Virus Database

Worm.Win32.Padobot.gen

Description Worm.Win32.Padobot.gen

Already known variants of Worm.Win32.Padobot and new variants will be detected using this definition.
Generic detection is based on the analysis of code from known variants. Similar functions will be searched for when scanning; this makes it highly likely that new variants of the worm will be detected.

Check other viruses! Be aware! Use Antiviral Software

Macro.Word97.Zmk

Description Macro.Word97.Zmk

This virus contains five macros in one module "ZMK98FAV": AutoOpen, FileSaveAs, FileTemplates, ToolsMacro, ViewVBCode.
It infects the global macros area on opening an infected document and infects documents on saving with a new name. The virus then searches and infects documents in the current directory.
The virus displays the MessageBoxes:
ZMK98FAV
Je suis un nouveau AntiVirus pour Word 97
ZMK98FAV
Vous feriez mieux d'acheter un VRAI ANTIVIRUSall
HAHA !!!!!

Macro.Word97.ZMK.J

Description Macro.Word97.ZMK.J

Analysis by and (c) Paolo Monti
This macro-virus was written in VBA (Visual Basic for Applications) for MS Word 8.0 (Office 97). It contains very dangerous payloads, and it displays message and dialogue boxes concerning the World Cup Soccer Championship France 98. The VBA project of the virus contains one form named Pronostic and a module implementing 8 different macros:
AutoExec: calls the macro Pronostique or WC98Payload (see below).
AutoOpen: infects the global template and displays a messagebox.
FileSaveAs: infects new documents, saving them as templates, and displays a messagebox.
FileTemplates: displays a messagebox.
Pronostique: displays a dialogue box where the user is forced to make a choice, and implements a number of different payloads.
ToolsMacro: displays a messagebox,
ViewVBCode: shows the MS Word Assistant displaying a message,
WC98Payload: modifies the contents of an active document.
The following instructions can be found at the beginning of all macros:
Disable the possibility to interrupt macro execution
Enable the execution of automatic macros
Disable the antivirus protection built in Ms Word
Disable the confirmation for the global template saving, usually asked before exiting from the program.
The automatic macro AutoExec, executed at the startup of MS Word or when a general template is loaded, gets the current system date and time. If the day number is 12 or the seconds of the system clock are at 12, the AutoExec macro calls the macro Pronostique or the macro WC98Payload. The choice between the two macros is applied randomly. Each has a 50% probability to be called from AutoExec macro.
The macro Pronostique displays a dialogue box on the screen (the form Pronostic) by which the user is asked to choose among 9 different teams partecipating in the France 98 Championship. If the user chooses the same team selected randomly by the virus, a messagebox of congratulations is displayed on the screen, then the virus goes into an endless loop showing a message in the status bar. Otherwise, the virus applies a randomly selected payload. With a probability of 40%, the virus appends the following lines to the file C:AUTOEXEC.BAT:
cls
Echo La coupe du monde 98 c'est gÊnial!!!!
Echo y|Format c: /u /v:WorldCup98
Echo o|Format c: /u /v:WorldCup98

27% of the time, the virus tries to delete all files in the directories C:DOS and C:WINDOWSCOMMAND and the files C:MSDOS.SYS and C:IO.SYS.
In the remaining cases, the virus modifies the text of the active document and prints it.
The macro WC98Payload creates in the active document a WordArt object, applies to it a number of rotation effects, and then erases it.
Inside the project of the virus there are some messages in French:
"VIVE LA COUPE DU MONDE 98!!!!"
"Vive le football!!!, Vive la Coupe du Monde 98!!!"


AVP detects/disinfects this virus since weekly update 980706

Home