Virus Database

Macro.Word97.Class

Description Macro.Word97.Class

This virus contains two macros in one Module, "ThisDocument," and the macros have different names in documents and NORMAL.DOT:
Documents NORMAL.DOT
AutoOpen AutoClose - infection and trigger routines
ViewVBCode ToolsMacro - stealth, disables viewing macro code

The virus infects the global macros area upon the opening of an infected document. While infecting, the virus exports virus code to the C:CLASS.SYS and inserts it into NORMAL.DOT. Documents are infected in the same way.
The virus mutation (polymorphic) routine inserts comments into virus code, containing a user name, current date and time, and information about the active printer.
The virus uses an effective way to hide its code. By using special WordBasic operators, the virus installs its module, not into the standard area of macro programs, but into the area of Word classes - the area of standard routines that handle Word events, i.e., Word kernel. The virus appends its code to documents and templates, not as a user application (macro program), but as a "native" Word component. As a result, the virus is not visible in Tools/Macro and File/Templates (for what reason does the virus then hook ToolsMacro?)
The virus disables the AutoProtection. On the 31st, the virus displays the MessageBox:
This Is Class
?-?-?-?-?-?-?-?-?-?-?-?-?-?-?-?-?-?-?-?
? VicodinES /CB /TNN ?
?-?-?-?-?-?-?-?-?-?-?-?-?-?-?-?-?-?-?-?

Class.d
Each month from June until December on day 14, the virus displays the message:
Class.Poppy
I think is a big stupid jerk!

The virus also changes values in the registry keys:
HKLMSoftwareMicrosoftWindowsCurrentVersionRegisteredOwner = "VicodinES /CB /TNN"
RegisteredOrganization = "-(Dr. Diet Mountain Dew)-"

Class.bs
Upon infection, this virus modifies the system registry by writing "Clazz" as the registered owner of this Windows copy. Upon trying to view, the virus codes it with a probability of 25% and sets the "Clazz" password for active document, or, with the same probability, deletes all files in the current folder.

Check other viruses! Be aware! Use Antiviral Software

Hobo.369

Description Hobo.369

It is a harmless memory resident partly encrypted parasitic virus. It copies itself to Interrupt Vectors Table and hooks INT 21h. On ChangeDirectory DOS call it searches for COM files in current directory, then writes itself to the end of file. The virus does not manifest itself in any way. It contains the text strings:
*.com
'Hobo' Created by Sozer

HoChiMinh

Description HoChiMinh

It is not a dangerous memory resident parasitic virus. It hooks INT 21h and writes itself to the end of COM and EXE files. Three hours after installing into the memory the virus displays the message:
This playgame was writen by Nguyen The Quang, Nacentra Co.
101 - Hai Ba Trung, St.1 - Ho Chi Minh City, Phone: 96282
Press any key to Continue!

Home