Virus Database

Macro.Word97.Mutalisk

Description Macro.Word97.Mutalisk

This stealth polymorphic macro virus contains ten procedures in one module "ThisDocument": autoopen, autonew, viewvbcode, toolsmacro, filetemplates, and three macros with randomly generated names.
The virus infects the global macros area on opening an infected document (AutoOpen). Other documents get infection on their opening and creating. While infecting the virus turns off the Word virus protection (the VirusProtection option). Then the virus searches on the C: drive for AVP, F-PROT95, F-Macro, McAfee Virus Scan, Norton AntiVirus, TBAVW95 and some other anti-viruses and deletes their files.
If mIRC client is installed in the "C:MIRC" folder, the virus stores just opened or created document as "C:MIRCBACKUPY2K.DOC" and deletes mIRC default script (file SCRIPT.INI, it is executes every time mIRC client starts). The virus then tries to create a new SCRIPT.INI to spread itself via IRC channels, but in result of a mistake this does not happens.
On document open the virus opens the Visual Basic Editor window. On creating a document it closes Visual Basic Editor window if it is open. On pressing Alt-F11 combination (show Visual Basic Editor command) the virus clear first code module in active document and first one in global macros area (what contains virus code) and only after that makes Visual Basic Editor window visible.
The virus polymorphic engine replaces names of some procedures and inserts random generated comments into virus code. In result of a bug sometimes the engine produces the code that does not work.

Check other viruses! Be aware! Use Antiviral Software

Arianna.3426

Description Arianna.3426

This is a memory resident multipartite, encrypted and stealth virus. While executing an infected file it infects the MBR of the hard drive. While loading from infected MBR it hooks INT 1Ch, waits for DOS loading, then hooks INT 13h for stealth algorithm while accessing to infected MBR, and INT 21h to infects the files. It writes itself to the end of EXE files that are accessed. When an infected file is opened, the virus disinfects it.
Sometimes the viruses manifest themselves with a video effect and erase the original MBR sector (not first hard drive sector, but the sector containing the original MBR that was saved while infecting a disk). The viruses contain the text strings:
Coded in BARI ThanX to DOS UNDOCUMENTED
Check the code to discover the virus name
It is very easy ! Bye !!

ArjDropper.402

Description ArjDropper.402

It is a harmless nonmemory resident virus-worm 402 bytes of length. When an infected file is executed, the virus searches for ARJ archives and appends its copy to archives that are found. The virus copy in archives is stored in format of ARJ data and has the filename RUNME.COM. This RUNME.COM file contains a copy of the virus, and being extracted from infected archive it may spread the virus code to other archives. The virus contains the text strings:
*.ARJ
ARJDrop by Qark/VLAD
RUNME.COM

Home