Virus Database

Win95.PoshKill.1398

Description Win95.PoshKill.1398

It is a dangerous memory resident encrypted parasitic virus. It stays in Windows memory as system driver (VxD), hooks file access functions (IFS API) and writes itself to the end of PE EXE files that are opened, renamed or file attributes are accessed. The virus does not affect the program's startup address, it writes a JmpVirus routine to the file entry address instead. The virus checks file names and does not infect anti-virus programs and utilities: TBAV, F-PROT, NAV, AVP, WEB, PAV, DRWEB, DSAV, NOD, WINICE, FORMAT, FDISK, SCANDSKW, DEFRAG.
On October 26 the virus runs its video effect: the virus rolls from right to the screen contents in endless loop. The virus does that in system driver level, and as a result it cannot be terminated, and no other application can be selected. The unsaved data can be lost because of that.
The virus contains the text strings:
[I AIDA]
[Win95.PoshKiller v1.00]
(c) 1999 Billy Belcebu/iKX

Check other viruses! Be aware! Use Antiviral Software

Macro.Word97.Tanggal

Description Macro.Word97.Tanggal

This virus contains two macros:
Documents NORMAL.DOT
AutoOpen Jua
Joea FileSaveAs

It infects the global macros area upon opening an infected file (AutoOpen) and infects documents that are saved with new name (FileSaveAs).
On the 1st of each month, it displays the following MessageBox:
Tanggal satu, baru gajian nih ye, cerah sekali deh senyumnya.

Macro.Word97.Techno

Description Macro.Word97.Techno

It is a stealth macro-virus. It contains twenty procedures in one module "VrTechnoCode": VrInstall, AutoOpen, AutoExec, FileOpen, FileNew, FileNewDefault, FileSaveAs, FileSave, FileClose, DocClose, ViewVBCode, ToolsMacro, FileTemplates, ToolsOptions, VrStealth, IsChance, FilePrint, FilePrintDefault, AddOemInfo, CreateImageScreen.
The virus infects the global macros area on opening an infected document and infects other documents on opening, creating and saving. On closing a document, the virus sets the document protection type to wdAllowOnlyFormFields that denies any changes in the document text except form fields. On opening infected documents, the virus unprotects them, and on closing, protects them again. As a result, after disinfection, documents will stay protected. This protection may be removed manually by choosing the menu Tools/Unprotect, password is "Elite".
The virus turns off the Word virus protection (the VirusProtection option). The virus' stealth routine intercepts and prevents the opening of Visual Basic Editor, Tools/Macro and File/Templates dialogue boxes. With a probability of one in five, this routine displays MS Office Assistent with the message:
VR Òåõíîëîãèÿ v1.0
Word Macro ÂÈÐÓÑ!!!
ÄÂÞÈ ÌÂÄ ÐÔ c 1999

The virus infecting routine, with probability of one in nine, creates, in the "C:WindowsSystem" directory, the "oeminfo.ini" file with the text:
[General]
Manufacturer=ÄÂÞÈ ÌÂÄ ÐÔ
Model=MS Word Âèðóñ
[Support Information]
Line1=Êîìïüþòåð çàðàæåí âèðóñîì: VrTechno V1.1
Line2=
Line3=Word Macro Virus
Line4=John Great, ÄÂÞÈ ÌÂÄ ÐÔ - (C) '1999

With probability five percents the infection procedure inserts into documents a graphic shapes with text:
Microsoft Word Macro Virus
VrTechnoCode
- Word 7.0 Version 1.1
- Stealth Technology
- Infect Documents and Templates
Copyright by John Great from Russia Far East, Khabarovsk'1999

The virus contains another payload routine - on printing the virus with probability 20 percents sends to printer the content of the "Autoexec.bat" file instead of active document.
The virus code contains comment:
'-------------------------------------------------------'
' VR Òåõíîëîãèÿ v1.1 by John Great from Russia (C)'99 '
'-------------------------------------------------------'

Techno.c
This is the next generation of the virus. There are several minor changes in the code. The password for infected documents in this virus version has been changed to "Mirochka".

Home