Virus Database

Macro.Word.Screw

Description Macro.Word.Screw

This macro virus contains 11 macros:
Documents NORMAL.DOT
ABC ABC
AO AO
AutoOpen
FileOpen
FileTemplates
FP FP, FilePrint
FSA FSA, FileSave, FileSaveAs
HLP HELP, HLP
SCR SCR
TMC ToolsMacro, ToolsCustomize, FileTemplates, TMC
ToolsMacro

It infects the global macros area on opening an infected document, but has an error - it copies nonexistent macros AE instead of AO. As a result this virus is able to replicate only once - there will be no AutoOpen macro in second generation.
On printing depending on the current time the virus pastes at the end of the document the text "SCREW VIRUS IS HERE" and replaces all sequences:
' a ' -> ' e '
' I ' -> ' Me '
'. ' -> ' !!! '

and restores them after printing.
The virus installs new ScreenSaver (Marquee), this saver will display the message:
You Are Infected With The Screw Virus!!!

Check other viruses! Be aware! Use Antiviral Software

Cascade.691

Description Cascade.691

This is a memory resident virus. Its body except for the beginning (first 32 bytes) is encoded. As a key the length of the infected file is used. That is why two strains of the same virus in most cases will coincide only in the first 32 bytes.
As an infected program is executed, the control of the JMP command is transferred to the beginning of the virus. By first commands the virus determines the length of the source file and deciphers its body.
On creating its memory-resident copy the virus:
copies its body into the highest addresses of the memory;
moves the body of the main program into the highest addresses of the memory;
moves the virus body into cleared area above the main program body;
sets INT 1Ch, 21h, 28h to its own copy.
ƒ all ƒ ƒ ... ƒ ƒ ... ƒ ƒ ... ƒ
+---------ƒ +---------ƒ +---------ƒ +---------ƒ
ƒProgram ƒ ƒProgram ƒ--+ ƒFree ƒ +-->ƒVirus ƒ
ƒ ƒ ƒ ƒ ƒ ƒmemory ƒ ƒ ƒ ƒ
ƒ ƒ ƒ ƒ ƒ +---------ƒ ƒ +---------ƒ
+---------ƒ +---------ƒ +-->ƒProgram ƒ ƒ ƒProgram ƒ
ƒVirus ƒ--+ ƒVirus ƒ ƒ ƒ ƒ ƒ ƒ
ƒ ƒ ƒ ƒ ƒ ƒ ƒ ƒ ƒ ƒ
+---------ƒ ƒ +---------ƒ +---------ƒ ƒ +---------ƒ
ƒ ... ƒ +-->ƒVirus ƒ ƒVirus ƒ--+ ƒ ... ƒ
ƒ(copy) ƒ ƒ ƒ
+---------ƒ +---------ƒ
ƒ ... ƒ ƒ ... ƒ

The virus affects only COM files as it's loaded into the memory for execution. Infection is carried out by standard method. Most widely spread versions of this virus does not reinfect files.
The virus changes interrupt vectors 1Ch, 21h and 28h. It also produces a specific video-effect: crumbling down of letters on the screen; does not have destructive functions.

Casino.2330

Description Casino.2330

Casino.2330 is a memory resident very dangerous virus which starts, finds and infects .COM-files of current directory, creates file COMMAND.COM (pseudo-COMMAND.COM) and writes its body into. After this, the virus starts this file, the virus from the pseudo-COMMAND.COM stays memory resident and removes this file from disk. Then the virus infects the .COM-files from memory-resident part.
The virus detects write protected disk by the read/write operation through INT 13h with this disk. The infector that removes the READ-ONLY attribute , contains the texts: "*.COM", "C:COMMAND.COM", "COMMAND", ".COM", hooks INT 21h.
On January, April, August, 15th the virus reads into computer' memory FAT of current drive, erases this FAT from disk and presents to play in game: if virus loses it restores the FAT contents on disk, if not - the FAT is not restored. While playing this game the virus displays:

and:
BASTARD ! You`re lucky this time - but for your own sake, now
SWITCH OFF YOUR COMPUTER AND DON`T TURN IT ON TILL TOMORROW !!!
or:
No Fuckin` Chance; and I`m punishing you for trying to trace me down !
or:
HA HA !! You asshole, you`ve lost: say Bye to your Balls all

Home