DarkElf family
Description DarkElf family
These are harmless memory resident encrypted parasitic viruses, "DarkElf.3691" is a polymorphic virus. They hook INT 21h and write themselves to the end of COM and EXE files that are executed or opened. The viruses do not infect the files: AIDS*.EXE, DRWEB*.EXE, WEB*.EXE, SCAN*.EXE, -*.*, AVP*.*, AVSP*.EXE, TB*.EXE, COMMAND.COM, IBM*.*, WIN*.COM The viruses use several levels of encryption as well as several anti-debugging tricks. They contain the text strings in Russian and: "DarkElf.2200": [Dark Elf] version 2.1 CopyLeft (cl) MSTUdent 18/08/96 03:50:30 AIDS????EXEDRWEB???EXEWEB?????EXESCAN????EXE-??????????AVP???????? AVSP????EXETB??????EXECOMMAND?COMIBM????????WIN?????COM
"DarkElf.3691": [Dark Elf] version 3.0 CopyLeft (cl) MSTUdent 13/11/96 18:04:13 AIDS????EXEDRWEB???EXEWEB?????EXESCAN????EXE-??????????AVP???????? AVSP????EXETB??????EXECOMMAND?COMIBM????????WIN?????COM [DEME] Dark Elf Mutation Engine v1.0 CopyLeft (cl) MSTUdent 13/11/96 18:04:13
Check other viruses! Be aware! Use Antiviral Software
Macro.Word.ShareFun
Description Macro.Word.ShareFun
This encrypted Word macro virus contains nine macros: AutoExec - does nothing autoOpen - infects current document or global macros area FileClose - -//- FileExit - -//- FileSave - -//- FileOpen - -//- FileTemplates - -//- ToolsMacro - -//-, disables Tools/Macro menu (stealth) ShareTheFun - trigger routine
It infects the system and documents on opening, closing and accessing Tools/Macro menu. It manifests itself in very unusual way - it sends infected documents via MicrosoftMail, if it is installed. On opening a document or template (AutoOpen) the virus with probability 1/4 calls the ShareTheFun macro. This macro saves the current (already infected) document to the C:DOC1.DOC file, activates Microsoft Mail by WordBasic instruction AppActivate, gets three random selected addresses from addresses list and sends them the infected C:DOC1.DOC file with the subject line: You have GOT to read this!
If Microsoft Mail is not included in the running tasks, the virus shuts down Windows.
Macro.Word.Showoff
Description Macro.Word.Showoff
text (c) Michal A. Egler This virus contains the following encrypted macros: Hayo, AutoOpen, Nomercy2, Organizer, ToolsMacro, FileTemplates. On the 13th day of any month the virus creates the file C:WINDOWSSYSTEMNOMERCY.DLL. This file contains a debug script with the NoMercy.575 DOS parasitic virus dump code. By using this script the virus creates the virus dropper NOMERCY2.COM. Next the virus deletes files: C:*.BAT C:*.SYS C:WINDOWS*.GRP C:WINDOWS*.DRV C:WINDOWS*.DLL C:WINDOWSSYSTEM*.DRV C:WINDOWSSYSTEM*.DLL
It also inserts the following commands into the AUTOEXEC.BAT file to execute the virus dropper: @echo off nomercy2.com
After restarting the computer the virus code stays resident and infects each executed COM and EXE file. The virus displays a UserDialog containing the text: No Mercy II [Hell on WinWord], The Madness Continuesall.. wall NoMercy II ©1997 by CrazybitS From the land of Smoking Vulcanoes and Gamelan Orchestras This Macro Virus Was Released for follow his brother No Mercy
Sometimes the virus changes names of macros: Nomercy = AutoOpen AutoClose = Nomercy2 AutoExec = Hayo ToolsMacro = ToolsMacro Organizer = Organizer FileTemplates = FileTemplates
Sometimes the virus displays a UserDialog with the text: No Mercy II Was Distrub ! Mmmmm.... you just lost your files ! Don't do it again !
|
Home
Viruses from A to Z 0-9
A
B
Ñ
D
E
F
G
H
I
J
K
L
M
N
O
P
Q
R
S
T
U
V
W
X
Y
Z
|