Virus Database

Bagnara.694

Description Bagnara.694

It is not a dangerous memory resident encrypted parasitic virus. It hooks INT 21h and writes itself to the end of COM-files that are executed. While infecting the files the virus writes to the file end one of its two decryption routines, and then the encrypted code. While infecting the file length is increased with 694 or 699 bytes in depending on the selected decryption routine.
On 6th, June the virus also hooks INT 8 and blinks with Num/Caps/Scroll-Lock indicators.

Check other viruses! Be aware! Use Antiviral Software

Macro.Word.Kerranga

Description Macro.Word.Kerranga

This is a very dangerous virus. It contains five macros: Autoexec, FileSaveAs, FileOpen, FilePrintDefault, ToolsMacro.
On Autoexec the virus disables Word virus protection, if it presents in the Tools/Options/General menu, as well as prompt on NORMAL.DOT saving. On FileOpen and FileSaveAs the virus runs its infection routine. On ToolsMacro the virus opens 65 new documents, but does not execute original Tools/Macro menu. On FilePrintDefault on 18:00 the virus appends to the end of document the text:
Kerbaffely Urgo Kerranga! Kerranga!!!!

Then it deletes all *.DOC files in the current directory.

Macro.Word.Kiffer

Description Macro.Word.Kiffer

This is German-specific Word macro virus. It contains six macros, some macros have random selected names:
Documents MICROSOFT.DOT (infected Word)
<random> dateispeichernunter
extrasmakro extrasmakro
dateischliexen <random>
dateidokvorlagen dateidokvorlagen
<random> <random>
autoopen <random>

It infects the system on opening and on closing an infected document. To affect Word the virus creates the infected MICROSOFT.DOT template in the Word startup path. Documents get infected when saved with a new name.
The infection-routine is placed in a macro with a random name. This macro is encrypted in documents and is decrypted in case of need. The names of macros (random names) are stored in documents' variables (in case of documents), in case of MICROSOFT.DOT file (infected system) they are stored in the WIN.INI file in the section [embedding] in the items vxdRNDM, TaskRNDM, SystemRNDM.
On the 30th of any month the virus displays the message:
Leeglize Cannabis !! R.M.M (C) by MaD KiFFeR 05.09.98

On the 15th the virus appends to the AUTOEXEC.BAT file the commands that cyclically display the text:
Infected with RnDm MuTanT MuTaGeN (c) MaD KiFFeR 05.09.98

The virus contains the comments:
***********************************
* WM RnDm MuTaNt MuTaGeN *
* vers Beta *
* Polymorphism/Stealth *
* encrypted by RMEG *
*Random Macro Encryption Generator*
* fools F/WIN32 1.13, F/WIN 4.38 *
* Winguard, F-PROT3/F-MacroW1.1 *
* etc.!! *
* only works with WORD95ger *
* F**k slow WordBasic *
* special Thanx to [SLAM] Mag *
* 05.09.98 /Germany *
* (c)by MaD KiFFer *
***********************************

Home