Virus Database


Ugly family

Description Ugly family

These are very dangerous memory-resident, polymorphic, stealth, multipartite viruses. They infect COM and EXE files as well as the MBR of the hard drive and the boot sectors of floppy disks ("Ugly.6047,6048" fail to infect floppy disks). The viruses are encrypted in files and in the MBR; they do not encrypt themselves in the boot sector of floppy disks.
When infecting a file, the viruses write themselves to the end of the file. When infecting a disk, the viruses overwrite its first sector (boot sector or MBR); the original sector and the virus code are saved in the last sectors of the disk. In the case of a floppy disk, the virus formats an extra track.
When an infected file is executed or the system boots from an infected floppy disk, the virus infects the MBR of the hard drive and returns control to the host program or boot sector. When writing data to the hard drive, the virus uses direct calls to the HD ports.
When loading from an infected disk, the virus allocates a block of system memory by decreasing the size of memory (the word at address 0000:0413), hooks INT 1Ch, waits for the DOS loading process, hooks INT 8, 16h, 17h, 20h, 21h, 25h, 26h, 27h and completes its installation by restoring the size of system memory (the word at 0000:0413). As a result, the virus leaves its TSR code in a separate block of DOS memory. The virus then infects the files and floppy disks that are accessed. Depending on its counter (INT 8), the virus also searches for COM and EXE files in the current directory and infects them.
The viruses check file names and do not infect the following files: COMMAND.COM, GDI.EXE, DOSX.EXE, WIN386.EXE, KRNL286.EXE, KRNL386.EXE, USER.EXE, WSWAP.EXE, CHKDSK.EXE.
Depending on their internal counters, and when run under a debugger, the viruses erase the CMOS and hard drive sectors.
The viruses use a complex algorithm that allows them to stay memory resident after a cold reboot and after loading from a clean DOS floppy disk. On installation, the virus saves the CMOS memory that holds the information about floppy drives and sets that information to zero (i.e. the virus emulates the situation in which no floppy drives are installed). When disks are accessed, the virus temporarily restores the CMOS and then erases these fields again. On any (cold or warm) reboot, the system checks the CMOS, does not detect the floppy drives and passes control to the MBR of the hard drive. The virus in the MBR therefore receives control, installs itself into memory and then passes control to the floppy disk loader. As a result, the virus stays memory resident even after loading from a clean write-protected disk.
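The CMOS manipulation described above leaves a trace that can be checked in a saved CMOS dump. The following Python check is an added example, not code from the original entry; the offsets are the standard AT CMOS layout (an assumption, the entry does not name them), `audit_cmos` and `make_sample` are hypothetical helper names, and the sample dumps are constructed.

```python
# Added example: consistency checks over a saved AT CMOS dump (first 64 bytes).
# Offsets follow the standard AT CMOS layout; they are not taken from the virus.
FLOPPY_TYPES = 0x10      # high nibble = drive A type, low nibble = drive B type
EQUIPMENT = 0x14         # bit 0 = floppy drives installed
CSUM_FIRST, CSUM_LAST = 0x10, 0x2D   # bytes covered by the standard checksum
CSUM_HI, CSUM_LO = 0x2E, 0x2F        # stored checksum, high byte first


def cmos_checksum(cmos: bytes) -> int:
    """16-bit sum of the checksummed CMOS range."""
    return sum(cmos[CSUM_FIRST:CSUM_LAST + 1]) & 0xFFFF


def audit_cmos(cmos: bytes, floppy_physically_present: bool) -> list[str]:
    """Return findings that suggest the floppy fields were tampered with."""
    if len(cmos) < 0x30:
        raise ValueError("need at least the first 48 CMOS bytes")
    findings = []
    types = cmos[FLOPPY_TYPES]
    if types == 0 and floppy_physically_present:
        findings.append("floppy type byte is zero although a drive is fitted")
    if types == 0 and cmos[EQUIPMENT] & 0x01:
        findings.append("equipment byte reports floppies but type byte is zero")
    stored = (cmos[CSUM_HI] << 8) | cmos[CSUM_LO]
    if stored != cmos_checksum(cmos):
        findings.append("CMOS checksum mismatch")
    return findings


def make_sample(floppy_types: int, equipment: int) -> bytearray:
    """Constructed sample dump with a valid checksum."""
    cmos = bytearray(64)
    cmos[FLOPPY_TYPES] = floppy_types
    cmos[EQUIPMENT] = equipment
    csum = cmos_checksum(cmos)
    cmos[CSUM_HI], cmos[CSUM_LO] = csum >> 8, csum & 0xFF
    return cmos


if __name__ == "__main__":
    clean = make_sample(0x40, 0x01)      # constructed: one 1.44 MB drive A
    zeroed = make_sample(0x00, 0x01)     # constructed: type byte cleared
    print("clean :", audit_cmos(clean, True))
    print("zeroed:", audit_cmos(zeroed, True))
```

The dump has to be taken while the suspect system is running, since the entry states that the fields are restored only temporarily during disk access.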

Macro.Word97.Vacuity

Description Macro.Word97.Vacuity

This stealth macro-virus contains eight macros in one module "Vacuity": Jj, FileTemplates, FormatStyle, ToolsMacro, ViewVBCode, Organizer, FileClose, DocClose.
The virus infects files and the global macros area when a document is closed (FileClose, DocClose). It turns off the Word virus protection (the VirusProtection option) and, as a stealth measure, disables File/Templates, Format/Style, Tools/Macro, Organizer and the Visual Basic Editor.
The virus code contains the comment:
Copyright (C) 1998 by FlyShadow ~^^~ - Vacuity

Macro.Word97.Vampire

Description Macro.Word97.Vampire

This virus contains 13 macros in one module: AutoOpen, autoexec, AutoClose, FileTemplates, KZ, pire, ToolsMacro (stealth), Vampire2, VM, VM1, VM2, VM3, VMP.
It replicates itself when documents are opened and closed (AutoOpen, AutoClose). When an infected Word97 starts, the virus, depending on a random counter, scans the C: and D: drives and beeps each time a file is found. The virus then displays a dialogue box in Chinese. Depending on the system time, the virus inserts Chinese text into the current document.
On entering the Tools/Macro menu, the virus displays the following MessageBox:
Microsoft Visual Basic
Out of Memory

    Copyright © 2005 Virus-Database.com