Virus Database

Macro.Word97.Gamble

Description Macro.Word97.Gamble

This is a stealth macro virus. It contains 3 modules and 11 functions: AutoOpen, Gamble1, ToolsMacro, CommandButton2_Click, CommandButton5_Click, Image1_Click, Label2_Click, Label3_Click, Label4_Click, UserForm_Click, CommandButton1_Click.
On opening an infected file the virus disables the VirusProtection and infects the global macros area (NORMAL.DOT), then on opening not infected files the virus infects them.
The virus substitutes the Tools/Macro menu (stealth), on pressing the "Create" button it displays the MessageBox:
Memory Allocation Error
Not Enough Memory To Complete The Request

On Mondays the virus displays the DialogBox:
Word Macro97 Virus "The Gambler" By Talon 1997
You System Is Infected By "The Gamble" Word Macro Virus
I Will Give You One Chance To Save Your Files, If You Can Guess The
correct Number between 1 And 10, I Will Return Your System To Your Control
If Your Wrong, Well We Won`t Go There. Do Not Not Turn Your System
Off. Your system FIles Have Been Encrypted With A Random Number, If This
Is Not Completed Your System Will Not Be Able To Reboot. Just Play Along
And Hope Your A Good Guess.
When Your ready To Play Press Here

On pressing the mouse button on Dialog the virus displays the MessageBox:
Trying To Cheat??
Are You Trying To Cheat?? One More Attempt like That And it's Over

On pressing "HERE" button the virus ask for a number from 1 till 10. On entering '5' the virus display the MessageBox:
Your A Winner
Good Guess, It's All Yours

In any other case the virus sets the password to current documents and exits Windows.

Check other viruses! Be aware! Use Antiviral Software

Jd Family

Description Jd Family

These are memory resident parasitic viruses. They copy themselves to the system memory at the address 0043:0100, hook INT 21h and write themselves to the end of COM files that are executed or opened.
Some of these viruses detect their already installed TSR copy with "Are you here?" call (INT 21h, AX=3FFFh), the TSR part returns 4A44h ('JD') in AX register.
Sometimes "Jd.448,460" delete the files instead of opening them.

JDC family

Description JDC family

These are nonmemory resident polymorphic parasitic viruses. They search for COM and EXE files in current and parent directories, then for the COMMAND.COM file and write themselves to the end of the file. While infecting files packed with PKLite the viruses patch PKLite entry code and write "JMP Virus" instruction into the middle of PKLite code.
The viruses use two levels of polymorphic encryption as well as anti-debugging tricks based on i386 features. Under debugger they display the message:
This program requires 80386 or better.

The viruses also contain the text strings:
A JDC PRODUCTION
~~TEMP~~.TMP
If you want to contact us, call:
809-5100 and 809-5031

JDC.6891
It is a very dangerous virus. On Thursday 13th it erases the hard drive and floppy disks sectors. On April 1st it overwrites the MBR of the hard drive with a program that displays on loading:
VI(RUS)
Insert system disk in drive C: and
press enter or space.

The virus also contains the text in Russian and in English:
This program is incompotible with PC-DOSall
MCS 1994
=========================================
.xXXxQEE.D-VersionxXXx...................
Designed for ---[ ]/[ Z / ]---(R)
Internal revision: 005
-----------------------------------------
Copyright (c) 1997 John Darland Computing
QEE (c) 1996-97 JDC
-----------------------------------------
This is D-VERSION!!! (Pre-release)
=========================================
WiNDOWS '95 - ONLY FOR L·A·M·E·R·S
=========================================
[JDC] [JDC] [JDC] [JDC] [JDC] [JDC] [JDC]
=========================================
===[ Messages ]========================================
To Antivirus creators:
"Please name this virus QEE.DVersion"
===[ T·H·E E·N·D ]====================================
*.CoM *.eXe .. COMSPEC=
---[ QEE 1.42 ]-[ Quantum Encryption Engine, Copyright (c) 1996-97 JDC ]---

JDC.7616
It is not a dangerous virus. Depending on the system date and time the virus displays a picture containing the texts:
You have a VIRUS now
Press any key to continue
This program created special for ]/[ 2 /
Copr (c) 1997 JD

The virus also contains the text strings:
Sorry, there is a small error: this program
is incompotible with PC-DOS... :(
=========================================
.xXXxQEE.JV.Dr.WebxXXx...................
Designed for ---[ ]/[ Z / ]---(R)
Internal revision 004
-----------------------------------------
Copyright (c) 1997 John Darland Computing
QEE (c) 1996-97 JDC
=========================================
WiNDOWS '95 - ONLY FOR L·A·M·E·R·S
=========================================
[JDC] [JDC] [JDC] [JDC] [JDC] [JDC] [JDC]
=========================================
===[ Future ]==========================================
You will see in next version:
- 2 new encryptors:
- RCG (Random Code Generator) [10% done]
- TTT (The Time Tracer) [ 0% done]
- More cool Windows'95 halter [ 0% done]
Possibly:
- Int 21h tracing
===[ Messages ]========================================
To Antivirus creators:
"Please name this virus QEE.JV.DrWeb or QEE.JV.Anti95
or, in other case, QEE.AntiWin95. It is only first
virus from large family"
===[ Thanks ]==========================================
To: HR ( JDC ), VD (S&K, VI), DP (xxx), PP (xxx),
DZ ( P), ID ( P) and others...
===[ T·H·E E·N·D ]====================================
COMSPEC=C:COMMAND.COM
[ QEE 1.41 ]-[ Quantum Encryption Engine, Copyright (c) 1996-97 JDC ]---

Home