Virus Database


Worm.Info Family

Description Worm.Info Family

These are not dangerous, memory-resident, encrypted stealth virus-worms. When executed, they display the following messages:
"Worm.Info.2142":
-*- INFOSYSTEM -*-
version 1.04
(C) 1995 by Ziff Co.
Reading System Information...
Computer type: IBM PC

"Worm.Info.2191":
InfoSystem version1.01
Reading System Information...
Computer type: IBM PC

"Worm.Info.2259":
Reading System Information...
Computer type: IBM PC

Then they check the type of computer and display one of the strings:
Original
XT
AT
Convertible
PS/2
Junior
Unknown

Then the virus displays the messages:
Checking HDD controller...
SCSI controller type: Unknown (Error14)

and calls the infection routine. While infecting the computer, the virus searches the directories listed in the PATH string, creates INFO.COM files there, and writes its code into them. Then the virus searches for .BAT files in these directories and writes the following commands:
@if not exist info.com goto noinfo
@info>nul
:noinfo

to the beginning of the batch files. When executed, such BAT files run the virus.
Then the virus installs itself memory-resident in UMB, HMA or conventional memory, hooks INT 1Ch and INT 21h, and then drops its code into the current directory on FindFirst (AH=11h, 4Eh) calls. When modified BAT files are accessed, and on FindFirst/Next calls, the virus calls its stealth routine. The virus also checks the names of the programs that are executed, and if the name is CHKDSK, WEB or DRWEB, the virus disables its stealth routines.
By hooking INT 1Ch, the virus checks the INT 1 vector (tracing) and disables tracing of the virus code.
On Friday the 13th the virus changes the VGA video ports.
The virus also contains the internal text strings:
COMMAND NET?.CHKDSK.WEB.DRWEB.INFO.COM ATH=*.BAT

Check other viruses! Be aware! Use Antiviral Software
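
The traces described above (INFO.COM dropped into PATH directories and a three-line stub written to the beginning of .BAT files) can be checked with a short script. This is an added example, not code from the original description; the function names and the constructed demo files are assumptions. Because the resident virus runs a stealth routine when modified BAT files are accessed, the scan is meant for a disk examined from a clean system.

```python
import tempfile
from pathlib import Path

# Stub the description says is written to the beginning of .BAT files.
STUB = ["@if not exist info.com goto noinfo", "@info>nul", ":noinfo"]

def has_stub(bat_path):
    """True if the first three lines of the batch file are the stub."""
    with open(bat_path, "r", encoding="cp437", errors="replace") as fh:
        head = [fh.readline().strip().lower() for _ in STUB]
    return head == STUB

def scan_path(path_value, sep=";"):
    """Return (INFO.COM candidates, modified .BAT files) in PATH directories."""
    droppers, bats = [], []
    for directory in filter(None, (d.strip() for d in path_value.split(sep))):
        if not Path(directory).is_dir():
            continue
        for entry in sorted(Path(directory).iterdir()):
            if not entry.is_file():
                continue
            if entry.name.lower() == "info.com":
                droppers.append(entry)      # candidate only: confirm before deleting
            elif entry.name.lower().endswith(".bat") and has_stub(entry):
                bats.append(entry)
    return droppers, bats

def strip_stub(bat_path):
    """Remove the stub lines from a modified batch file; True if changed."""
    if not has_stub(bat_path):
        return False
    lines = Path(bat_path).read_bytes().splitlines(keepends=True)
    Path(bat_path).write_bytes(b"".join(lines[len(STUB):]))
    return True

def demo():
    """Scan and clean a constructed PATH: one directory with traces, one clean."""
    with tempfile.TemporaryDirectory() as root:
        bad, good = Path(root, "DOS"), Path(root, "UTIL")
        bad.mkdir(), good.mkdir()
        (bad / "INFO.COM").write_bytes(b"")
        (bad / "AUTOEXEC.BAT").write_bytes(
            "\r\n".join(STUB + ["@echo off", ""]).encode("ascii"))
        (good / "RUN.BAT").write_bytes(b"@echo off\r\n")
        droppers, bats = scan_path(f"{bad};{good}")
        cleaned = [strip_stub(path) for path in bats]
        return len(droppers), len(bats), cleaned, bats[0].read_bytes()

if __name__ == "__main__":
    print(demo())
```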

Formula.Excel.Paix

Description Formula.Excel.Paix

This virus replicates in the same manner as other Excel viruses. It hooks system events (window activating - OnWindows) and copies its code to each sheet that is activated. On first start (when an infected sheet is first opened) the virus installs itself into the system: it registers its host file as an Add-In with the name XLSHEET.XLA in the current directory or in the C:\WINDOWS directory. On such a request Excel automatically creates a new copy of the infected document (with the name XLSHEET.XLA), and on each subsequent Excel start it loads and activates this Add-In, i.e. the virus code. As a result, after creating the infected Add-In the virus is active the whole time Excel is running and infects all files that are opened or created.
The virus is of French origin (see the routine names below) but is able to infect and replicate under any local Excel version starting from 4.
The virus has five routines: auto_ouvrir, activation_feuille, protect, !!!GO, auto_fermer. All of them (except !!!GO) call the infection routine. Depending on the system random counter (with a probability of 2%) the virus activates the trigger subroutine (which is placed in the !!!GO routine). The trigger routine hides all opened tables and Excel elements (buttons, menus, status bar) and replaces the "Microsoft Excel" text at the top of the Excel window with the text: "Enfin la paix ..."
It is not possible to detect and disinfect the virus by standard methods (entering Tools/Macro and looking for macros) because the virus sets the VeryHidden attribute for its macros. This attribute cannot be disabled through the Excel menus. To find and view the virus code, it is necessary to write a special routine in Excel Basic (a macro routine).
As a result, a user has no tools to detect this virus on their computer, and all known anti-virus programs are not able to detect it now. The virus can be found only by its traces:
- the Tools/Add-Ins menu contains a reference to the XLSHEET file
- infected files contain the text strings:
Enfin la paix ...
!!!GO

Partial protection can be achieved by creating a read-only dummy file named XLSHEET.XLA in the C:\WINDOWS directory. After that the virus will not be able to install its Add-In in the C:\WINDOWS directory. If it creates this Add-In in other directories, you should create the same dummy XLSHEET.XLA file in those directories as well.

Formula.Excel.Paix

Description Formula.Excel.Paix

All PC users (or most of them) know about macro viruses that affect Word documents and Excel sheets. Everyone is used to the fact that these viruses write themselves to some "macro modules area", and that virus macros are visible in the Tools/Macro menu (unless, of course, the virus has disabled it; some "stealth" macro viruses do that). Most anti-virus scanners are able to extract macros from these "macro modules areas" and to detect and disinfect them. The news is that there are more macro areas in Excel: viruses that affect Excel sheets are able to spread not only through the standard macro area, but also through a special area, the Excel 4 macro area.
Although modern Excel versions (starting from version 5) offer more complex and advanced technologies, the ability to create and use old-style macros (Excel 4 macros) is still supported. Because of these "Excel 4 traces", all macros written in Excel 4 format still work in all new versions, despite the fact that Microsoft does not recommend using them and the Excel package does not include the necessary documentation.
Tech
This new type of virus (or, better to say, "new type but old format") replicates in the same manner as other Excel viruses. It hooks system events (window activating - OnWindows) and copies its code to each sheet that is activated. On first start (when an infected sheet is first opened) the virus installs itself into the system: it registers its host file as an Add-In with the name XLSHEET.XLA in the current directory or in the C:\WINDOWS directory. On such a request Excel automatically creates a new copy of the infected document (with the name XLSHEET.XLA), and on each subsequent Excel start it loads and activates this Add-In, i.e. the virus code. As a result, after creating the infected Add-In the virus is active the whole time Excel is running and infects all files that are opened or created.
The virus is of French origin (see the routine names below) but is able to infect and replicate under any local Excel version starting from 4.
The virus has five routines: auto_ouvrir, activation_feuille, protect, !!!GO, auto_fermer. All of them (except !!!GO) call the infection routine. Depending on the system random counter (with a probability of 2%) the virus activates the trigger subroutine (which is placed in the !!!GO routine). The trigger routine hides all opened tables and Excel elements (buttons, menus, status bar) and replaces the "Microsoft Excel" text at the top of the Excel window with the text: "Enfin la paix ..."
Detection and Disinfection
It is not possible to detect and disinfect the virus by standard methods (entering Tools/Macro and looking for macros) because the virus sets the VeryHidden attribute for its macros. This attribute cannot be disabled through the Excel menus. To find and view the virus code, it is necessary to write a special routine in Excel Basic (a macro routine).
As a result, a user has no tools to detect this virus on their computer, and all known anti-virus programs are not able to detect it now. The virus can be found only by its traces:
- the Tools/Add-Ins menu contains a reference to the XLSHEET file
- infected files contain the text strings:
Enfin la paix ...
!!!GO

Today it is also not possible to protect the system. Partial protection can be achieved by creating a read-only dummy file named XLSHEET.XLA in the C:\WINDOWS directory. After that the virus will not be able to install its Add-In in the C:\WINDOWS directory. If it creates this Add-In in other directories, you should create the same dummy XLSHEET.XLA file in those directories as well.
"Kaspersky Lab" is working on detection and disinfection routines right now. The detection module for AVP will be available soon.
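
Both Formula.Excel.Paix descriptions above note that the macros carry the VeryHidden attribute and that infected files contain known text strings; the check below looks for both outside Excel. It is an added example, not code from the original page or from any anti-virus product. It assumes the workbook stream ("Book" or "Workbook") has already been extracted from the .XLS container, that VeryHidden corresponds to visibility state 2 in a BOUNDSHEET record, and the sample bytes and sheet names are constructed.

```python
import struct

BOF, BOUNDSHEET, MACRO_SHEET = 0x0809, 0x0085, 0x01   # 0x01: Excel 4 macro sheet
STATES = {0: "visible", 1: "hidden", 2: "very hidden"}
MARKERS = ("Enfin la paix", "!!!GO")     # text strings listed in the description

def records(stream):
    """Yield (record id, payload) for each BIFF record in the stream."""
    pos = 0
    while pos + 4 <= len(stream):
        rec_id, size = struct.unpack_from("<HH", stream, pos)
        yield rec_id, stream[pos + 4:pos + 4 + size]
        pos += 4 + size

def sheet_name(payload, biff8):
    count = payload[6]
    if not biff8:                        # BIFF5: 8-bit characters, no flag byte
        return payload[7:7 + count].decode("cp1252", "replace")
    wide = payload[7] & 1                # BIFF8 flag byte: 1 = UTF-16LE
    raw = payload[8:8 + count * (2 if wide else 1)]
    return raw.decode("utf-16-le" if wide else "latin-1", "replace")

def hidden_macro_sheets(stream):
    """Return (name, state) for every macro sheet that is not visible."""
    biff8, found = True, []
    for index, (rec_id, payload) in enumerate(records(stream)):
        if index == 0 and rec_id == BOF and len(payload) >= 2:
            biff8 = struct.unpack_from("<H", payload)[0] >= 0x0600
        elif rec_id == BOUNDSHEET and len(payload) >= 8:
            state, kind = payload[4] & 0x03, payload[5]
            if kind == MACRO_SHEET and state:
                found.append((sheet_name(payload, biff8), STATES.get(state, "unknown")))
    return found

def marker_hits(data):
    """Markers present in the raw bytes, as 8-bit or UTF-16LE text."""
    return [m for m in MARKERS if m.encode("latin-1") in data or m.encode("utf-16-le") in data]

def _rec(rec_id, payload):
    return struct.pack("<HH", rec_id, len(payload)) + payload

def _sheet(state, kind, name):           # BIFF8 BOUNDSHEET with an 8-bit name
    head = struct.pack("<IBBBB", 0, state, kind, len(name), 0)
    return _rec(BOUNDSHEET, head + name.encode("latin-1"))

# Constructed sample: visible worksheet, very hidden macro sheet, one marker string.
SAMPLE = (_rec(BOF, struct.pack("<HH", 0x0600, 0x0005)) + _sheet(0, 0x00, "Sheet1")
          + _sheet(2, 0x01, "Macro1") + b"Enfin la paix ...")
```

A hit from `hidden_macro_sheets` alone is not proof of infection, since legitimate workbooks can also hide macro sheets; the marker strings and the XLSHEET Add-In reference narrow it down.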

    Copyright © 2005 Virus-Database.com