Virus Database

Macro.Word97.ZMK.J

Description Macro.Word97.ZMK.J

Analysis by and (c) Paolo Monti
This macro-virus was written in VBA (Visual Basic for Applications) for MS Word 8.0 (Office 97). It contains very dangerous payloads, and it displays message and dialogue boxes concerning the World Cup Soccer Championship France 98. The VBA project of the virus contains one form named Pronostic and a module implementing 8 different macros:
AutoExec: calls the macro Pronostique or WC98Payload (see below).
AutoOpen: infects the global template and displays a messagebox.
FileSaveAs: infects new documents, saving them as templates, and displays a messagebox.
FileTemplates: displays a messagebox.
Pronostique: displays a dialogue box where the user is forced to make a choice, and implements a number of different payloads.
ToolsMacro: displays a messagebox,
ViewVBCode: shows the MS Word Assistant displaying a message,
WC98Payload: modifies the contents of an active document.
The following instructions can be found at the beginning of all macros:
Disable the possibility to interrupt macro execution
Enable the execution of automatic macros
Disable the antivirus protection built in Ms Word
Disable the confirmation for the global template saving, usually asked before exiting from the program.
The automatic macro AutoExec, executed at the startup of MS Word or when a general template is loaded, gets the current system date and time. If the day number is 12 or the seconds of the system clock are at 12, the AutoExec macro calls the macro Pronostique or the macro WC98Payload. The choice between the two macros is applied randomly. Each has a 50% probability to be called from AutoExec macro.
The macro Pronostique displays a dialogue box on the screen (the form Pronostic) by which the user is asked to choose among 9 different teams partecipating in the France 98 Championship. If the user chooses the same team selected randomly by the virus, a messagebox of congratulations is displayed on the screen, then the virus goes into an endless loop showing a message in the status bar. Otherwise, the virus applies a randomly selected payload. With a probability of 40%, the virus appends the following lines to the file C:AUTOEXEC.BAT:
cls
Echo La coupe du monde 98 c'est gÊnial!!!!
Echo y|Format c: /u /v:WorldCup98
Echo o|Format c: /u /v:WorldCup98

27% of the time, the virus tries to delete all files in the directories C:DOS and C:WINDOWSCOMMAND and the files C:MSDOS.SYS and C:IO.SYS.
In the remaining cases, the virus modifies the text of the active document and prints it.
The macro WC98Payload creates in the active document a WordArt object, applies to it a number of rotation effects, and then erases it.
Inside the project of the virus there are some messages in French:
"VIVE LA COUPE DU MONDE 98!!!!"
"Vive le football!!!, Vive la Coupe du Monde 98!!!"


AVP detects/disinfects this virus since weekly update 980706

Check other viruses! Be aware! Use Antiviral Software

Kusumah.3968

Description Kusumah.3968

This is relatively harmless memory resident encrypted parasitic virus. It hooks INT 8 and 21h, and writes itself to the end of COM and EXE files that are accessed. The virus searches for "COMMAND.COM" files, and infects them upon each accessing to executable files.
Some time after installation, the virus displays the following message:
Moslem Power Never End.(P) KuSuMaH'S ElEkTrO UnJaNi
On Fridays virus creates "GERILYA.COM" file and writes the program there. While executing, this program displays:
Gerilyawan Elektro UNJANI Bdg-Cmh. (C) KuSuMaH'S.
The virus sets new volume labels on floppy disks:
KUSUMAH S
The virus also contains the text string:
KUSUMAH S ) UNJANI, Bandung

Kvapavka.879

Description Kvapavka.879

It is not a dangerous memory resident encrypted parasitic virus. It hooks INT 21h and writes itself to the end of COM files that are executed. On 27 of any month the virus displays the message:
Kvapavka by SH-Software (c) 1995 v 1.2

The virus also contains the text strings:
I`love PC Revue ! I'NEED JOB !.*.COM Infector.>><<
Fuck of SPS Brezno.VIVAT Z./n.HronomFor M.Trnka SHSJ

Home