Virus Database

Macro.Word97.Beast

Description Macro.Word97.Beast

This virus has two components: Word macro and Windows32 EXE file. The virus macro has very short size and is placed in the infected documents as ordinary macro program, it has "auto-name" AutoOpen. The EXE component is stored in documents as an embedded object. When an infected document is opened, the AutoOpen macro takes control, gets EXE component, saves it on disk and executed. The EXE component then gets access to Word application and infects other documents. The infection and other important routines are placed in the EXE file, not in AutoOpen macro, so the virus spreads using documents as "carrier".
When the virus macro gets control (when an infected document is opened), it checks the system registry for its ID stamp. This ID contains the system time and is updated by virus each time its memory resident EXE copy gets control. If this ID was not updated for some period of time (i.e. there is no virus copy in the Windows memory), the virus drops its EXE component to the disk file I.EXE and executes it.
The I.EXE file is the main virus module. It registers itself in the system, stays in the Windows memory and runs the infection routine. To register its copy in the system the virus looks in the Windows system directory for .DLL file that has no .EXE companion, and copies its EXE file to there with this file name and .EXE extension. The virus then registers this EXE in the system registry to run this file on each Windows restart.
The virus then stays in the Windows memory as hidden application and hooks timer events - every second the virus application gets control. Each time the virus "memory resident" copy gets control, it looks for MS Word application and if it is active, the virus runs its infection routine. The virus performs followed actions:
1. counts characters in an active document. If there are no changes during 30 seconds, the virus runs infection procedure.
2. closes Visual Basic Editor window, if it is opened.
3. in period from 09:36pm till 07:12am the virus opens and closes CD-ROM's door.
The infection procedure gets access to MS Word functions by using OLE automation. It checks every opened document in MS Word, and if it does not contain embedded OLE objects and it have at least one program module the virus infects this document. It embeds it own executable file into document and also creates the "AutoOpen" macro in document's program module.
The virus contains the encrypted text "3BEPb" ("Beast" in several Slavonic languages). This text is used by virus as the header of its EXE application's window.

Check other viruses! Be aware! Use Antiviral Software

Macro.PPoint.Kelly

Description Macro.PPoint.Kelly

This macro virus infects the MS PowerPoint presentations. The virus contains one macro "Jd" in the "Kelly" module. The virus code is activated on the MouseOver events on the infected form, it then runs its main routine and infects all form in opened presentations. While infecting the virus copies its code to the victim form and sets handler for MouseOver event to its own procedure. As a result the virus code runs automatically when mouse moves over infected form.
This virus does not have payload procedure. The code of virus contains the comment:
Copyright (C) 1998 by FlyShadow ~^^~ - Kelly

Macro.PPoint.ShapeMaster

Description Macro.PPoint.ShapeMaster

This macro virus infects the MS PowerPoint presentations. The virus contains one macro "actionhook" in the "ShapeMaster" module. The virus is activated on the MouseClick on the infected form, it then runs its installation routine and infects the PowerPoint installed on the computer. The virus then infects other presentations only when they are created.
While affecting the system the virus copies its code to the "Blank Presentation.pot" file in the Templates directory. This file is used as base while creating a new presentation. As a result the virus code is automatically copied to newly created presentations.
Depending on the system random counter the virus shows the previous slide of the infected presentation. Also depending on the random counter the virus displays the MessageBox:
PPT.ShapeMaster v0.1 /1nternal

Home