Virus Database

Win.Twitch

Description Win.Twitch

It is a harmless(?) nonmemory resident companion virus. It searches for NewEXE files, renames them with OVL extension and replases original files with the virus code. The virus contains the partly encrypted strings:
BOOT SHELL SYSTEM.INI PATH TEMP OVL CHKLIST.CPS *.EXE
NETWARE FILEMAN SCRNSAVE WINPRINT WINDOWS
DeviceSelectedTimeout
LOAD .EXE SYSTEM SYSEDIT.EXE NWPOPUP.EXE

Check other viruses! Be aware! Use Antiviral Software

Macro.Word.OutLaw

Description Macro.Word.OutLaw

These are semi-polymorphic macro viruses - while infecting a file they copy their three macros with random selected names, so there are no fixed set for macros' names in infected files and NORMAL.DOT.
To realize this semi-polymorphism the virus uses system random counter and timer - while selecting new name for macro the virus sets the first letter in name depending on current hour: 1 - 'A', 2 - 'B', 3 - 'C' and so on, and then appends four random selected digits. As a result random selected names look like: O8493, O7920, O9259, or M8064, M8908, M8151.
Other version of this virus may use other schemes to build the names, "Outlaw.Goodbye" also starts the macro names according to current hour, but uses other set of letters: 1 - 'AZ', 2 - 'BY', 3 - 'CX', and so on.
There are no auto-macros in virus, and to get control the virus assigns its macros with keystrokes: SPACE key - macros that infects global macros area, 'E' key - macros that infects current document.
To get the name of current macro while copying it and to run its payload macro the virus uses two ways. To get its names from a document the virus creates three variables in document: VirNameDoc, VirName, VirNamePayload, and saves there current names while infecting. In case of need the virus gets these names from there.
To get the names in case of NORMAL.DOT (global macros area) the virus creates three records containing current names in System Profile (WIN.INI file) in [Intl] section, these strings are:
[Intl]
Name=
Name2=
Name3=

On January 20 original "Outlaw" virus runs its trigger routine. Under Windows95 and depending on several other conditions the virus plays a sound - it drops LAUGH.WAV file and plays it (this file contains recorded laugh). The virus also inserts in current document the strings:
You are infected with
Outlaw
A virus from Nightmare Joker

There is an encrypted variant of original "Outlaw" - the "Outlaw.b" virus.
"Outlaw.Black" contains two macros with 8-letters random names (for example - DIJRCJCY, DOFYBPIT). This virus displays the message box:
BlackKnight

"Outlaw.Goodbye" is encrypted, plus to three random-named macros it contains two "stealth" macros - ToolsMacro and ExtrasMakro. While selecting Tools/Macro menu the virus shows "dummy" menus and displays error messages in the same way the Magnum virus does.
On October 10 this virus drops and runs "VLAD.Goodbye" DOS virus, creates new template and writes the text to there:
You are infected with the MooNRaiDer Virus!
Greetings to all members of Vlad!
I hope that's not the end!
The scene would be to boring without this very good group!
Nightmare Joker

This virus then creates SystemProfile section (WIN.INI file):
[Vlad]
Goodbye=Yes

Macro.Word.Outlaw

Description Macro.Word.Outlaw

text (c) Michal A. Egler
This is an encrypted macro virus. It contains the following macros: SH7397, SH7607, SH9213, AutoOpen, ToolsMacro, ExtrasMakro. This macro virus drops the DOS parasitic "Goodbye.860" virus.

Home