Virus Database

Rideon.4313

Description Rideon.4313

It is a dangerous memory resident polymorphic and stealth parasitic virus. It hooks INT 21h and writes itself to the end of COM files that are closed. The stealth routines are activated on files searching and opening calls. When infected files are opened, the virus disinfects them. When they are searched, it decreases their size back to the original value.
When the anti-virus F-PROT, or data compressing utilities RAR, ARJ, PKZIP, LHA, or BACKUP utility is executed, the virus disables some of its stealth routines. When the F-PROT anti-virus is run, when it reads data from files (to load data or scan files for viruses), the virus copies random data to its read buffer.
The virus deletes the anti-virus data files:
ANTI-VIR.DAT CHKLIST.MS SMARTCHK.CPS AVP.CRC IVB.NTZ CHKLIST.TAV

The virus polymorphic engine has several bugs and in some cases produces the polymorphic loop that is not able to decrypt virus code. Such files halt the system when executed.
On July 4th the virus erases the CMOS memory and displays the message:
-- [RIDEON] (c) ThE_WiZArD / DDT (Spain) --
###### ## ##### ##### ####### ### ##
# # ## ## ## ## ## ## #### ##
###### ## ## ## ## ## ## ## ## ##
## ## ## ## ## ##### ## ## ## ## ##
## ## ## ## ## ## ## ## ## ## ##
## ## ## ##### ##### ####### ## ####

The virus also contains the text strings:
#ThE_WiZArD
You`ll take my life but iïll take yours too
For those about to rock all I salute you!

Check other viruses! Be aware! Use Antiviral Software

Macro.Word97.Reformasi

Description Macro.Word97.Reformasi

This is a stelth macro-virus. It infects the global macros area (NORMAL.DOT template) on infected document opening. Other documents get infected on their opening, closing and saving. While infecting a document, the virus adds the AutoCorrect entry to the document that replaces the text "yond" with a space character.
Before saving victim documents, the virus sets up hidden property for a whole text in a document and clears this property on document opening. As a result, in desinfected documents, the whole text will be invisible. One way to solve this problem is to check "View/Formatting marks/Hidden text [v]" checkbox in "Tools/Options" dialog box. Another way to make the text visible is do a commands click menu "Edit/Select All", then in "Format/Fontall" dialog box uncheck "Effects/Hidden [ ]" checkbox.
To hide itself, the virus disables the keys Alt+F11 and Alt+F8, blocks opening Visual Basic Editor, and ToolsMacro and Organaizer dialogue boxes.
The virus displays a non-standard dialogue on click "Help/About Microsoft Word"
Other two dialogs virus displays on choosing "File/Exit" menu if the day of the week is Friday.

Macro.Word97.Remplace

Description Macro.Word97.Remplace

This macro virus contains seventeen macros in one module "Akrnl": Akrnl, AutoExec, AutoNew, AutoPrint, FileNew, FileClose, FileExit, autoOpen, AutoExit, AutoClose, ToolsMacro, FileTemplates, ViewVBCode, RandomRemplace, Remplace, Sauve, DelVir.
It infects the global macros area on opening an infected document (AutoOpen) and infects other documents on opening, closing, printing or creating (FileOpen, AutoPrint, FileClose, FileNew). Before infecting the virus removes all modules from infecting document and global macros area.
The virus turns off the Word virus protection (the VirusProtection option).
On opening infected document if day of month is above 22, the virus with probability about 27% replaces text "donc," with one of following strings:
ainsi, si j'en crois ce que mon incompŠtant de professeur me dit,
ainsi, mon chat a perdu ses dents. De plus,
ainsi, selon ma grand-m¨re,
ainsi, la mati¨re du cours est plate. De plus,

Home