Virus Database

Win95.Yurn

Description Win95.Yurn

This virus infects Windows95 PE EXE files (Portable Executable) and KERNEL32.DLL system file. While infecting the virus writes itself to the end of the file: increases the size of last PE section, writes itself to there and modifies the file PE header. To take control while execution the virus modifies the program EntryPoint address. While infecting KERNEL32.DLL the virus uses more complex way: it looks for GetFileAttributesA public routine and patches it with CALL_Virus instruction. As a result the entry point address in case of KERNEL32.DLL stays the same, but the virus takes control when applications access file attributes.
When an infected PE EXE file is executed, the virus scans Windows95 kernel and searches for eleven routines:
GetTickCount, GetWindowsDirectory, SetFileAttributes, CreateFileA,
SetFilePointer, ReadFile, WriteFile, FindClose, GetSystemDirectoryA,
GetFileAttributesA, CopyFileA

The virus then uses addresses of these routines while searching for files and infecting them. To call these routines the virus does direct calls to Windows95 kernel.
The virus then locates the KERNEL32.DLL file in the SYSTEM directory, copies it to the WINDOWS directory (usually this directory is patent for SYSTEM subdirectory) and infects newly created file. The virus then returns control to the host program.
When infected KERNEL32.DLL is loaded the virus stays in Windows95 memory as a part of kernel and hooks GetFileAttributesA calls. When PE EXE files are accessed with that call, the virus infects them.
The virus has bugs and may corrupt files and halts the system while infecting. The virus contains the text string:
* [YURN] by Virogen *
KERNEL32.DLL

Check other viruses! Be aware! Use Antiviral Software

Macro.Word.Sveta

Description Macro.Word.Sveta

This virus contains two macros: AutoOpen, Sveta. It replicates on opening infected documents (AutoOpen): it searches for documents in FileList (recently used files list) and infects them. So the virus is "nonmemory resident" - it is active only when infected document is being opened, and AutoOpen macro takes control. When it releases control, the virus does not intercept any events and does not infect files (if, of course, NORMAL.DOT or some another auto-loaded template is not listed in FileList).
On activating at 13 seconds (i.e. on opening an infected document) the virus displays to the StatusBar the message:
----------======> SVETA by Kid Chaos [SLAM] <=======----------

Macro.Word.Switcher

Description Macro.Word.Switcher

This is an encrypted stealth Word macro virus. It contains ten macros: AutoExec, AutoOpen, AutoClose, FileClose, FileOpen, FileSave, FileSaveAs, FilePrint, FileTemplates, ToolsMacro.
The virus infects the global macros area (NORMAL.DOT) on opening an infected document, saving it, saving with new name, closing, printing and entering Tools/Macro menu. Documents get infection when they are saved, saved with new name or closed. The infection routine is placed in FileClose macro, other macros call that macro to run infection.
On closing a document if the seconds are less than 10, the virus replaces one random digit in current document. On entering Tools/Macro and File/Templates menus the virus displays the MessageBox:
Configuration conflict - menu item is not available.

Home