Virus Database

Pelf.2132

Description Pelf.2132

(aka Lindose)
This is a harmless non-memory resident parasitic multipartite virus. It infects Windows executable files as well as Linux ones (Windows PE files and Linux ELF files).
The virus is written in Assembler, and is about 2.5 Kb in size. It does not manifest itself in any way, and it is like a multiplatform Windows-Linux virus concept.
The virus contains the text strings:
[Win32/Linux.Winux] multi-platform virus by Benny/29A
This GNU program is covered by GPL.
To infect executable files of both systems, and to spread under both these system, the virus routines are separated into two blocks: the former block is activated under Windows, it then looks for Windows and Linux executable files and infects them; the latter block is activated under Linux, looking for executables files and infecting them as well.
The Windows part
It searches for the all files in the current and upper directory, and infects PE files and Linux ELF files (it checks the file type by file format). It infects both types, and has two subroutines for each (Windows version).
The Linux part
This part searches for the all files in the current directory, and infects PE files and Linux ELF files (it checks the file type by file format). It infects both types, and has two subroutines for each type (Linux version).
Infecting Windows PE files
The virus scans for the ".reloc" section. If this section is found, the virus writes itself to the middle of the file. It saves the original Entry Point address, and restores the PE file after it has finished its work.
Infecting Linux ELF files
The virus writes itself to the Entry Point of the file. It saves original data at the end, and saves code from Entry Point and restores the ELF file after finishing its work.

Check other viruses! Be aware! Use Antiviral Software

Macro.Word97.Natas

Description Macro.Word97.Natas

It is polymorphic and stealth macro virus. It contains six macros in the one module "Chaos": AutoOpen, FileNewDefault, FileNew, ToolsMacro, FileTemplates, ViewVBCode, FormatStyle.
The virus infects the system on opening an infected document. Infection does not modify the NROMAL.DOT file - the virus saves infected file in Startup path and in C:WINDOWSSHELLNEWWINWORD8.DOC directory. Documents get infection only on creating.
The virus polymorphic engine inserts at random places into virus code comments: "Rem " or "'". The virus disables macro code viewing (stealth) by dummy macros ToolsMacro, FileTemplates, ViewVBCode.
The virus contains the comments:
W97M/Chaos by Lord Natas
2/12/98 (its about time I released it!)
"Without the threat of death there's no reason to live at all"
-Marilyn Manson

Macro.Word97.NightShade

Description Macro.Word97.NightShade

This macro virus contains only one macro named NightShade. This macro contains auto-function AutoClose that allows the virus to infect the system and documents on file closing. Depending on the system date and random counter the virus displays the text:
Attention:
Word97.NightShade by Pyro [VBB]

On Friday 13th it sets to documents the password "NightShade".

Home