Virus Database

Win16.Klon.11776

Description Win16.Klon.11776

It is not a dangerous nonmemory resident parasitic Win16 virus.
The virus itself is Win16 executable file (NE EXE file) about 11-13Kb of length (depending on virus version). The virus is written in Turbo Pascal for Windows.
When the virus runs it looks for Win16 and Win32 EXE files (NE and PE) on available drives and infects them. While infecting the virus moves victim file body down, and writes its own code to the file beginning. To return control to host program the virus "disinfects" host file to temporary ".DLL" file and spawns it.
While processing the virus may also create its "droppers" (pure virus EXE code) in Windows system directory, the file names depend on virus version:
SYSTEM0.EXE, SYSTEM1.EXE, SYSTEM9.EXE ANTIA.EXE, ANTIB.EXE
Some of virus versions also register these files in WIN.INI file in auto-run section:
[windows]
run=
Depending on its "generation" and other conditions the viruses displays the message boxes:
klon!
Najemnik Virus Version 3.0
AntiAnti
One of virus versions looks for active anti-virus programs by searching for following strings:
viru
mks_
avp
antiviral
then moves this application window out of desktop and tries to terminate this application.
The viruses contains the text string:
"Klon.11776":
Idea:SaddamHusseinDiskValidator Amiga!
"Klon.12800,13056": AntiAntiVirus AAV AntiAntiVirus AAV

Check other viruses! Be aware! Use Antiviral Software

Macro.Word97.ThisDocument

Description Macro.Word97.ThisDocument

This virus contains six macros in one module "ThisDocument": AutoExec, AutoOpen, FileSaveAs, FileTemplates, ToolsMacro, ViewVBCode.
The virus infects the global macros area on opening an infected document, and while infecting, the virus also exports its code to the C:THISDOC.LOG file and displays the MessageBox:
Virus ThisDoc
Attention, ThisDocument est infectÊall

The virus infects documents on saving them with a new name, and it also displays the following MessageBox while infecting:
Virus ThisDoc
Je suis une Nouvelle GÊnÊration de Virus de Macro...

On entering the Tools/Macro menu, the virus displays the MessageBox:
Microsoft Word
Erreur SystÉme
Veuillez rÊessayer plus tard

On calling the ViewVBCode macro, it displays the MessageBox:
Microsoft Word
Ce programme a rÊalisÊ une opÊration illÊgale et va Ëtre interrompu.

On the 15th and any month, it displays the MessageBox:
Virus ThisDoc
ZeMacroKiller98 est heureux de vous prÊsenter sa nouvelle crÊation...

If the day number is equal to the hour, the virus displays the MessageBox:
Virus ThisDoc
Vos donnÊes vont Ëtre dÊtruites...

and erases the files:
C:Windows*.INI
C:Windows*.COM

Macro.Word97.Thus.aa

Description Macro.Word97.Thus.aa

This macro-virus contains three procedures: "Document_Open", "Document_Close" and "Document_New". It infects the macro area upon the opening of an infected document globally. The infecting routine checks and infects all opened, closed and created documents.
On December 13, the virus deletes all files on drive C:, including subfolders.
The virus body contains the following comment:
Thus_001
Macro.Word97.Thus.aa
This virus modification has another payload routine. After infection, the virus randomly chooses one file on a local disk and copies infected documents with the same name as the choosen file except the extension ".DOC", and awaits someone opening the infected document instead of the original file. If the file choosen by the virus has the extension ".DOC", the virus overwrites it with an infected document.
Being activated (upon document opening, closing or creating), the virus randomly chooses one file on the local disk and encrypts the first 32 kilobytes of data in the file. As a result, a user's data and program files are corrupted. Because the encryption algorithm is reversible, all data can be restored except for one byte at the end of an encrypted block, which is overwritten by the virus. The program for restoring encrypted files can be obtained by special request to AVP support.
The virus uses tricks to hide itself in a system. Upon clicking on the menu "Tools/Macro" or summoning the Visual Basic Editor, the virus displays the message:
File VBADLG.DLL not found
On "Tools/Templates and Add-insall" the virus displays the message:
Global template not loaded

Home