Niko.3477
Description Niko.3477
It is a very dangerous memory-resident parasitic virus. It traces and hooks INT 21h, hooks INT 3 (debugger), then stays memory resident and writes itself to the end of COM and EXE files that are executed or opened. The virus is stuffed with anti-debugging tricks that make up more than 50% of the virus code. Depending on the system timer, the virus corrupts data that is being saved to disk (DOS Write call, INT 21h, AH=40h). When a .AS* or .DB* file is created, the virus, depending on the system time, either corrupts it or creates a subdirectory with the same name. When any file is executed or opened, the virus calculates the CRC sum of its code, and if the CRC is not correct, the virus "shakes" the screen, decrypts and displays a message, and halts the computer. The message is: FUCK YOU
Under a debugger, or depending on the system time, the virus triggers the same effect but displays another message: No viruses
The virus also contains encrypted text strings in Russian, and: Oct(123,123,126) by one of student
Check other viruses! Be aware! Use Antiviral Software
Macro.Word.Printer
Description Macro.Word.Printer
This is an encrypted Word macro virus. It contains 5 macros in documents and 10 in NORMAL.DOT:
Documents    NORMAL.DOT
LPT1         FileOpen, LPT1
LPT2         FilePrint, LPT2
Canon        FileSaveAs, Canon
Epson        Epson, FileTemplates, ToolsMacro
AutoOpen     AutoOpen
The virus infects the global macros area (NORMAL.DOT) when an infected document is opened (AutoOpen) and writes itself to documents that are saved under a new name (FileSaveAs). On entering Tools/Macro, the virus displays a MessageBox: Weeee Weeee
When documents are printed, the virus writes the following message to the status line and draws it to the right: Know what Dwira Oktorianto is, before it is too late
Macro.Word.Prizm
Description Macro.Word.Prizm
This is an encrypted Word macro-virus. It contains nine macros: PRiZM, AutoExec, AutoOpen, FileOpen, FileSave, FilePrint, FileSaveAs, ToolsMacro, and FileTemplates. It is based on the "Word.Cap" virus and has a similar structure and instruction set. It replicates upon document opening, closing, and saving. While printing, the virus appends a string to the end of the document that is printed: Battle of life. Capital!!!
The virus has an unusual method of infection. While infecting, the virus performs several steps, uses the system registry, and drops an additional EXE file. The infection routine is stored in the virus code as a set of text strings that are DDE (Dynamic Data Exchange) instructions. When needed, the virus executes them, and these instructions copy the virus code to the target documents and templates. To execute its DDE instructions, the virus saves them to the system registry in the "HKEY_CLASSES_ROOT\###file\shell\open\ddeexec" key. The virus then registers a new extension "###", and sets DDEEXEC as the handler for files with that extension. The virus then creates a randomly named EXE file in the Windows temporary directory, and writes a short program into it. This program only creates and opens the "PRiZM.###" file. This file-name extension is linked with DDEEXEC, and as a result, Windows activates the virus's DDE instructions and executes them, and they copy the virus code to a victim file.
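A defender's view of the file-association trick described above, as an added example that is not code from the original page: it audits a text export of HKEY_CLASSES_ROOT for extensions whose open verb carries a ddeexec handler and reports those not on an allow-list. The sample export, the "###file" class name, the placeholder DDE string and the allow-list are constructed assumptions.

```python
import re

# Constructed sample: fragment of a .reg-style export of HKEY_CLASSES_ROOT.
# The ".###" / "###file" entries and the DDE strings are illustrative only.
SAMPLE_REG = r'''
[HKEY_CLASSES_ROOT\.doc]
@="Word.Document.8"
[HKEY_CLASSES_ROOT\Word.Document.8\shell\open\ddeexec]
@="[FileOpen(\"%1\")]"
[HKEY_CLASSES_ROOT\.###]
@="###file"
[HKEY_CLASSES_ROOT\###file\shell\open\ddeexec]
@="[PlaceholderDdeCommand]"
[HKEY_CLASSES_ROOT\.txt]
@="txtfile"
[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="notepad.exe %1"
'''

KEY_RE = re.compile(r'^\[HKEY_CLASSES_ROOT\\(.+)\]$')
DEFAULT_RE = re.compile(r'^@="(.*)"$')

def parse_defaults(reg_text):
    """Map each HKCR subkey (lower-cased) to its default value ('' if none)."""
    keys, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys[current] = ""
            continue
        m = DEFAULT_RE.match(line)
        if m and current is not None:
            keys[current] = m.group(1)
    return keys

def audit_ddeexec(reg_text, allowed_ext):
    """Return (extension, ProgID, DDE command) for each extension whose open
    verb has a ddeexec handler and which is not in allowed_ext."""
    keys = parse_defaults(reg_text)
    findings = []
    for key, progid in keys.items():
        if not key.startswith(".") or "\\" in key or not progid:
            continue  # only top-level extension keys that name a ProgID
        dde = keys.get(progid.lower() + "\\shell\\open\\ddeexec")
        if dde is not None and key not in allowed_ext:
            findings.append((key, progid, dde))
    return findings
```

Calling `audit_ddeexec(SAMPLE_REG, {".doc"})` reports only the constructed ".###" association; the ".txt" entry is ignored because its open verb uses a command handler rather than ddeexec.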