Virus Database

Mirror viruses

Description Mirror viruses

Mirror.482
This is a very dangerous memory resident parasitic virus. It hooks INT 21h, and writes itself to the end of every third .COM file that is executed. This infector alters 4 bytes of the header (JMP Loc_Virus, DB 17h - ID-byte). Upon the 1000th INT 21h call, the virus "flips" the screen (up <-> down, right <-> left), and overwrites the MBR of the hard drive with a program that reboots the computer while loading (JMP FAR F000:FFF0).
The virus performs strange manipulations with the memory while creating its TSR copy (it is possible that there is a corrupted virus strain).
Mirror.924
This is a benign memory resident parasitic virus. It hooks INT 21h, and writes itself to the end of .EXE files that are accessed. Upon the 10th starting of an infected file, the virus turns the screen from left to right.
Mirror.1056
This is a benign memory resident parasitic virus. It hooks INT 21h, and writes itself to the end of EXE files that are executed. In March, it also hooks INT 8 and some time after, it changes the active video font (EGA/VGA cards).

Check other viruses! Be aware! Use Antiviral Software

Macro.Word.Color (Rainbow, Color Changer)

Description Macro.Word.Color (Rainbow, Color Changer)

This is encrypted virus, it contains the macros:
macros, FileNew, AutoExec, AutoOpen, FileExit,
FileSave, AutoClose, FileSaveAs, ToolsMacro

This virus infects the files while creating of new document (FileNew) and while saving the document with new name (FileSaveAs).
On each 300th call to the file functions (FileNew, AutoOpen, FileExit, FileSave, AutoClose, FileSaveAs and ToolsMacro) the virus alters the section [colors] in the WIN.INI file, and sets the random selected colors for Windows components. New colors appear after next Windows loading. The virus keeps the trigger counter in the WIN.INI file in the [windows] section:
[windows]
countersu= 234

The virus allows executing of Auto-macros (AutoOpen, AutoClose and so on), it sets DisableAutoMacros to zero.
When the virus is active, it is impossible to activate Tools/Macro command. To manual disinfection it is necessary to delete virus' macros by using Organizer (Tools/Customize, Word command, then draw Organizer out to toolbar).

Macro.Word.Concept

Description Macro.Word.Concept

This is the first WinWord virus found "in the wild". The virus contains five macros: AAAZAO, AAAZFS, AutoOpen, PayLoad, FileSaveAs. It infects the files that are SaveAs'ed (FileSaveAs).
There are the text strings in the infected document:
see if we're already installed
iWW6IInstance
AAAZFS
AAAZAO
That's enough to prove my point

and other. The WINWORD6.INI on infected system contains the file:
WW6I= 1

On the first execution of the virus code (i.e. on the first opening of the infected file) the MessageBox appears with digit "1" inside, and "Ok" button.
Macro.Word.Concept.e
This virus contains four macros: Load, AAAZAO, AAAZFS, AutoOpen.
Macro.Word.Concept.f
This is an ancrypted virus. It contains seven macros: K, a678, PARA, SITE, I8U9Y13, PayLoad, AutoOpen.
Macro.Word.Concept.ab
This virus contains three macros:
Documents NORMAL.DOT
MSConcept MSConcept
sAevaSeliF FileSaveAs
AutoOpen nepOotuA

It contains the comments:
Presenting The Microsoft Concept Virus.
Updated by Pyro [VBB] (Author of Word97.NightShade)

Macro.Word.Concept.s
This is Japanese version of standard "Concept", it contains the same set of macros: AAAZAO, AAAZFS, AutoOpen, PayLoad.

Home