Virus Database

Win32.Chiton

Description Win32.Chiton
This is a family of dangerous Win32 viruses.
Win32.Chiton.l
When launching, the virus writes itself to vb6eng.dll. in the Windows system directory.
When any application which uses this DLL is launched, the virus will search for and infect Win32 applications (PE files). When infecting files, it writes itself to the end of the file. It does not re-infect already infected files.
The virus does not manifest its presence in the system in any way.
It contains the text string;
OU812 - roy g biv
06/06/01
*4U2NV*
Win32.Chiton.m
This virus searches for and infects PE files.
EXE files are infected by patching the API Process Thread Creation offset. Other PE files will be infected by replacing the code at entry point with the virus code. This virus does not re-infect already infected files.
The virus includes antidebugging techniques.
The virus does not manifest its presence in the system in any way.
The virus code contains errors.
It contains the text string:
Shrug - roy g biv
01/01/01

Check other viruses! Be aware! Use Antiviral Software

Macro.Word.Hyper.a

Description Macro.Word.Hyper.a

This is an encrypted macro virus. It contains nine macros: AutoExec, AutoOpen, FileOpen, FileSave, FileSaveAs, FileTemplates, ToolsMacro, EditAutoText, hyper (in documents) and M<random digit> (in NORMAL.DOT).
The virus infects the global macros area on opening (AutoOpen) or closing (FileClose) an infected document. It infects the documents that are saved (FileSave) or saved with new name (FileSaveAs).
While infecting NORMAL.DOT it creates the hyper-text file BLANK.HTM containing "running text" (Internet Explorer):
Your system has been infected with the WM.Hyper virus.
It looks like you are gonna have to take some remedial action all
(c) Hyperlock, March 1997

The virus creates the NOSTRAD.INI file and writes the text to there:
[virus]
hyper_counter=<¡«¼Ñ »« «½Ñ¡¿ >
author=Hyperlock

If the generation of virus is less than 5 or divisible by 10, the virus deletes the Dr.Solomon anti-virus file's C:TOOLKITFINDVIRU.*
This is a stealth-virus - it hooks File/Templates and Tools/Macro, on entering these menus the virus displays the MessageBox:
Microsoft Word
Not enough memory to perform this operation

Macro.Word.Ice

Description Macro.Word.Ice

This encrypted macro virus contains 5 macros: Plong, AutoOpen, FileSaveAs, ToolsMacro, FileTemplates. It writes itself to the global macros area on opening an infected document (AutoOpen). It infects other documents on their saving with new name (FileSaveAs).
In the WIN.INI file the virus runs a counter of infected documents:
[Yesman]
LastActive={count}

When this counter reaches 24, the virus displays to the StatusBar the message:
Lontong Micro Device (c) 1993 By ICE-Man

On entering menu Tools/Macro the virus displays the message:
ICE - Man '93
This virus dedicated to all my best friend :
~ Edong, Rosamya, Boeyoenk, Ludho, Bstyle ~
Be Cool Guys and keep your life on the line all
2 some one I love very much, why U disapoint me
I hope this not happend again 2 some one that U love

Home