Virus Database


Urphin.1621

Description Urphin.1621

This is a non-dangerous, memory-resident parasitic virus. It hooks INT 21h and INT 28h and writes itself to the end of COM and EXE files. EXE files are infected when they are executed. COM files are infected only on the FindNext ASCII DOS call, and only on a floppy drive. The virus does not infect files matching: *AI?.*, *WEB?.*, *ES?.*, *RA?.*.
When TPC.EXE (the Turbo Pascal compiler) is executed, the virus also intercepts the opening of .PAS files (Pascal source files), searches them for a "BEGIN" line (subroutine header), and writes its hexadecimal dump there together with the necessary Pascal instructions. When the .PAS files are closed, the virus removes its hex dump from them. As a result, the virus code is present in the Pascal source files while they are being compiled, and the resulting executable files become virus droppers.
The virus contains the text strings:
BEGINbegin
URPHIN
ASM
END;


Macro.Word.Nomej

Description Macro.Word.Nomej

The virus code contains six macros: Action, AutoExec, AutoOpen, InNormal, UtilMacro, ArquivoSalvarComo. The virus spreads when documents are opened or saved under a new name. This version of the virus does not manifest itself in any way. It contains the text:
By Creby & Criby

Macro.Word.Nomvir

Description Macro.Word.Nomvir

This is a very dangerous virus. It contains ten macros: AutoExec, AutoNew, AutoOpen, DateiSpeichern, DateiSpeichernUnter, DateiBeenden, ExtrasOptionen, DateiDokvorlagen, FuckIt, and DateiDrucken.
Upon AutoNew and AutoExec, it infects the global macros area. Upon DateiSpeichern and DateiSpeichernUnter (FileSave, FileSaveAs), it infects a document.
The virus looks for the "Nomvir=" parameter in the "Compatibility" section of the WIN.INI file, and does not perform any action if it finds "Nomvir=0x0690690". The virus also creates a counter "iCount" in the "intl" section, and increments it whenever a document is printed. Depending on the counter, the virus deletes the C:\AUTOEXEC.BAT and C:\CONFIG.SYS files. Depending on the system date, the virus replaces some words in documents with "hell" or appends the following text to the end of the document:
Fuck Microsoft & Bill Gates

On January 1st, December 25th, on the 23rd of any month, and on Saturday 13th, it deletes the following files:
C:\WINDOWS\USER.DA0
C:\WINDOWS\SYSTEM.DA0
C:\WINDOWS\USER.DAT
C:\WINDOWS\SYSTEM.DAT

Depending on the system time, the virus sets randomly selected passwords for documents. Upon accessing Tools/Macro and the DateiDokvorlagen menu, the virus displays the following message boxes:
Nicht genügend Arbeitsspeicher !
Interner Fehler !
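
The WIN.INI traces described above can be checked for during triage. The following is an added example, not part of the original description: the function names and the sample WIN.INI contents are constructed for illustration, and the counter value is treated as an opaque string because the description does not give its format.

```python
def parse_ini(text):
    """Parse INI text into {section: {key: value}}, lower-casing names
    because WIN.INI section and key names are case-insensitive."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
    return sections


def nomvir_findings(win_ini_text):
    """Return a list of Macro.Word.Nomvir traces found in WIN.INI text."""
    ini = parse_ini(win_ini_text)
    findings = []
    # [Compatibility] Nomvir=... is the parameter the virus looks up.
    marker = ini.get("compatibility", {}).get("nomvir")
    if marker is not None:
        if marker.lower() == "0x0690690":
            findings.append("inhibit-marker")   # value that makes it do nothing
        else:
            findings.append("nomvir-key")
    # [intl] iCount is the print counter the virus creates. Match the exact
    # key name so the legitimate iCountry setting is not flagged.
    count = ini.get("intl", {}).get("icount")
    if count is not None:
        findings.append("print-counter=" + count)
    return findings


# Constructed sample inputs (not taken from a real system).
SAMPLE_COUNTER = "[intl]\niCountry=49\niCount=7\n[Compatibility]\nEXAMPLE=0x0001\n"
SAMPLE_MARKER = "[compatibility]\nNOMVIR=0x0690690\n[intl]\niCountry=49\n"
SAMPLE_CLEAN = "[intl]\niCountry=1\nsCountry=United States\n"

if __name__ == "__main__":
    for name, text in (("counter", SAMPLE_COUNTER), ("marker", SAMPLE_MARKER),
                       ("clean", SAMPLE_CLEAN)):
        print(name, nomvir_findings(text))
```

An "iCount" entry indicates the virus has run on the machine; the inhibit marker on its own indicates only that the parameter was set.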

    Copyright © 2005 Virus-Database.com