MPHTI Family
Description MPHTI Family
These are very dangerous viruses. They infect the boot sectors of hard and floppy disks. The viruses save the original boot sector of the infected disk to the sector next to the last one of the root directory. Depending on their internal counters, the viruses can destroy information on the first 8 tracks of all accessible disks. The viruses hook INT 13h and contain the text "1991,MFTI" in Cyrillic encoding (MFTI - Moscow college).
Macro.Word97.Redter
Description Macro.Word97.Redter
This is a non-polymorphic Word virus. The virus resides in the RedTerrorist module. It has seven subroutines:

AutoOpen
AutoClose
FuckThemAll
ToolsMacro
ToolsCustomize
ViewVBCode
Delay

The virus replicates when a document is opened or closed.

AutoOpen, AutoClose: These procedures only call the main infection routine of the virus, which is in the FuckThemAll routine.

Delay: This macro causes the system to pause before a message window is shown.

    For i = 0 To 19170000
    Next

FuckThemAll: Main virus routine. It checks the system parameter 'Country' and, if this is 'US', runs the command shell:

    "c:command.com C echo y | del " + Environ("windir") + "system*.* > nul"

After that the virus sets the following parameters:

    .SaveNormalPrompt = False
    .VirusProtection = False
    .AllowFastSave = True
    .BackgroundSave = True

The virus checks for the presence of the 'RedTerrorist' module in the active document (or normal.dot), so repeated infection will not occur. If the module is not found, the virus creates an export file 'user.vxd' in the %windir%\%temp% directory and infects the document. After that the virus removes the export file 'user.vxd'.

ToolsCustomize, ToolsMacro, ViewVBCode: These three routines are used for stealth; when executed they call the Delay routine and display message boxes:

ToolsMacro: Top level process aborted, cannot continue
ToolsCustomize: Configuration too large for memory
ViewVBCode: Error in EXE file, program too big to fit in memory
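The traits listed in this entry (auto-run procedures, procedures named after Word's own menu commands, and the disabled macro warning) can be checked for in macro source that has already been exported to text. The following triage sketch is an added example, not code from the original page; the function names and the sample module are constructed for illustration, and the checks are heuristic.

```python
import re

# Indicators taken from the Macro.Word97.Redter description above.
AUTO_MACROS = {"autoopen", "autoclose"}
STEALTH_HANDLERS = {"toolsmacro", "toolscustomize", "viewvbcode"}
WEAKENED_OPTIONS = {"virusprotection": "false", "savenormalprompt": "false"}
SUB_RE = re.compile(r"^\s*(?:public\s+|private\s+)?sub\s+(\w+)", re.I | re.M)
ASSIGN_RE = re.compile(r"\.(\w+)\s*=\s*(\w+)")


def strip_comments(source):
    """Drop VBA comments (' to end of line) so commented-out text is not scored."""
    out = []
    for line in source.splitlines():
        in_string = False
        for i, ch in enumerate(line):
            if ch == '"':
                in_string = not in_string
            elif ch == "'" and not in_string:
                line = line[:i]
                break
        out.append(line)
    return "\n".join(out)


def triage_module(source):
    """Return a list of findings for one exported VBA module (heuristic)."""
    code = strip_comments(source)
    subs = {name.lower() for name in SUB_RE.findall(code)}
    findings = []
    if subs & AUTO_MACROS:
        findings.append("auto-exec: " + ", ".join(sorted(subs & AUTO_MACROS)))
    if subs & STEALTH_HANDLERS:
        findings.append("menu-override: " + ", ".join(sorted(subs & STEALTH_HANDLERS)))
    for option, value in ASSIGN_RE.findall(code):
        if WEAKENED_OPTIONS.get(option.lower()) == value.lower():
            findings.append("option-weakened: " + option)
    return findings


# Constructed sample (harmless), shaped like the module described above.
SAMPLE = '''Sub AutoOpen()
    Options.VirusProtection = False
    Options.SaveNormalPrompt = False
End Sub
Sub ToolsMacro()
    MsgBox "Top level process aborted, cannot continue"
End Sub
' Sub ViewVBCode() is only mentioned in this comment
'''
```

Any single finding is weak evidence on its own; a module that combines an auto-run procedure with a menu override and a disabled macro warning is the combination worth escalating.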
Macro.Word97.Reformasi
Description Macro.Word97.Reformasi
This is a stealth macro virus. It infects the global macros area (NORMAL.DOT template) when an infected document is opened. Other documents get infected when they are opened, closed or saved. While infecting a document, the virus adds an AutoCorrect entry to the document that replaces the text "yond" with a space character. Before saving victim documents, the virus sets the hidden property for the whole text in the document, and clears this property when the document is opened. As a result, in disinfected documents, the whole text will be invisible. One way to solve this problem is to check the "View/Formatting marks/Hidden text [v]" checkbox in the "Tools/Options" dialog box. Another way to make the text visible is to choose the menu command "Edit/Select All", then uncheck the "Effects/Hidden [ ]" checkbox in the "Format/Fontall" dialog box. To hide itself, the virus disables the keys Alt+F11 and Alt+F8, and blocks opening of the Visual Basic Editor and of the ToolsMacro and Organizer dialog boxes. The virus displays a non-standard dialog when "Help/About Microsoft Word" is clicked. The virus displays two other dialogs when the "File/Exit" menu is chosen, if the day of the week is Friday.