Macro.Word97.ATU family
Description Macro.Word97.ATU family
The viruses of this family use an uncommon way of spreading. Instead of copying their macro program to the macro area of victim documents, they only write to the documents a reference to a template (the attached template) that contains the virus macros. When MS Word97 opens such a document, it detects the reference to the attached template, opens the template and executes its macros. The virus macro gets control and runs its infection procedure. As a result, the infected documents contain no macro code, but whenever they are opened the virus macro code is loaded by Word97 and executed.

In the known versions of this virus the reference to the attached template points to a file on a remote Internet site (the virus writers' Web site). As a result, on opening an affected document MS Word97 downloads and processes a template that is located in the Internet zone. Because of that, the virus author(s) are able to "upgrade" the virus code by replacing the template on their Web site.

This way of spreading allows the virus to bypass the anti-virus protection (VirusWarning) in old versions of MS Word97. These Word97 versions have a security hole: Word97 does not activate the anti-virus protection to scan attached templates for macro code. This bug in MS Word97 was fixed at the beginning of 1999.

"ATU.b": this virus version does not copy its entire code from the template to the global macros area, but only the code necessary to infect documents.

The viruses contain the comments:
"ATU.a":
<!--1nternal--> Active Template Update
"ATU.b":
<!--1nternal--> Active Template Update v0.2 /1nternal
Check other viruses! Be aware! Use Antiviral Software
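The following is an added example, not code from the original description: a heuristic triage check for the situation described above, where a document carries no macro code of its own but references a template on a remote site. It scans raw bytes for URL strings ending in ".dot" instead of parsing the Word97 binary format; the function names, the sample bytes and the example.invalid URL are constructed for illustration.

```python
import re

# Added example. Heuristic only: looks for URL strings ending in ".dot"
# in the raw bytes; it does not parse the Word 97 binary structures.
_ASCII_RUN = re.compile(rb"[\x20-\x7e]{8,}")
_UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")
# ".dot" must end the path, so "http://a.dot.example/x.doc" is not a hit.
_REMOTE_DOT = re.compile(r"(?i)(?:https?|ftp)://[^\s\"'<>]+?\.dot(?![\w./-])")
# OLE2 directory entry names are UTF-16LE; macro projects sit in a "VBA" storage.
_VBA_STORAGE = "VBA".encode("utf-16-le") + b"\x00\x00"


def _strings(data):
    """Yield printable strings stored as 8-bit text or as UTF-16LE."""
    for m in _ASCII_RUN.finditer(data):
        yield m.group().decode("ascii")
    for m in _UTF16_RUN.finditer(data):
        yield m.group().decode("utf-16-le")


def find_remote_templates(data):
    """Return the sorted, de-duplicated remote template URLs found in data."""
    hits = set()
    for s in _strings(data):
        hits.update(m.group() for m in _REMOTE_DOT.finditer(s))
    return sorted(hits)


def triage(data):
    """Report remote template references and whether macro storage exists."""
    urls = find_remote_templates(data)
    return {
        "remote_templates": urls,
        "embedded_macros": _VBA_STORAGE in data,
        # A remote template is worth flagging even when no macros are embedded.
        "suspicious": bool(urls),
    }


# Constructed sample bytes (not real documents): OLE2 magic, padding, one string.
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")
URL = "http://example.invalid/tpl/update.dot"  # placeholder, not from the page
PAD = b"\x00" * 16
SAMPLE_REFERENCE_ONLY = OLE_MAGIC + PAD + URL.encode("utf-16-le") + PAD
SAMPLE_LOCAL = OLE_MAGIC + PAD + r"C:\Templates\Normal.dot".encode("utf-16-le") + PAD

if __name__ == "__main__":
    print(triage(SAMPLE_REFERENCE_ONLY))
    print(triage(SAMPLE_LOCAL))
```

A document that reports a remote template with "embedded_macros" false matches the pattern described above: a scan of the document's own macro area finds nothing, so the reference itself is the thing to flag.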
Faod.1433
Description Faod.1433
It is a dangerous memory resident parasitic virus. It hooks INT 21h and writes itself to the end of EXE files that are accessed. To detect its TSR copy (the "Are you here?" call) the virus uses an INT 21h call with AH=FAh, and the memory resident code returns AH=0Dh; this is the reason for the virus's name. The virus has errors and may crash the system. On the 23rd and 24th of any month, depending on the system time, the virus displays a message in Russian (meaning "ASS"):
XXx XX xXX xXXXXXXXXXXx XXXXXXXXXXXx xXXXXXXXXXXX xXXxXXxXXx XXx xXX XX XX XXx XX XXXXXX XX XX XX XX XXXXXXXXXXXX xXXxXXxXXx XXx xXX XX XX XXx xXX XXx XX xXX xXXXXXXXXXXx XX XX XX XX
Farside family
Description Farside family
These are not dangerous memory resident parasitic viruses. They hook INT 21h and write themselves to the beginning of .COM files (except COMMAND.COM) and to the middle of .EXE files that are executed or opened. In some cases the viruses display the messages:
"Farside.3008":
For cryin'out loud! My circuits are haunted by the ghost of a porcupine. . .
"Farside.3012":
This program has been infected with a nondestructive virus ! For an antivirus call (034).32.09.87 (with CHRIS)
The viruses also contain the text string "COMMAND.COMCOMEXE" and:
"Farside.3008":
FARSIDE virus 1.00 (C) Windom Earle ROMANIA