Win95.Markj.983
Description Win95.Markj.983
This is a memory-resident parasitic Windows 95 virus. When an infected file is executed, the virus copies itself into a cave in the Windows kernel (VMM data), hooks the IFS API and infects PE executable files as they are opened. While infecting, the virus creates a new section named "MarkJ_I" at the end of the file, writes its code there, and patches the PE header with a 46-byte entry routine. When an infected file is executed, this entry routine takes control and passes it to the main virus routine. The virus uses a trick to run in Ring0 so that it can intercept the IFS API: it patches the PE header so that the main virus code is loaded into an unused block of Windows VMM data at the address C0000000h. Windows 95 does not protect this block, so it is possible to write to that area and, moreover, to load a section of a PE executable file there; the virus exploits this weakness in Windows 95 security. The virus infects files with the EXE extension only, and does not infect several anti-virus programs and utilities whose names end with the letters: IN32, AN32, NT95, OT95, OL95, XD95, VP32, VW32, PW32, ETUP, TART, ORER, SCAN (SCAN, F-PROT95, AVP32, all SETUP, START, EXPLORER). The virus does not manifest itself in any way. It contains the text: Mark J written by Murkry/IkX Mark J (TNN Remix) - VicodinES /TNN /CB
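A triage check for the infection marker described above, as an added example that is not part of the original description: it parses the PE section table and reports whether a section named "MarkJ_I" is present and whether it is the section placed last in the file. The function names and the header-only sample produced by build_sample are constructed for illustration; a section-name match is an indicator for further analysis, not a complete detection.

```python
import struct

MARKER = b"MarkJ_I"  # section name given in the description above

def pe_sections(data):
    """Return [(name, raw_offset, raw_size)] for a PE image, or None if not PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header follows the 4-byte signature; optional header starts at +24.
    (nsec,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size
    sections = []
    for i in range(nsec):
        off = table + 40 * i  # each section header is 40 bytes
        if off + 40 > len(data):
            return None  # truncated section table
        name = data[off:off + 8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        sections.append((name, raw_ptr, raw_size))
    return sections

def markj_verdict(data):
    """Classify an image by the presence and position of the marker section."""
    secs = pe_sections(data)
    if secs is None:
        return "not-pe"
    if MARKER not in [s[0] for s in secs]:
        return "no-marker"
    # The description says the section is appended at the end of the file,
    # so the entry with the highest raw file offset should be the marker.
    last = max(secs, key=lambda s: s[1])
    return "marker-at-end" if last[0] == MARKER else "marker-elsewhere"

def build_sample(names):
    """Constructed header-only PE image for the demo; not a real sample."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0, 0x102)
    table = b""
    for i, n in enumerate(names):
        hdr = struct.pack("<IIII", 0x1000, 0x1000 * (i + 1), 0x200, 0x200 * (i + 1))
        table += n.ljust(8, b"\0") + hdr + b"\0" * 16
    return dos + coff + table

if __name__ == "__main__":
    print(markj_verdict(build_sample([b".text", b".data", MARKER])))
    print(markj_verdict(build_sample([b".text", b".data"])))
```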
Macro.Word.Emperor.a
Description Macro.Word.Emperor.a
This is an encrypted Chinese macro virus that replicates only under the Chinese version of Word. The virus contains five macros: AutoOpen, Emperor, VirusMessage, FileTemplates, ToolsMacro (stealth). Upon opening an infected document (AutoOpen), the virus infects all current Word windows (i.e., all files that are being edited). Upon entering the Tools/Macro menu, the virus erases all macros in NORMAL.DOT and calls AutoOpen (the infection routine). Depending on the random counter and the day of the week, the virus displays the following in message boxes (partly in Chinese): The First Emperor Ver 1.00 The First Emperor Ver 1.00 SSCAN,GSCAN,MacroTrap
Macro.Word.Employ
Description Macro.Word.Employ
This virus contains only one macro, "autoopen", and replicates itself when documents are opened. Starting on July 14th 1997, depending on the system random counter, it hides the status bar and scroll bars, sets a blue background, and so on. The virus also inserts the following text into documents: Les employés les plus incompétents sont systématiquement promus aux postes où ils se révèlent le moins dangereux: l'encadrement.