Virus Database

Macro.Word97.Spooky

Description Macro.Word97.Spooky

This macro-virus contains one macro Document_Close, and spreads on document closing.
While infecting the global macros area (NORMAL.DOT), the virus appends to the end of its code the additional information about the current user: system date and time, UserName and UserAddress. On the1st of each month, the virus saves this information to the HSF.SYS file (where "number" is a randomly generated number), then sends this file by FTP client under "user anonymous" to the incoming directory on the ftp server with the address 209.201.88.110. It seems that this address can be accessed by the virus writer that will get information about the speed of virus spreading.
The virus code contains the ID-strings:
<- this is a marker!
Logfile -->

Spooky.d (Caligula)
On the 1st run on a computer, the virus searches on the disk for a SECRING.SKR file containing PGP private keys. Then it sends this file by FTP client under "user anonymous" to the incoming directory on the ftp server with the address 209.201.88.110.
On the 1st of each month, the virus displays the message:
WM97/Caligula (c) Opic [CodeBreakers 1998]
No cia,
No nsa,
No satellite,
Could map our veins.

The virus also changes Summary Info of documents:
Author Opic
Title WM97/Caligula Infection
Subject A Study In Espionage Enabled Viruses.
Comments The Best Security Is Knowing The Other Guy Hasn't Got Any.
Keywords Caligula, Opic, CodeBreakers

Check other viruses! Be aware! Use Antiviral Software

Macro.Excel97.Papa.a

Description Macro.Excel97.Papa.a

This macro virus is based on the code of Word macro virus "Melissa" . The virus replicates under Excel97, but it does not infect other workbooks. Instead of this the worm sends own copies in Email messages by using MS Outlook. Because of its infection method, this is much more worm than ordinary macro virus.
The worm code contains one procedure Workbook_Open in module ThisDocument that automatically runs on opening workbook. To send its copies via email the virus uses VisualBasic abilities to activate other MS Windows applications and use their routines: the virus gets access to MS Outlook (if it is installed on the computer) and calls its functions. The virus gets from each Outlook address list of up to sixty addresses and sends to them a new message.
This massage has:
The subject: "Fwd: Workbook from all.net and Fred Cohen".
Message body: "Urgent info inside. Disregard macro warning."
The message also has attached workbook - it is current (worm's) workbook, and it is infected.
Depending on the system random counter (in one case from 3) the worm floods either web site "Fred Cohen & Associates" or site with IP address 24.1.84.100.

Macro.Excel97.Phantom

Description Macro.Excel97.Phantom

This is a stealth Excel97 macro-virus. It infects Excel97 spreadsheets (XLS-files). The virus contains two modules: ArtiLife and Replicator. The ArtiLife module contains the auto-function "auto_open". When an infected sheet is opened, the "auto_open" function takes control, infects Excel and sets the DeliverPayload function on execution at 16:00:00. While infecting Excel, the virus creates the infected ~XL.XLA in the Excel Start-up Path directory.
The virus is quite an unusual for macro-viruses: it has a parasitic-virus-like stealth mechanism - the virus removes its modules from sheets upon opening them and infects them again upon closing.
The DeliverPayload that is executed at 16:00 outputs the texts to the StatusBar:
The Phantom
Is watching you!
Beware!

Home