Virus Database

Macro.Word97.Redter

Description Macro.Word97.Redter

This is a non-polymorphic Word virus. The virus resides in the RedTerrorist module.
It has seven subroutines:
AutoOpen
AutoClose
FuckThemAll
ToolsMacro
ToolsCustomize
ViewVBCode
Delay
The virus replicates when a document is opened or closed.
AutoOpen, AutoClose:
These procedures only call the main infection routine of the virus, which is in the FuckThemAll routine.
Delay:
This macro causes the system to pause before a message window is shown.
For i = 0 To 19170000
Next
FuckThemAll:
Main virus routine. Checks system parameter 'Country' and if this is 'US' , it then then runs the command shell:
"c:command.com C echo y | del " + Environ("windir") + "system*.* > nul"
After that the virus sets the following parameters:
.SaveNormalPrompt = False
.VirusProtection = False
.AllowFastSave = True
.BackgroundSave = True
The virus checks for the presence in the active document (or normal.dot) of the 'RedTerrorist' module. Repeated infection will not occur. If the module is not found, the virus creates an export file 'user.vxd' in %windir%\%temp% catalogue and infects the document. After that the virus removes the export file 'user.vxd'
ToolsCustomize, ToolsMacro, ViewVBCode:
These three routines are used for stealth; when executed they call the Delay routine and display Message Boxes:
ToolsMacro:
Top level process aborted, cannot continue
ToolsCustomize
Configuration too large for memory
ViewVBCode
Error in EXE file, program too big to fit in memory

Check other viruses! Be aware! Use Antiviral Software

Int10 Family

Description Int10 Family

These are not dangerous memory resident boot viruses. They hook INT 10h, 13h and 1Ch. Int 10h is used for INT 13h interception, INT 1Ch - for trigger routine, INT 13h - for infection. They hit MBR of hard drive and boot-sectors of floppy-disks. The viruses encrypt original sector before saving it. Sometimes they call some video effect.

Int12

Description Int12

It is a harmless memory resident boot virus. The virus infects the boot sector of floppy disks and first boot sector of the C: drive. While infecting a boot sector the virus searches for the string "non-system disk" (any-cased) in there, and replaces the following texts with the virus installation code (40 bytes). Then the virus writes its main code to the last sector on the disk.
While loading from an infected disk the virus installation code reads the main virus code and jumps to there. Then the virus hooks INT 12h, waits for DOS loading process, then hooks INT 13h and infects the disk boot sectors that are accessed.
The virus contains the encrypted text strings:
LOVE
non-system disk

Home