Virus Database

SG_Bomber family

Description SG_Bomber family

These are harmless nonmemory resident encrypted parasitic viruses. They search for COM files, then write themselves to the end of the file. While infecting the viruses write several parts of code that pass control to the virus code. The first block passes control to the second one, second jumps to third and so on up to ten jumps. The same technology is used by "Bomber" parasitic virus.
This viruses contain the text strings:
(c) Copyright by Beast.
(c) Stealth Group Bishkek.
(c) Stealth Group World Wide.
Infection by Beast. v0.91
Stealth Group World Wide.
[Bomber v1.0] by Beast. Stealth Group World Wide.

Check other viruses! Be aware! Use Antiviral Software

Macro.Word97.Layla

Description Macro.Word97.Layla

It is a dangerous stealth macro virus. It contains ten macros in one module "TJ": AutoOpen, LAYLA, AutoExec, AutoExit, AutoClose, FileClose, ToolsMacro, ToolsCustomize, FileTemplates, ViewVBCode.
It infects the global macros area on opening an infected document (AutoOpen) and infects other documents on opening and closing (AutoOpen, AutoClose).
The virus turns off the Word virus protection (the VirusProtection option) and deletes "NewMacros" module that contains user defined macros. It also disables the Tools/Macro, Tools/Customize menus (stealth). On opening the Visual Basic editor the virus closes Word without saving changes in documents.
On 27th or 29th of any month on closing documents the virus runs its payload procedure. On opening Word at these days the virus displays in the status bar the text:
Excellent dayall for me... :)

The payload procedure is also run on opening document at 27th or 29th second of minute. This procedure replaces all digits by text "Tj" or "Layla" depends on day of month. Also it replaces every 9th character in document by Aries sign.
On exiting Word the virus searches in subdirectories of "c:", "c:program files", "d:" and "e:" for files by wildcard "*d*r*w*.*" (looking for DrWeb anti-virus) and deletes all files in directories where suitable files were found. Then it searches for "*a*v*p*.*" and deletes "*.avc" and "*.key" files (AVP anti-virus databases and key file). As a result of quite scrappy wildcards the virus can delete many other files.
The virus also changes following information:
UserName = ""
UserInitials = "TJ_LAYLA"
UserAddress = ""

Macro.Word97.Leonor

Description Macro.Word97.Leonor

The virus is containing only one module "AutoOpen" and replicates on opening documents. On Monday or Saturday depending on system random counter the virus creates one hundred files with names from "1" till "100" in the C:WINDOWSESCRITORIO directory and writes the text to them:
I love Leonor forever

The virus also contains the comment:
Leonor macro (v1.1) made by uhjov

Home