Macro.Word97.Sebelas
Description Macro.Word97.Sebelas
This is a stealth macro virus. It contains eighteen procedures in one module, "xSebelas": xSebelasInit, AntiMakro, DisplayPath4, Mcopy, ShowForm, FileOpen, AutoOpen, ViewVBCode, AutoExec, AutoExit, ToolsMacro, FileTemplates, FormatStyle, ReFresh, AutoClose, FileExit, ToolsOptions, and HelpAbout. The virus infects the global macros area when an infected document is opened (AutoOpen), and infects other documents when they are opened and closed (AutoOpen and AutoClose). Upon exiting MS Word, the virus also creates two infected documents in the MS Word start-up directory, named BIOS.VXD and WINSSPI.DOT. The virus turns off the Word virus protection (the VirusProtection option), hides the Tools/Macro menu (stealth), and blocks the opening of the Visual Basic editor.

Upon opening any document, the virus checks the system date and displays the following messages:
on February 4th: eX-Sebelas release 3.9 'Met ulang tahun Natalie Imbruglia !
on November 1st: eX-Sebelas release 3.9 'Met ulang tahun Erry Delphiero !
on October 7th: eX-Sebelas release 3.9 'Met ulang tahun DaNnY DeSPiRo !
On the 11th of every month starting from April 11, 1999, the virus sets the font color of the whole text in a document to white (hiding the text, white on white), and then inserts the following text, in black, at the end of the document: Viva eX-SeBeLaS !
Starting from April 11, 1999, the virus displays a dialogue window with a picture every 30 minutes. The same dialogue window is displayed upon entering the Help/About menu. Also starting from April 11, 1999, upon exiting MS Word, the virus renames the AUTOEXEC.BAT file to XSEBELAS.BAT and creates a new AUTOEXEC.BAT file that calls the original program (stored in XSEBELAS.BAT) and then displays the text:

+--------------------------------------------------------------------+
| eX-SeBeLaS release 3.9 |
| [ special dedicated to Natalie 'Jane' Imbruglia ] |
|--------------------------------------------------------------------|
| DaNnY DeSPiRo : |
| Salam saya buat anak-anak SMAN 11 Bandung, Analisis Kimia - UNPAD, |
| Delapan Makhluk Cute (DMC), QLas (KIR SMUN 11 Bandung), 'truz buat |
| Jihan Fahira (kapan kamu mampir ke rumah lagi ? e-mail saya dong), |
| teman-teman saya di alam fana ini dan spesial buat cewek lucu yang |
| mirip Natalie Imbruglia all [despiro@hotmail.com] |
|--------------------------------------------------------------------|
| ErRy DeLPhIeRo : |
| BuAT aNAk-AnAk AMIK-SuKapURa TSM, AMIK-BaNDuNg, DJEPROETH '95, 'en |
| BaRuDaK TeAtEr NuAnSa, BuAt GadSam '95 : DoNt FoRgEt Me ... E-MaiL |
| GuE YaCh ... Buat ANaK-aNAk 'ACC', Buat GaDiS-GaDIs YaNG CaRe 'en |
| MaU KeNAlaN AMa ErRy di TuNGgU LHo e-maiLnyA, 'en SpECiaL SmILe To |
| LuTju GiRl NaTaLiE ImBrUgLiA ! [delphiero@hotmail.com] |
|--------------------------------------------------------------------|
| ... sorry for sending you a virus (maybe more than one), we just - |
| want to prove to ourselves that virus programming is very fun ... |
+--------------------------------------------------------------------+
DirII.1024.a
Description DirII.1024.a
This is a dangerous memory-resident stealth virus. It infects COM and EXE files during read/write operations on the directory sectors that contain information about these files. The virus places its body into the last cluster of the infected logical disk and marks this cluster as the last in the file cluster chain. When the virus infects a file, it replaces only the number of the file's first cluster; the new number points to the body of the virus. So the virus does not change the contents or the size of the infected file, and there is only one copy of the virus on the disk. During initialization the virus penetrates the DOS kernel, modifies the address of the system disk driver and hooks all DOS calls to this driver. This virus uses a powerful stealth mechanism at the system driver level, which is why it is "invisible" when infected files are read with either INT 21h or INT 25h. This virus uses direct access to DOS resources and overcomes practically all anti-virus "shields". This virus spreads with great speed. If you try to load a file that cannot be found on the disks, DOS will look for it in all PATH directories and the virus will infect all the files in these directories. On its first start, this virus infects all files in the current directory of the C: drive.
DirII.1024.c
Description DirII.1024.c
This is a dangerous memory-resident stealth virus. It infects COM and EXE files during read/write operations on the directory sectors that contain information about these files. The virus places its body into the last cluster of the infected logical disk and marks this cluster as the last in the file cluster chain. When the virus infects a file, it replaces only the number of the file's first cluster; the new number points to the body of the virus. So the virus does not change the contents or the size of the infected file, and there is only one copy of the virus on the disk. During initialization the virus penetrates the DOS kernel, modifies the address of the system disk driver and hooks all DOS calls to this driver. This virus uses a powerful stealth mechanism at the system driver level, which is why it is "invisible" when infected files are read with either INT 21h or INT 25h. This virus uses direct access to DOS resources and overcomes practically all anti-virus "shields". This virus spreads with great speed. If you try to load a file that cannot be found on the disks, DOS will look for it in all PATH directories and the virus will infect all the files in these directories. On its first start, this virus infects all files in the current directory of the C: drive. It contains the text: For piratesall
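The trait described in the DirII.1024.a and DirII.1024.c entries above, many COM/EXE directory entries whose first-cluster number points at one and the same cluster, can be checked offline from raw directory sectors. The following is an added example, not part of the original descriptions: it parses 32-byte FAT directory entries and reports programs that share a first cluster. The sample directory, its file names and cluster numbers are constructed, and the function names are this example's own.

```python
import struct
from collections import defaultdict

ENTRY_SIZE = 32
ATTR_SKIP = 0x08 | 0x10   # volume label (also set in long-name entries) or subdirectory

def parse_dir_entries(raw):
    """Yield (name, first_cluster, size) for live file entries in raw FAT directory sectors."""
    for off in range(0, len(raw) - ENTRY_SIZE + 1, ENTRY_SIZE):
        entry = raw[off:off + ENTRY_SIZE]
        if entry[0] == 0x00:                      # end-of-directory marker
            break
        if entry[0] == 0xE5 or entry[11] & ATTR_SKIP:   # deleted, label or directory
            continue
        base = entry[0:8].decode("ascii", "replace").rstrip()
        ext = entry[8:11].decode("ascii", "replace").rstrip()
        first_cluster, size = struct.unpack_from("<HI", entry, 26)
        yield (f"{base}.{ext}" if ext else base), first_cluster, size

def shared_start_clusters(raw, exts=("COM", "EXE")):
    """Map first cluster -> names, for clusters claimed by two or more COM/EXE files."""
    owners = defaultdict(list)
    for name, cluster, _size in parse_dir_entries(raw):
        if name.rpartition(".")[2] in exts and cluster >= 2:   # 0 means empty file
            owners[cluster].append(name)
    return {c: names for c, names in owners.items() if len(names) > 1}

def make_entry(name, ext, cluster, size, attr=0x20):
    """Build one constructed 32-byte directory entry for the sample below."""
    return (name.ljust(8).encode() + ext.ljust(3).encode() + bytes([attr])
            + bytes(14) + struct.pack("<HI", cluster, size))

# Constructed sample directory: three programs share cluster 0x0B3F, sizes untouched.
SAMPLE_DIR = b"".join([
    make_entry("FORMAT", "COM", 0x0B3F, 22717),
    make_entry("README", "TXT", 0x0020, 1200),
    make_entry("EDIT", "EXE", 0x0B3F, 69886),
    make_entry("CHKDSK", "EXE", 0x0041, 12907),
    make_entry("XCOPY", "EXE", 0x0B3F, 15820),
]) + bytes(32)

if __name__ == "__main__":
    for cluster, names in shared_start_clusters(SAMPLE_DIR).items():
        print(f"cluster {cluster:#06x} is the first cluster of: {', '.join(names)}")
```

Because the virus hides itself while resident, the directory sectors should be read from a disk image taken on a clean system. Files that are genuinely cross-linked through file system damage are flagged as well.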