Virus Database

XPEH Family

Description XPEH Family

These are very dangerous (except for the harmless "XPEH.3600") memory resident parasitic viruses. They trace INT 21h, hook INT 1Ch and 21h, and then write themselves to the end of COM, EXE, OVL files that are loaded into the memory or accessed by DOS functions FindFirst/Next ASCII.
The viruses are encrypted by a quite complex algorithm. They also use an error-correcting code (see Yankee viruses). The viruses "XPEH.3872 and 4048" write the texts "XPEH" to the address 0000:0004 (INT 1) and "????" to 0000:000C (INT 3). Since September 1991 (for "XPEH.3872"), or since December 1991 (for "XPEH.4048"), the viruses have encrypted .BAK, .TXT, and .LEX files - their data is XORed with the word "XPEH".
The "XPEH.4768" virus emulates the DIR command. For this purpose, it contains the following strings:
Directory of
File(s)
bytes free


If the current day coincides with the current month (January,1, February,2, etc.), this virus wipes out all data on the C: disk, displaying in advance the following message in Russian: "If you have a hard drive indicator and it is on, hard disk formatting is going to the end. Best wishes!".
"XPEH.5840" writes the byte C3h (RET) to the beginning of the *SAFE.* files. This virus also contain a text in Russia: "Because a work getting the producing new XPEHs is paused for some time. 1991- MFTI(77)". MFTI is Moscow Physical and Technical Institute.

Check other viruses! Be aware! Use Antiviral Software

Macro.Word.Giggle

Description Macro.Word.Giggle

This is an encrypted macro-virus containing three macros: AutoOpen, FileSaveAs, OhYes. It replicates itself when documents are opened or saved with a new name. It identifies itself in documents according to the document variable "Giggle=OhMyGod".
On each day except Tuesday, the virus, depending on the random system counter, erases the files on the C: drive or replaces the strings:
By - It's Not Monday any more
^d - Error!
B - x
^# - #
^w - x

After deleting files, the virus displays one of the MessageBox'es:
Space Virus More space for the user
Sorry Self-destruct is in action
Windy
An error has occured you must re-start windows
This is the OBAY Virus

Macro.Word.Goggles

Description Macro.Word.Goggles

This is an encrypted macro virus. It contains only one macro AutoOpen, but on opening an infected file creates two new macros in global macros area (NORMAL.DOT) - Goggles and FileSave. Goggles macro is a copy of AutoOpen, FileSave macro contain just one instruction that calls infection routine in Goggles macros. The virus contains the text:
WordMacro.Goggles By Pyro [VBB]

Home