Virus Database

Bward.1024

Description Bward.1024

It is a very dangerous memory resident parasitic virus. It hooks INT 9, 21h and writes itself to the end of EXE files that are executed. Depending on the installed BIOS the virus displays the message:
Üdv!

On each 4000th keyboard entry the virus erases random selected disk sectors. The virus contains the text string:
Bward07/25/87

Check other viruses! Be aware! Use Antiviral Software

Macro.Word.Nuclear.a

Description Macro.Word.Nuclear.a

It is a encrypted virus, it contains the macros:
AutoExec, AutoOpen, FileSaveAs, FilePrint, FilePrintDefault,
InsertPayload, Payload, DropSuriv, FileExit

While installation these macros are copied into Global Macros area, and overwrite the macros if they are already present there. Then the virus infects the documents by FileSaveAs macro.
The virus manifests itself in three ways: 1) runs COM/EXE/NewEXE virus, 2) appends the text strings while printing the documents, 3) corrupts the system files. Note: the virus has a lot of bugs, and I am not sure that the virus is able to run 1) and 3) under standard environment.
1) The AutoExec macro calls DropSuriv macro which check the system time and drops the COM/EXE/NewEXE virus ("Ph33r") if the time is between 17:00 / 18:00. While dropping the virus uses the DEBUG utility.
First, the virus checks the C:DOSDEBUG.EXE. If this file is found, the virus creates temporary file PH33R.SCR in C:DOS directory, and writes hex dump of COM/EXE/NewEXE virus and DEBUG commands into there. Then the virus creates the temporary file EXEC_PH.BAT with the strings inside:
@echo off
debug < ph33r.scr > nul

and executes that. As the result DEBUG utility creates a copy of a COM/EXE/NewEXE virus (in the memory) and executes it. That virus hooks INT 21h and writes itself to the end of COM/EXE/NewEXE files on opening, execution, renaming and changing their attributes.
The execution of BAT file is done in the background, so the user does not know that there are two(!) viruses on his PC.
Then the virus deletes the temporary PH33R.SCR and EXEC_PH.BAT files.
Fortunately, this virus has a bug, and fails to drop COM/EXE/NewEXE virus, but it is quite easy to fix that bug in next virus version.
2) While printing documents the virus appends the text approximately to each 12th file (if the seconds are 55 or more):
And finally I would like to say:
STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC!

These strings are appended to the document immediately before printing, so the uses does not see them (often documents occupy more that one screen). This is very curios effect, especially while sending documents via fax.
3) On 5th of April the virus erases IO.SYS and COMMAND.COM files.
Macro.Word.Nuclear.b
It's a variant of previous one. Does not contain COM/EXE/NewEXE virus and macros DropSuriv, FileExit.
There's a bug while appending the text to the end of the document while printing. As the result the virus appends a blank page, and Word displays a message about a WordBasic error.
Macro.Word.Nuclear.c
Another variant of "Nuclear". It contains five macros: Payload, AutoExec, AutoOpen, FileSaveAs, InsertPayload.
The Payload contains the commented instructions that erase all files on C: drive. It seems that the virus author left them commented because he was afraid about this damage on his own computer - this macro takes control as soon as Word starts (the AutoExec macro).

Macro.Word.Nuker

Description Macro.Word.Nuker

This is an encrypted Word macro virus. It contains 8 macros:
Documents NORMAL.DOT
AutoOpen AutoOpenNuke
AutoExecNuke AutoExec
FileOpenNuke FileOpen
FileSaveAsNuke FileSaveAs
FileTemplatesNuke FileTemplates
NukePower NuclearPower
ShellOpenNuke ShellOpen
ToolsMacroNuke ToolsMacro

The virus infects the global macros area (NORMAL.DOT) on opening an infected document (AutoOpen) and writes itself to documents that are also opened (FileOpen). On infecting the virus checks files for other macros and deletes them, if they are found. The virus checks the filenames for special symbols (spaces, semicolons,all). If there is such one, the virus truncates the file name and displays the MessageBox:
NuclearPower
You cannot open multiple files at the same time with NuclearPower
installed. The first file you selected will be opened.

On saving document with new name the virus displays the InputBox:
Save As
Please, enter the name of the file:

The AutoExec macros (on Word startup) assigns the NuclearPower with "Ctrl+Shift+O" keys. This macro being executed displays the MessageBox:
NuclearPower greets you
You are infected by NuclearPower.
But, I swear that I am harmless and
I will protect you from any other macro virus!

The virus also modifies the System Registry, as a result the virus macros are executed on DDE calls.

Home