Win32.Parite.a
Description Win32.Parite.a
The virus consists of a dropper, which is written in assembler, and the virus part itself, written in Borland C++. When an infected file is launched, control passes to the virus dropper, which writes the virus to a temporary file and executes its infection procedure. The virus searches for Win32 PE EXE files with .scr and .exe extensions on all logical drives of the computer, and also in shared resources of the local network, and infects them. The virus doesn't manifest its presence in any way.
The structure of an infected file looks like this:
Host file
Virus dropper - drops "main" to TEMP dir and executes it.
main - searches for files and infects them, etc.
Macro.Word97.ThisDocument
Description Macro.Word97.ThisDocument
This virus contains six macros in one module "ThisDocument": AutoExec, AutoOpen, FileSaveAs, FileTemplates, ToolsMacro, ViewVBCode. The virus infects the global macros area on opening an infected document, and while infecting, the virus also exports its code to the C:\THISDOC.LOG file and displays the MessageBox: Virus ThisDoc Attention, ThisDocument est infecté...
The virus infects documents on saving them with a new name, and it also displays the following MessageBox while infecting: Virus ThisDoc Je suis une Nouvelle Génération de Virus de Macro...
On entering the Tools/Macro menu, the virus displays the MessageBox: Microsoft Word Erreur Système Veuillez réessayer plus tard
On calling the ViewVBCode macro, it displays the MessageBox: Microsoft Word Ce programme a réalisé une opération illégale et va être interrompu.
On the 15th of any month, it displays the MessageBox: Virus ThisDoc ZeMacroKiller98 est heureux de vous présenter sa nouvelle création...
If the day number is equal to the hour, the virus displays the MessageBox: Virus ThisDoc Vos données vont être détruites...
and erases the files: C:\Windows\*.INI C:\Windows\*.COM
Macro.Word97.Thus.aa
Description Macro.Word97.Thus.aa
This macro-virus contains three procedures: "Document_Open", "Document_Close" and "Document_New". On the opening of an infected document, it infects the global macro area. The infecting routine checks and infects all opened, closed and created documents. On December 13, the virus deletes all files on drive C:, including subfolders. The virus body contains the following comment: Thus_001
Macro.Word97.Thus.aa
This virus modification has another payload routine. After infection, the virus randomly chooses one file on a local disk and copies an infected document under the same name as the chosen file, but with the extension ".DOC", and waits for someone to open the infected document instead of the original file. If the file chosen by the virus has the extension ".DOC", the virus overwrites it with an infected document.
When activated (upon document opening, closing or creating), the virus randomly chooses one file on the local disk and encrypts the first 32 kilobytes of data in the file. As a result, a user's data and program files are corrupted. Because the encryption algorithm is reversible, all data can be restored except for one byte at the end of an encrypted block, which is overwritten by the virus. The program for restoring encrypted files can be obtained by special request to AVP support.
The virus uses tricks to hide itself in a system. Upon clicking on the menu "Tools/Macro" or summoning the Visual Basic Editor, the virus displays the message: File VBADLG.DLL not found
On "Tools/Templates and Add-ins..." the virus displays the message: Global template not loaded