Virus Database

Win95.Murkry.399

Description Win95.Murkry.399

This is a benign non-memory resident parasitic virus infecting Win95 EXE files (PE). When an infected files is executed, the virus searches for all PE-EXE files in the current directory and infects them. While infecting a file the virus writes itself to the not used space in PE header. Because this virus is extremely short (less than 400 bytes), it can find files with such cave in their headers.
The virus have no trigger routines. It contains the text strings:
Murkry
While infecting, this virus uses direct calls to Win95 KERNEL32 and may cause system error messages: under several Win95 releases it accesses KERNEL32 by using wrong addresses.

Check other viruses! Be aware! Use Antiviral Software

Macro.Visio.Radiant

Description Macro.Visio.Radiant

This is the first known macro-virus infecting Visio documents, stencils and templates (Visio is the system to create, edit and store business drawing and diagrams - see http://www.visio.com). To automate data processing, Visio uses macro-programs written in VBA language (Visual Basic for Applications) - the same that is used in MS Office applications. As a result, the viruses in Visio are very similar to MS Office viruses, and they are able to infect Visio files in a very similar ways.
The virus itself is rather simple. It contains one procedure that is assigned with the "BeforeDocumentClose" event (it is activated upon document closing). When the virus procedure gains control, it enumerates and infects all opened documents. Because of the internal structure of Visio, the virus, while searching for documents, enumerates not only document files, but also stencils and templates as well.
The Visio stencils are similar to, for example, Word templates. These files contain library data for common use while creating and editing Visio documents. These stencils are automatically opened and processed by Visio in case of need (if a document uses them). In case these stencils are infected, the virus is loaded when a document accesses an infected stencil, and is activated upon this stencil's closing. At this moment, the virus infects all Visio files that are opened. As a result, if Visio stencils are infected, every document that is created or edited will be infect upon closing.
Because of this Visio feature, the virus can spread very quickly through Visio files.
The virus has a payload procedure: upon every launch, it creates the INDEX.HTML file in the root directory of the C: drive. This file contains following message:
A Multitude of Suns
Orbit in Empty Space
They Speak with their light
to all that is dark.
To me they remain silent.

Greets to all the VX Community
And Radiant Angels

itsall...

Radiant

At the very end of the virus macro-code there is a short line of symbols (a comment). It seems this line is encrypted information about the virus author, but the type of cipher and the key used for encryption of the text string are unknown.

Macro.Visio.Unstable

Description Macro.Visio.Unstable

This is the second macro-virus that also has pretensions to be The Number One in the "Macro.Visio" family. This virus is more complex than Macro.Visio.Radiant - it uses encryption and special tricks to hide its body in infected files.
The virus infects Visio documents, and stencils and templates upon opening an infected document. It enumerates all opened documents, stencils and templates and infects them by coping the virus body into them. To mark already infected documents, the virus writes "Visio2k.Unstable" into their description and does not infect documents with such a mark.
To hide itself, the virus closes all opened widows in the VBA editor, disables Visual Basic Editor's menus and "Standard" toolbar. In case a user tries to edit the macros inside infected documents, he/she will see just the empty editor's main window without any menus, toolbars and child windows.
The virus has a payload that triggers on the 31st, and it displays the message:
Visio2000.Unstable
Unstable, it's hard to be the one who's strong
Who's always got a shoulder to cry on
Who's got a shoulder for me?

The virus contains three procedures in module "ThisDocument" - "Document_DocumentOpened()", "Unstable()" and "ci()". Inside infected documents second procedure is unreadable because of encryption. The virus decrypts this procedure only just before its call.

Home