Virus Database

Macro.Word97.Metamorph

Description Macro.Word97.Metamorph

It is a stealth macro virus. It contains five functions in documents in the one module "Metamorph": AutoOpen, FileTemplatesTemp, ToolsMacroTemp, ViewVBCodeTemp, AutoExecTemp. In the NORMAL.DOT the virus contains six functions in one random named module: FileSaveAs, AutoOpenTemp, FileTemplates, ToolsMacro, ViewVBCode, AutoExec. The name of this module is saved in the METAMORPH.INI file in section [Infected] in line Reponse.
The virus infects the global macros area on opening an infected document. Other documents get infection on saving with new name (FileSaveAs). The code of virus is different in documents and NORMAL.DOT - the virus modifies it while copying itself into the system. It creates new infection function FileSaveAs and stealth-functions ToolsMacro and ViewVBCode. While infecting documents the virus imports its original code from the C:METAPH.LOG which is created when the virus infects the system.
When Word starts the virus changes the names of menu items "File", "Edit", "View", "Format" with their french variants. Depending on the system date and time the virus displays the MessageBoxes:
Virus Metamorph
Attention, j'ai contaminé votre ordinateurall
Virus metamorph
Il est
L'heure de metamorph
Virus Metamorph
Au revoir...
Virus Metamorph
Poufffff!!!!!!

On displaying the last MessageBoxes the virus erases the files:
C:WindowsSystem*.*
C:WindowsCommand*.*
C:Windows*.Com
C:Dos*.*

Check other viruses! Be aware! Use Antiviral Software

Exploit.Applet.ActiveXComponent

Description Exploit.Applet.ActiveXComponent

Exploits a security breach in MS Internet Explorer and Outlook - (com.ms.activeX.ActiveXComponent security vulnerability).
This security flaw gives remote scripts and HTML pages access to any ActiveX control, which is installed on a victim's computer. The remote script can gain full control of a victim's computer, including the ability to read and write files on hard disks.
Trojan programs like JS.Trojan.Seeker and JS.Trojan.Fav use this vulnerability to modify a browser's start and search pages and to add links to the "Favorites" folder of Internet Explorer.
The Microsoft company released a patch that removes the com.ms.activeX.ActiveXComponent security vulnerability. We recommend visiting http://support.microsoft.com/support/kb/articles/Q275/6/09.ASP and installing this patch.

Exploit.CodeBaseExec

Description Exploit.CodeBaseExec

The suspicious message "Exploit.CodeBaseExec" means that HTML page being scanned contains code exploiting the Microsoft Internet Explorer Arbitrary Program Execution Vulnerability, aka the Local Executable Invocation via Object tag vulnerability.
Microsoft Internet Explorer 5.01, 5.5 and 6.0 treat objects invoked on an HTML page with the codebase property as part of the Local Computer zone, which allows remote attacks to invoke executables present on the local system through objects such as the popup object.
Vulnerability IDs:
bugtraq id: 3867
cve: CAN-2002-0077
More information on this vulnerability can be found at the following links:
http://www.microsoft.com/technet/security/bulletin/ms02-015.asp?frame=true#CVE-CAN-2002-007
http://online.securityfocus.com/cgi-bin/vulns-item.pl?section=info&id=3867
Microsoft released a patch on March 28, 2002 that eliminates this vulnerability in Internet Explorer. To download this patch go to the following link: http://www.microsoft.com/windows/ie/downloads/critical/Q319182/default.asp

Home