Virus Database

XIV.2248

Description XIV.2248

It is dangerous memory resident parasitic virus. It hooks INT 21h, 2Fh and writes itself to the end of EXE files that are executed, opened or renamed. IT overwrites the MBR of the hard drive with the program that sometimes displays the strings (see also boot virus XIV):
XIV L.O. Wroclaw
Najlepszy polski program antywirusowyMkS_Vir kupisz w firmie:
APEXIM Sp. z o.o.
ul. Zielna 39
00-108 Warszawa
tel. 24-25-79
Hi to friends from the 6th IOI, CEIC & Cluj. M.S. Pol.
XIV

Check other viruses! Be aware! Use Antiviral Software

Macro.Word97.Trojan.Tvangeste

Description Macro.Word97.Trojan.Tvangeste

This is a Trojan horse written as a MS Word97 macro-program. When it is activated, it appends to the end of a AUTOEXEC.BAT file a set of commands that delete all data on the C:,D:,E: drives. It then displays the following messages:
World War starting now!
Tvangeste v 1.0
3rd World War

It then goes into an endless loop displaying the following message:
3rd World War

Macro.Word97.Trojan.Tvangeste.b
This macro-Trojan saves the copy of an infected document with the name "C:Program FilesMicrosoft Office?"--ëkafeln.dot" and appends to the end of AUTOEXEC.BAT file the commands:
cd C:Program FilesMicrosoft Office?"--ëdel normal.dot
ren kafeln.dot normal.dot

In this way, this Trojan tries to replace a normal template with an infected one, but it works only in case the Russian version of MS Word is installed, and the templates directory is "C:Program FilesMicrosoft Office?"--ë".
The Trojan also appends to the AUTOEXEC.BAT file the commands:
md c:atp_tour
md c:atp_tourkafelnik.001
md c:atp_toursampras.002
md c:atp_tourcorretja.003
md c:atp_tour after.004
md c:atp_tourmoya.006
md c:atp_tourhenman.007
md c:atp_tour ios.008
md c:atp_tourphilipou.009
md c:atp_tourkucera.010
md c:atp_tourkrajicek.005
subst k: c:atp_tour >nul

Then it displays messages in Russian and:
Tvangeste v 2.0
Kafelnikov

Macro.Word97.Trud

Description Macro.Word97.Trud

This virus contains one procedure "Document_Close" in one module. It replicates upon document closing. While infecting, the virus turns off the Word anti-virus protection (the VirusProtection option).
This virus has a generation counter, and runs its payload routine when the generation counter exceeds 69. This routine is activated upon document closing, and displays an assistant balloon with the following message:
Isn't life just a bitch
Choose an option.

with three buttons:
Loose all your data.
Loose most of your data.
Loose just enough data to really fuck you off

After choosing any of them, the virus inserts to the beginning of the document the following text:
Don't Worry About a Thing !!! I wouldn't fuck up your data !!!

This text is formatted with in green with a font size of 24.
Trud.b
This virus has stealth functions: it disables the "Tools/Macro" menu and viewing Visual Basic code. It also has an expanded payload routine. Before displaying the assistance balloon, it inserts into a document 36 shapes, "smiley face", of different colors.

Home