Virus Database


Win95.Bonk family

Description Win95.Bonk family

These are dangerous memory-resident parasitic Windows 95/98 viruses. They install themselves into Windows memory and write themselves to PE EXE files as those files are opened. The viruses have a bug and replicate only in a specific environment; otherwise they halt the system. The viruses contain the text string:
[BONK32] by Vecna/29A

They also write the "BONK" ID-text to the file's PE header (to the CheckSum field). To prevent duplicate infection, the viruses test the file header for this text before infecting a file.
The viruses use several tricks while going memory resident and while infecting files. They allocate memory and install themselves into the VxD area (Ring0) using a method similar to that of "Win95.CIH". Running in Ring0, the viruses hook IFS API calls, intercept file opening, compare the file extension with EXE and call the infection routine.
While infecting a file, the viruses use one of two ways to patch the program's entry address: they either modify the entry address field in the PE header, or patch the original entry routine with a JMP_Virus instruction. The second way is selected only if there are no relocated addresses at the program's entry.
The viruses write their code to two parts of the file. The first part of the virus code (the entry routine, about 200 bytes) is saved to the file header; the main part of the virus code is written to the end of the file. This second part is written as an "overlay": the viruses do not modify the PE header to attach this code to the infected file's code and force Windows to load it when an infected file is executed. To access this second part, the virus entry routine opens the host file, seeks to the end of the file and reads the main virus code from there.
To make file disinfection more complex, the viruses encrypt a part of the host file (100h bytes at the file entry) and do not store the encryption key. So that the original host data can be restored before control returns to the host program, the viruses calculate the CRC of the host block and store it. To decrypt the host data, the viruses try all possible keys: they decrypt, calculate the CRC and check it. If the CRC matches the original one, the viruses return to the host entry routine.
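A triage check for the two file-level traits described above (the "BONK" text in the CheckSum field and virus code appended as an overlay), given as an added example that is not part of the original description. It assumes the four ID bytes sit in the field in file order; `inspect_pe` and `build_sample` are hypothetical names, and the sample images are constructed for the demonstration.

```python
import struct

MARKER = b"BONK"  # ID-text the description places in the PE CheckSum field

def inspect_pe(data: bytes) -> dict:
    """Report the CheckSum marker and any overlay (bytes past the last section)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe, = struct.unpack_from("<I", data, 0x3C)            # e_lfanew
    if pe + 24 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsects, = struct.unpack_from("<H", data, pe + 6)      # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe + 20)   # SizeOfOptionalHeader
    opt = pe + 24                                         # optional header start
    table = opt + opt_size                                # section table start
    if opt_size < 68 or table + 40 * nsects > len(data):
        raise ValueError("truncated headers")
    end, = struct.unpack_from("<I", data, opt + 60)       # SizeOfHeaders
    for i in range(nsects):
        # SizeOfRawData and PointerToRawData of section i
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        if raw_size:
            end = max(end, raw_ptr + raw_size)
    return {
        "marker": data[opt + 64:opt + 68] == MARKER,      # CheckSum field bytes
        "overlay_bytes": max(0, len(data) - end),
    }

def build_sample(checksum: bytes, overlay: bytes) -> bytes:
    """Constructed test image: headers plus one 0x200-byte section at 0x200."""
    hdr = bytearray(0x200)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)               # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x86, 1)                  # one section
    struct.pack_into("<H", hdr, 0x94, 0xE0)               # PE32 optional header size
    opt = 0x98
    struct.pack_into("<H", hdr, opt, 0x10B)               # PE32 magic
    struct.pack_into("<I", hdr, opt + 60, 0x200)          # SizeOfHeaders
    hdr[opt + 64:opt + 68] = checksum
    struct.pack_into("<II", hdr, opt + 0xE0 + 16, 0x200, 0x200)  # raw size, raw ptr
    return bytes(hdr) + bytes(0x200) + overlay

if __name__ == "__main__":
    print(inspect_pe(build_sample(b"\0\0\0\0", b"")))       # clean-looking image
    print(inspect_pe(build_sample(MARKER, b"\xcc" * 300)))  # marker plus overlay
```

An overlay alone is not an indicator, since installers and signed binaries also carry data past the last section; the marker in the CheckSum field is the trait specific to this family.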


Macro.Office97.Jerk family

Description Macro.Office97.Jerk family

These are multi-platform macro-viruses infecting Office97 components: Word documents and Excel workbooks and sheets. The viruses contain two auto-macros in Excel sheets and Word documents: Document_Close in Word documents, and Workbook_Deactivate in the case of an Excel workbook or Worksheet_Deactivate in the case of an Excel sheet.
In Excel, the viruses replicate when workbooks are deactivated. In Word, they replicate when a document is closed. While spreading, the viruses infect not only "native" objects, but also export their code to the other Office component if it is installed on the system.
The viruses turn off the VirusProtection MS Office option.
On the 14th of each month from June to December, the "Jerk.a" virus displays the message:
Class.Poppy
I think is a big stupid jerk!

On the same date "Jerk.b" and "Jerk.d" display an encrypted variant of the same message:
www.all.net
V guvax vf n ovt fghcvq wrex!

Macro.Office97.Toraja

Description Macro.Office97.Toraja

This macro-virus infects files of two MS Office 97 applications: Word documents and Excel datasheets. For document compatibility, Office 97 uses Visual Basic Script, which is contained in both Word and Excel files.
Upon opening, the virus infects the system, documents and sheets (AutoOpen macros in Word and Auto_Open in Excel). Upon infection, the virus uses the Office 97 import/export (read/write) functions to transfer the virus code via a text file: it copies its exit code to the text, and then imports it to the infected object.
Upon exiting Word (Auto Exit), the virus attempts to infect Excel. It performs a DDE exchange: it starts Excel with a minimized window and transfers all the information and commands necessary for creating the infected AutoRecover17.XLS file in the Excel start-up directory. Word is infected from Excel in a similar way when a datasheet is opened (Auto_Open). The virus starts Word with a minimized window, opens Visual Basic Editor, and obtains the virus code from the AutoRevolver17.dat file.
The virus contains the following copyright string:
Created : Toraja High Land 1998 by Marsel - Lina
Modified : July 1999

    Copyright © 2005 Virus-Database.com