Virus Database


Macro.Word.Randomic

Description Macro.Word.Randomic

This Word macro virus contains a single macro with a randomly selected name: <random letter><random number>. It infects documents and NORMAL.DOT when the keystroke assigned to this macro is pressed; the same key is also recorded in the document variable "TKey".
The virus removes the Tools menu. On April 4th it displays the following dialog and reboots the computer:
>> RANDOMIC << STRANGE LUCK >> RANDOMIC <<
______________________________________________
Your system is infected
with the RANDOMIC macro virus.
Immediately stop your work, or you will regret it.
______________________________________________
That's maybe your last chance!!!
______________________________________________
Nightmare Joker [SLAM]
1997


Ks

Description Ks

This is a relatively harmless memory resident boot virus. It hooks INT 13h and writes itself to the boot sectors of floppy disks and to the MBR sector of the hard drive. When loaded from a floppy, the virus infects the MBR sector. It does not store the original boot sectors when infecting, but overwrites them. Starting from July 24, the virus displays a text message when the PC boots. The virus contains the following text strings:
sk

Ksenia.3599

Description Ksenia.3599

This is a dangerous memory resident polymorphic and stealth parasitic virus. It hooks INT 9 and 21h, and writes itself to the end of COM, EXE and SYS files that are accessed. Depending on the system conditions, the virus either hooks INT 21h by a standard method, or traces it and patches it with INT xxh code, where "xx" is randomly selected from the list of unused interrupts.
To recognize an already infected file, the virus uses the file date stamp: the current year plus 100. When infected files are read and when file search functions are called, the virus runs its stealth routines; when infected files are written to, the virus disinfects them. The virus checks file names against the following list:
PKZIP,RAR,ARJ,LHA,ARC,DEFRAG,SPEEDISK,CHKDSK,BACKUP,MSBACKUP,SCANDISK,NDD

If any of these files is executed, the virus disables its stealth functions. If WIN.COM is executed, the virus adds the "/d:c" parameter to the command line. The virus does not infect files whose names begin with the strings:
FI,SC,VS,TB,DR,AV,F-,FP,AD,CO

On Mondays, if a file is executed at 5 minutes past any hour, the virus calls the Novell NetWare function SEND BROADCAST MESSAGE and sends the following message to the network:
External System Error #05. Connection refused.

On Mondays at 17:xx, the virus calls the Novell SYSTEM LOGOUT function.
The virus's INT 9 (keyboard) handler checks keyboard scancodes. If the text 'KSENIA' is typed, the virus displays the following text and halts the computer:
123 4 5 Deadman

On May 5th, when the current disk is changed, the virus erases data on the current disk.
In addition to the strings listed above, the virus contains the texts:
[KSENIA]
Version 0.99 alpha
Copyright (C) 01/02/99 10:29:34 by Deadman
The Global Project devoted to Ksenia Chizhova
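
The date-stamp marker described above (current year plus 100) can be used as a triage heuristic when reviewing a DOS/FAT directory listing. The following is an added example, not code from the original page: the function names and sample entries are constructed for illustration, the 16-bit date layout is the standard DOS/FAT one, and a hit only means the file deserves a closer look.

```python
from datetime import date

DOS_EPOCH_YEAR = 1980  # FAT/DOS dates store the year as a 7-bit offset from 1980
MARKER_OFFSET = 100    # per the description: stamp year = current year + 100
TARGET_EXTS = (".COM", ".EXE", ".SYS")  # file types the description lists


def encode_dos_date(year, month, day):
    """Pack a date into the 16-bit DOS format (used to build the sample data)."""
    return ((year - DOS_EPOCH_YEAR) << 9) | (month << 5) | day


def decode_dos_date(packed):
    """Split a 16-bit DOS date word into (year, month, day)."""
    if not 0 <= packed <= 0xFFFF:
        raise ValueError("DOS date must be a 16-bit value")
    return DOS_EPOCH_YEAR + (packed >> 9), (packed >> 5) & 0x0F, packed & 0x1F


def has_year_marker(packed, scan_year):
    """True if the stamp lies in the future and equals some past year + 100."""
    year, _, _ = decode_dos_date(packed)
    return year > scan_year and DOS_EPOCH_YEAR <= year - MARKER_OFFSET <= scan_year


def triage(entries, scan_year=None):
    """Return names of COM/EXE/SYS files whose date stamp carries the marker."""
    if scan_year is None:
        scan_year = date.today().year
    return [name for name, packed in entries
            if name.upper().endswith(TARGET_EXTS) and has_year_marker(packed, scan_year)]


# Constructed sample directory listing: (file name, packed DOS date).
SAMPLE = [
    ("EDIT.COM", encode_dos_date(2099, 3, 14)),    # 1999 + 100: marker
    ("FORMAT.COM", encode_dos_date(1999, 3, 14)),  # ordinary stamp
    ("README.TXT", encode_dos_date(2099, 1, 1)),   # not a targeted file type
    ("HIMEM.SYS", encode_dos_date(2107, 12, 31)),  # implies 2007: later than a 1999 scan
]

if __name__ == "__main__":
    for name in triage(SAMPLE, scan_year=1999):
        print("review:", name)
```

Because the description says the stealth routines run on file search functions while the virus is resident, this check assumes the directory entries were read from a clean boot or from a disk image.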

    Copyright © 2005 Virus-Database.com