one screen). This is a very curious effect, especially when sending documents via fax.

3) On the 5th of April the virus erases the IO.SYS and COMMAND.COM files.

Macro.Word.Nuclear.b
It is a variant of the previous one. It does not contain the COM/EXE/NewEXE virus or the macros DropSuriv and FileExit. There is a bug in appending the text to the end of the document while printing. As a result, the virus appends a blank page, and Word displays a message about a WordBasic error.

Macro.Word.Nuclear.c
Another variant of "Nuclear". It contains five macros: Payload, AutoExec, AutoOpen, FileSaveAs, InsertPayload. The Payload macro contains commented-out instructions that erase all files on the C: drive. It seems that the virus author left them commented out because he was afraid of this damage on his own computer: this macro takes control as soon as Word starts (the AutoExec macro).
Azatoth.997
Description Azatoth.997
It is a non-dangerous, memory-resident, encrypted parasitic virus. It hooks INT 21h and writes itself to the end of EXE files that are executed or opened. The virus uses anti-debugging tricks, deletes the file ANTI-VIR.DAT and disables the resident driver TBDRVXXX. The virus contains the text strings: mandragore/DDT [azatoth] windblows must die! enjoy linux!
Aztech.1200
Description Aztech.1200
It is a dangerous memory-resident parasitic virus. It hooks INT 21h and 2Fh and writes itself to the end of EXE files that are executed. On infection it renames the file to AZTECH.INC, infects it and then renames it back to its original name. Depending on the system time, it erases disk files. It contains the internal text string: FUCKING CRACKER - DIE !!! (P) 1992 BY AZTECH.INC