Nexiv_Der.3886
Description Nexiv_Der.3886
It is a very dangerous memory-resident polymorphic multipartite virus. It infects disk boot sectors and COM files only. The virus code is polymorphic in files as well as in boot sectors. When an infected file is executed, the virus infects the first boot sector of the hard drive and returns to DOS. When loading from an infected sector, the virus hooks INT 13h, waits for the DOS loading procedure, hooks INT 21h, and then infects COM files that are executed and boot sectors of floppy disks that are accessed. When loading from an infected floppy disk, the virus also infects the first boot sector of the hard drive.
The virus uses a quite complex routine to infect COM files. It reads 20h bytes from the file header, checks that the file is in COM format, hooks INT 3h and INT 13h (a second INT 13h handler), and returns control to the original INT 21h code. While disk files are read through INT 13h, the virus compares the data being read with these 20h bytes of the file header and waits for the moment when DOS loads the file into system memory to execute it. The virus then patches the first byte of the data buffer with the CCh code (call to INT 3) and continues INT 13h. As a result, when that file is loaded into system memory, the first command executed is a call to INT 3. The virus intercepts that call, restores the original byte that was patched with the CCh code, then hooks INT 1 (tracing) and traces the file. While tracing, the virus skips 256 or more instructions, then waits for a JMP or CALL instruction and overwrites that JMP/CALL with JMP_to_virus code. The virus then encrypts itself and saves itself to the end of the file. As a result, the virus writes the JMP_to_virus code into the middle of the file, and the file header is not modified. The virus checks different conditions while infecting files to prevent corruption, but it may still corrupt files while infecting them.
While infecting the hard drive, the virus destroys the C: drive system date if the hard drive contains 20 or fewer sectors per track. The virus does not manifest itself in any other way. It contains the text string: Nexiv_Der takes on your files
Macro.Word.Kiffer
Description Macro.Word.Kiffer
This is a German-specific Word macro virus. It contains six macros; some macros have randomly selected names:
Documents            MICROSOFT.DOT (infected Word)
<random>             dateispeichernunter
extrasmakro          extrasmakro
dateischliexen       <random>
dateidokvorlagen     dateidokvorlagen
<random>             <random>
autoopen             <random>
It infects the system on opening and on closing an infected document. To affect Word, the virus creates the infected MICROSOFT.DOT template in the Word startup path. Documents get infected when saved with a new name. The infection routine is placed in a macro with a random name. This macro is encrypted in documents and is decrypted when needed. The random macro names are stored in document variables in the case of infected documents; in the case of the MICROSOFT.DOT file (infected system) they are stored in the WIN.INI file, in the section [embedding], in the items vxdRNDM, TaskRNDM, SystemRNDM. On the 30th of any month the virus displays the message: Leeglize Cannabis !! R.M.M (C) by MaD KiFFeR 05.09.98
On the 15th the virus appends to the AUTOEXEC.BAT file the commands that cyclically display the text: Infected with RnDm MuTanT MuTaGeN (c) MaD KiFFeR 05.09.98
The virus contains the comments:
***********************************
* WM RnDm MuTaNt MuTaGeN *
* vers Beta *
* Polymorphism/Stealth *
* encrypted by RMEG *
*Random Macro Encryption Generator*
* fools F/WIN32 1.13, F/WIN 4.38 *
* Winguard, F-PROT3/F-MacroW1.1 *
* etc.!! *
* only works with WORD95ger *
* F**k slow WordBasic *
* special Thanx to [SLAM] Mag *
* 05.09.98 /Germany *
* (c)by MaD KiFFer *
***********************************
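A check for the system traces this entry describes (the three items in the [embedding] section of WIN.INI and a MICROSOFT.DOT template in the Word startup path), as an added example that is not part of the original description. The function names, the sample WIN.INI text, the item values and the startup path are constructed for illustration, and the item names are matched literally as the description gives them.

```python
import ntpath

# Item names exactly as the description gives them; matched case-insensitively
# because Windows profile lookups ignore case.
KIFFER_ITEMS = ("vxdRNDM", "TaskRNDM", "SystemRNDM")
KIFFER_TEMPLATE = "MICROSOFT.DOT"

# Constructed sample data (not taken from a real system).
SAMPLE_WIN_INI = """\
; constructed WIN.INI fragment
[windows]
load=
[Embedding]
SoundRec=Sound,Sound,SoundRec.exe,picture
vxdRNDM=QKZPT
taskrndm=HWBXA
"""
SAMPLE_STARTUP = [r"C:\MSOFFICE\WINWORD\STARTUP\MICROSOFT.DOT",
                  r"C:\MSOFFICE\WINWORD\STARTUP\LABELS.DOT"]

def parse_ini(text):
    """Parse WIN.INI-style text into {section_lower: {key_lower: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
    return sections

def kiffer_traces(win_ini_text, startup_files):
    """Return a list of findings matching the traces described in the entry."""
    findings = []
    embedding = parse_ini(win_ini_text).get("embedding", {})
    for item in KIFFER_ITEMS:
        if item.lower() in embedding:
            findings.append(f"WIN.INI [embedding] {item}={embedding[item.lower()]}")
    for path in startup_files:
        if ntpath.basename(path).upper() == KIFFER_TEMPLATE:
            findings.append(f"startup template {path}")
    return findings

if __name__ == "__main__":
    for finding in kiffer_traces(SAMPLE_WIN_INI, SAMPLE_STARTUP):
        print(finding)
```

A MICROSOFT.DOT file or a single matching item is a lead to investigate rather than proof of infection; the findings are meant to be reviewed together.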
Macro.Word.KillDLL
Description Macro.Word.KillDLL
This is a very dangerous virus. It contains only one macro: AutoOpen. On opening a file the virus infects the system, if the file is infected. Otherwise the virus infects this file. The virus then deletes all *.D?? files in the C:\WINDOWS\SYSTEM directory.