Virus Database


Win32.Hatred.a

Description Win32.Hatred.a

These are dangerous non-memory resident parasitic polymorphic Windows viruses about 10Kb in length, infecting Win32 PE EXE files. While infecting, they increase the size of the last file section, encrypt and write themselves there, then modify the necessary fields in the PE file header.
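A structural triage check for the infection style described above, as an added example that is not part of the original description or any vendor's detection logic. It assumes that the modified header fields include the entry point and the last section's flags, which the description does not spell out; the function names and the sample headers are constructed for illustration.

```python
import struct

MEM_EXECUTE, MEM_WRITE = 0x20000000, 0x80000000  # IMAGE_SCN_MEM_* flags

def last_section_report(pe: bytes) -> dict:
    """Report whether the entry point lies in the last section and
    whether that section is both writable and executable."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    (nsect,) = struct.unpack_from("<H", pe, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)
    if nsect == 0:
        raise ValueError("no sections")
    opt = e_lfanew + 24                                # optional header start
    (entry,) = struct.unpack_from("<I", pe, opt + 16)  # AddressOfEntryPoint
    last = opt + opt_size + 40 * (nsect - 1)           # last section header
    name = pe[last:last + 8].rstrip(b"\0").decode("ascii", "replace")
    vsize, vaddr, rsize = struct.unpack_from("<III", pe, last + 8)
    (flags,) = struct.unpack_from("<I", pe, last + 36)
    return {
        "last_section": name,
        "entry_in_last": vaddr <= entry < vaddr + max(vsize, rsize),
        "last_write_exec": bool(flags & MEM_WRITE) and bool(flags & MEM_EXECUTE),
    }

def build_sample(entry_rva: int, last_flags: int) -> bytes:
    """Constructed PE32 headers only (two sections, no code or data)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)   # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(224, b"\0")
    def sect(name, vaddr, flags):
        return struct.pack("<8sIIIIIIHHI", name, 0x1000, vaddr, 0x1000,
                           0, 0, 0, 0, 0, flags)
    return (dos + b"PE\0\0" + coff + opt
            + sect(b".text", 0x1000, 0x60000020)
            + sect(b".reloc", 0x2000, last_flags))

if __name__ == "__main__":
    clean = build_sample(0x1000, 0x42000040)   # entry point in .text
    odd = build_sample(0x2100, 0xE0000020)     # entry point in writable last section
    print(last_section_report(clean))
    print(last_section_report(odd))
```

Both indicators also appear in legitimately packed executables, so a hit is a reason to examine the file further rather than an identification of this virus.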
The viruses have bugs and often corrupt files while infecting them; most files are corrupted, and in most cases the virus replicates only from its "first generation" (dropper file). Despite known virus versions being "intended" to start from the second generation, this bug may be fixed in future virus variants.
When the virus runs an infection procedure, it first searches for CDPLAYER.EXE, CALC.EXE, PBRUSH.EXE, MPLAYER.EXE, NOTEPAD.EXE, and WINHLP32.EXE files in the Windows directory, and infects them. The virus then scans all directories on all drives to locate and infect PE EXE files.
While infecting, the virus processes just one drive on one run, and continues infection of the next drive on the next infected file run. To do this, it collects disk info, encrypts and stores it in the system registry in the key:
HKEY_CURRENT_USER\Control Panel\Cursors: dertaH = [disks info]

Upon the next start-up, the virus reads this info, and continues the infection process starting from the drive where the infection was interrupted last time.
The virus checks the file names, and does not infect several anti-virus programs: F-*, AW*, AV*, NAV*, PAV*, RAV*, NVC*, FPR*, DSS*, IBM*, INOC*, ANTI*, SCN*, VSAF*, VSWP*, PANDA*, DRWEB*, FSAV* (F-PROT, AVG, AVP, etc.)
The virus also deletes several anti-virus data files:
AVP.CRC, IVP.NTZ, ANTI-VIR.DAT, CHKLIST.MS, CHKLIST.CPS, SMARTCHK.MS, SMARTCHK.CPS

On the 7th of any month, "Hatred.a" displays a message, and then covers the screen with black dots. The message appears as follows:
Win32.Hatred by Lord Julus (c) 1999
Today is the 7th !! Today is the day of hate !!
With Heart feel Hatred ! Black blood runs thru my veins !
Hatred !!!! Hatred !!!!
(escape is your escape)

The "Hatred.a" virus contains the text:
Win32.Hatred V.1.0
(C) 1999 by Lord Julus / [SLAM]

The polymorphic engine that is used by this virus contains the text strings:
Multiple Opcode Fantasies 32Bit V.2.5 by Lord Julus - 1999
JGM - Junk Generator Module V.1.0 by Lord Julus - March 1999

Hatred.b
This virus version is very close to the original one. The differences are: the registry key name is "YKCUL" ("LUCKY" written backwards); the "copyright" text is:
LUCKY B.R.D 1994-99

The payload routine is activated on the 3rd of any month; the message is displayed as follows:
Win95/98/Nt This is The Comtech Vir by LUCKY B.R.D 1994-99
Comtech product are badall..


Macro.Visio.Unstable

Description Macro.Visio.Unstable

This is the second macro-virus that also has pretensions to be The Number One in the "Macro.Visio" family. This virus is more complex than Macro.Visio.Radiant - it uses encryption and special tricks to hide its body in infected files.
The virus infects Visio documents, stencils and templates upon opening an infected document. It enumerates all opened documents, stencils and templates and infects them by copying the virus body into them. To mark already infected documents, the virus writes "Visio2k.Unstable" into their description and does not infect documents with such a mark.
To hide itself, the virus closes all opened windows in the VBA editor, and disables the Visual Basic Editor's menus and "Standard" toolbar. If a user tries to edit the macros inside infected documents, he/she will see just the empty editor's main window without any menus, toolbars and child windows.
The virus has a payload that triggers on the 31st, and it displays the message:
Visio2000.Unstable
Unstable, it's hard to be the one who's strong
Who's always got a shoulder to cry on
Who's got a shoulder for me?

The virus contains three procedures in module "ThisDocument": "Document_DocumentOpened()", "Unstable()" and "ci()". Inside infected documents the second procedure is unreadable because of encryption. The virus decrypts this procedure only just before it is called.

Macro.Word.Agent

Description Macro.Word.Agent

This is a polymorphic and stealth Word macro virus. It contains one macro, "AutoOpen", and replicates on opening documents. The virus deletes the following menu items:
Tools/Macro, Tools/Customize, File/Templates, Format/Style.

The mutation (polymorphic) engine, depending on the random counter, inserts random comments at random positions in the virus code and renames some virus variables with randomly selected names. This engine is "slow" because it is executed only if, at infection time, the current seconds value is 23 or 45. As a result, in 97% of cases the polymorphic engine is not executed, and the "child" infector has the same code as the "parent" one.
Depending on the random counter, the virus sends a copy of the current document to Internet news-groups, so the virus uses global networks to spread itself. This can also lead to disclosure of confidential information, if it is part of the document that is sent to the Internet.
To post documents to the Internet, the virus executes the news client AGENT.EXE, selects one of the news-groups (see the list below) and sends a message there. The message has one of several possible Subjects (see the list below), the text "WM/Agent by Lord Natas" followed by randomly selected characters, and the infected document attached.
The list of news-groups is as follows:
alt.aol-sucks alt.sex.zoophilia
alt.binaries.cracks alt.windows95
alt.binaries.pictures.erotica alt.sex.passwords
alt.binaries.warez.ibm-pc alt.binaries.warez
alt.conspiracy alt.binaries.sounds.mp3
alt.drugs.pot alt.comp.virus
alt.fan.hanson alt.2600
alt.flame alt.2600.hackerz
alt.hacker alt.skinheads
alt.sex alt.sex.babies
alt.sex.necrophilia alt.sex.bondage
alt.sex.stories

Subjects are:
Free XXX Passwords New Virus Alert!
Check this out! Serial Number List!
Official WaReZ site list Official mp3 site list
Easy Money! Elite XXX site list
My first fuck by Todd New erotic story
Hanson rulez! Important Princess Diana Info
Warez mailing list details Important Monica Lewinsky Info
Crackz mailing list details How to find child pornography
Learn to hack! Cable TV descrambler instructions!
Attn: All k3wl h4ck3rz Kewl N64 Emulator & MP3 sites
Important Info


    Copyright © 2005 Virus-Database.com