Virus Database

Trojan.Win32.FireAnvil

Description Trojan.Win32.FireAnvil

This is a trojan program that is built into the "Firehand Ember Millenium" commercial software (produced by the Firehand Technologies Corporation, http://www.firehand.com).
The trojan was found in version "5.2.3.0" of this software, in beginning of September 2002. The trojan was found in original "Firehand Ember" package, and it was available for download at Firehand Web site: http://www.firehand.com/Ember/index.html.
Next week after the trojan was found, the trojan package was removed from download area and replaced with another "5.2.3.0" version where trojan components were removed.
The trojan components were found in two files in this package:
Ember32.exe - the main executable file
fireutil.dll - program's library

On activating the trojan displays the message:
CrAcKiNg SoFtWaRe! PlEaSe WaIt!


Then it looks for all files on the drive where Windows is installed, and overwrites files with the text:
CzY CrAcKiNg CrUe! We CrACk EvErYtHiNg!

The trojan is activated on entering registation data:
Registered User ID: [_________]
Registration Key: [_________]


in case the "Registered User ID" field contains the "czy czy" string (any cased).

Check other viruses! Be aware! Use Antiviral Software

Macro.Word97.Osm

Description Macro.Word97.Osm

This is a stealth companion macro virus. It contains two modules "NewMacros" and "dlgMyMacs". It does not infect the global macros area and documents in ordinary way. On document saving the virus copies infected template to the document's folder and attaches this template to the document. Next time this document is being opened, the infected template will be automatically loaded by MS Word.
On first run on the computer the virus also creates in MS Word startup folder the infected template Startup.dot. This template is automatically activated when MS Word starts.
Also only on first run the virus drops on the A: drive, and executes a Windows executable file that contains the "Back Orifice Trojan" which is additionally infected with "Win95.Marburg" virus. If there is no disk in drive A: MS Word can trap on incorrect operation.
The virus replaces standard ToolsMacros dialog box by its own empty one (stealth).

Macro.Word97.Ozwer

Description Macro.Word97.Ozwer

This is a stealth macro virus. It infects global macros area (NORMAL.DOT template) on opening an infected document and hooks many events: documents open, close, save, print, paste and copy commands, etc. Other documents get infection on any of hooked actions. While infecting a document the virus changes MS Word window caption to "ø Microsoft Word".
To hide itself the virus disables menus:
Tools/Macro
Tools/Templates and Add-ins..
Tools/Customizeall
Tools/Options...
View/Toolbars

It also displays own ToolMacro dialog box where are no any macro listed. On try to open Visual Basic Editor the virus displays one of two messages (depending on MS Word localisation):
Error interno en Word Basic Err=1100e.
Imposible cargar bibliotecas din¡micas.
Compruebe que todos los archivos estŠn
en sus carpetas.
Si el problema persiste, consulte la guia
del usuario.
Word Basic internal error Err=1100e
Unable to load module 1x6004.
Check that all files are in their folders
and that they are not damaged.
If the problem persists, consult user's guide.

Every twenty minutes the virus checks words count in current document and if it is in ranges 350-400, 700-750, 900-950, 1000-1050, 1150-1200, 1300-1350 or 1500-1600 then in one case of four the virus mixes words in the document.

Home