Virus Database

Orchid Family

Description Orchid Family

These are harmless nonmemory resident encrypted parasitic viruses. "Orchid.120" is overwriting virus. They search for .COM files and write themselves at their beginning. They contain the text strings:
"Orchid.120,311": Killed by my orchidall
"Orchid.351": Time goes fast without you
Move file pointer to start of file

Check other viruses! Be aware! Use Antiviral Software

Macro.Word.Printer

Description Macro.Word.Printer

This is an encrypted Word macro virus. It contains 5 macros in documents and 10 in NORMAL.DOT:
Documents NORMAL.DOT
LPT1 FileOpen, LPT1
LPT2 FilePrint, LPT2
Canon FileSaveAs, Canon
Epson Epson, FileTemplates, ToolsMacro
AutoOpen AutoOpen

The virus infects the global macros area (NORMAL.DOT) on opening an infected document (AutoOpen) and writes itself to documents that are saved with new name (FileSaveAs).
On entering the Tools/Macro the virus displays the MessageBox:
Weeee Weeee

On printing documents the virus writes to the status line the message and draws it to right:
Know what Dwira Oktorianto is, before it is too late

Macro.Word.Prizm

Description Macro.Word.Prizm

This is an encrypted Word macro-virus. It contains nine macros: PRiZM, AutoExec, AutoOpen, FileOpen, FileSave, FilePrint, FileSaveAs, ToolsMacro, and FileTemplates.
It is based on the "Word.Cap" virus, has a similar structure and instructions set. It replicates upon document opening, closing, and saving.
While printing, the virus appends a string to the end of the document that is printed:
Battle of life. Capital!!!

The virus has an unusual method of infection. While infecting, the virus performs several steps, uses the system registry, and drops an additional EXE file. The infection routine is placed in the virus' code as a set of text strings that are DDE (Dynamic Data Exchange) instructions. If needed, the virus executes them, and these instructions copy the virus' code to target the documents and templates.
To execute its DDE instructions, the virus saves them to the system registry in the "HKEY_CLASSES_ROOT###fileshellopenddeexec". The virus then registers a new extension "###", and sets DDEEXEC as a handler of files with such an extension.
The virus then creates a randomly named EXE file in the Windows temporary directory, and writes a short program into it. This program only creates and opens the "PRiZM.###" file. This file-name extension is linked with DDEEXEC, and as a result, Windows activates the virus, DDE instructions, executes them and they copy the virus code to a victim file.

Home