Virus Database


Walrus.482

Description Walrus.482

This is a non-dangerous, memory-resident parasitic virus. It hooks INT 21h and appends itself to the end of COM files when they are executed. The virus also intercepts several virus-ID ("Are you here?") INT 21h calls and appears to prevent the viruses that issue them from spreading.
Depending on the system date and time, the virus displays one of the following messages:
/* CHRiSTiAN iS A GooN */
/* JiREE HoSAN */

The virus also contains the text strings:
/* May 19th */
/* ANTi-VLAD CoDE */
/* WALRUS */


Macro.Word97.Psd

Description Macro.Word97.Psd

This is the first known macro virus infecting Office2000 Word documents. It was discovered in December 1998. The virus uses the same infection methods as Word/Word97 viruses. The only difference is that the virus is converted into the new Word document format and uses a few Office2000-specific instructions.
The virus affects the global macro area when an infected document is opened. The virus spreads itself into other documents when they are closed.
The virus disables Word's anti-virus protection in two ways: by using a Basic instruction and by writing to the corresponding field in the system registry.
This is a stealth virus. While infecting the system it creates a stealth macro that disables viewing of the virus code and exits Word without saving all changes.
The virus also uses a polymorphic routine that randomly renames the virus's variable and subroutine names.
The virus code is placed in one module, in the Document_Open macro, in infected documents. When an infected document is opened, Word executes the auto-macro Document_Open, and the virus code takes control and installs the virus into the system. In doing so the virus copies its code to the global macro area under the name Document_Close and creates an additional stealth macro, ViewVBCode.
The virus checks the system date and time, and if the current day number is equal to the current minutes value, the virus runs its trigger routine: it displays several figures of random size and random color.
The virus code contains the comment:
W97M/PSD by ALT-F11, VAMP Poly by VicodinES
Converted to W2000/PSD by VicodinES

Macro.Word97.Redter

Description Macro.Word97.Redter

This is a non-polymorphic Word virus. The virus resides in the RedTerrorist module.
It has seven subroutines:
AutoOpen
AutoClose
FuckThemAll
ToolsMacro
ToolsCustomize
ViewVBCode
Delay
The virus replicates when a document is opened or closed.
AutoOpen, AutoClose:
These procedures only call the main infection routine of the virus, which is in the FuckThemAll routine.
Delay:
This macro causes the system to pause before a message window is shown.
For i = 0 To 19170000
Next
FuckThemAll:
Main virus routine. It checks the system parameter 'Country' and, if this is 'US', it then runs the command shell:
"c:command.com C echo y | del " + Environ("windir") + "system*.* > nul"
After that the virus sets the following parameters:
.SaveNormalPrompt = False
.VirusProtection = False
.AllowFastSave = True
.BackgroundSave = True
The virus checks whether the 'RedTerrorist' module is already present in the active document (or normal.dot), so repeated infection does not occur. If the module is not found, the virus creates an export file 'user.vxd' in the %windir%\%temp% directory and infects the document. After that the virus removes the export file 'user.vxd'.
ToolsCustomize, ToolsMacro, ViewVBCode:
These three routines are used for stealth; when executed they call the Delay routine and display Message Boxes:
ToolsMacro:
Top level process aborted, cannot continue
ToolsCustomize:
Configuration too large for memory
ViewVBCode:
Error in EXE file, program too big to fit in memory
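
The macro names and option changes described in the Psd and Redter entries above can be turned into a simple triage check over VBA source that has already been extracted from a document. This is an added example, not part of the original database entries; the function names, the escalation rule and the sample modules are constructed for illustration.

```python
import re

# Indicators named in the entries above; the grouping and rule are assumptions.
AUTO_MACROS = {"autoopen", "autoclose", "document_open", "document_close"}
STEALTH_MACROS = {"toolsmacro", "toolscustomize", "viewvbcode"}
WEAKENED_OPTIONS = {"virusprotection": "false", "savenormalprompt": "false"}
SUB_RE = re.compile(r"^\s*(?:(?:public|private)\s+)?sub\s+(\w+)", re.I | re.M)
OPT_RE = re.compile(r"\.(\w+)\s*=\s*(\w+)", re.I)

def strip_comments(source):
    """Drop VBA comments (' to end of line) so commented-out text is not matched."""
    out = []
    for line in source.splitlines():
        in_string = False
        for i, ch in enumerate(line):
            if ch == '"':
                in_string = not in_string
            elif ch == "'" and not in_string:
                line = line[:i]
                break
        out.append(line)
    return "\n".join(out)

def triage_macro_source(source):
    """Return findings for one module's extracted VBA source text."""
    code = strip_comments(source)
    subs = {name.lower() for name in SUB_RE.findall(code)}
    options = sorted({opt.lower() for opt, val in OPT_RE.findall(code)
                      if WEAKENED_OPTIONS.get(opt.lower()) == val.lower()})
    auto = sorted(subs & AUTO_MACROS)
    stealth = sorted(subs & STEALTH_MACROS)
    # Assumption: an auto-macro combined with stealth handlers or disabled
    # protection is worth escalating; an auto-macro alone is common.
    suspicious = bool(auto) and bool(stealth or options)
    return {"auto": auto, "stealth": stealth, "options": options,
            "suspicious": suspicious}

# Constructed sample modules (not real virus code).
SAMPLE_FLAGGED = (
    "Sub AutoOpen()\n    Options.VirusProtection = False\nEnd Sub\n"
    "Private Sub ViewVBCode()\nEnd Sub\n"
)
SAMPLE_BENIGN = (
    "Sub AutoOpen()\n    ' Options.VirusProtection = False\n"
    "    Options.AllowFastSave = True\nEnd Sub\n"
)

if __name__ == "__main__":
    print(triage_macro_source(SAMPLE_FLAGGED))
    print(triage_macro_source(SAMPLE_BENIGN))
```

A module that redefines ToolsMacro, ToolsCustomize or ViewVBCode is hiding the macro editor from the user, which is why those names are treated as a separate signal from the auto-macros.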

    Copyright © 2005 Virus-Database.com