Virus Database

DarkElf family

Description DarkElf family

These are harmless memory resident encrypted parasitic viruses, "DarkElf.3691" is a polymorphic virus. They hook INT 21h and write themselves to the end of COM and EXE files that are executed or opened. The viruses do not infect the files: AIDS*.EXE, DRWEB*.EXE, WEB*.EXE, SCAN*.EXE, -*.*, AVP*.*, AVSP*.EXE, TB*.EXE, COMMAND.COM, IBM*.*, WIN*.COM
The viruses use several levels of encryption as well as several anti-debugging tricks. They contain the text strings in Russian and:
"DarkElf.2200":
[Dark Elf] version 2.1 CopyLeft (cl) MSTUdent
18/08/96 03:50:30
AIDS????EXEDRWEB???EXEWEB?????EXESCAN????EXE-??????????AVP????????
AVSP????EXETB??????EXECOMMAND?COMIBM????????WIN?????COM

"DarkElf.3691":
[Dark Elf] version 3.0 CopyLeft (cl) MSTUdent
13/11/96 18:04:13
AIDS????EXEDRWEB???EXEWEB?????EXESCAN????EXE-??????????AVP????????
AVSP????EXETB??????EXECOMMAND?COMIBM????????WIN?????COM
[DEME] Dark Elf Mutation Engine v1.0 CopyLeft (cl) MSTUdent
13/11/96 18:04:13

Check other viruses! Be aware! Use Antiviral Software

Macro.Word.ShareFun

Description Macro.Word.ShareFun

This encrypted Word macro virus contains nine macros:
AutoExec - does nothing
autoOpen - infects current document or global macros area
FileClose - -//-
FileExit - -//-
FileSave - -//-
FileOpen - -//-
FileTemplates - -//-
ToolsMacro - -//-, disables Tools/Macro menu (stealth)
ShareTheFun - trigger routine

It infects the system and documents on opening, closing and accessing Tools/Macro menu. It manifests itself in very unusual way - it sends infected documents via MicrosoftMail, if it is installed.
On opening a document or template (AutoOpen) the virus with probability 1/4 calls the ShareTheFun macro. This macro saves the current (already infected) document to the C:DOC1.DOC file, activates Microsoft Mail by WordBasic instruction AppActivate, gets three random selected addresses from addresses list and sends them the infected C:DOC1.DOC file with the subject line:
You have GOT to read this!

If Microsoft Mail is not included in the running tasks, the virus shuts down Windows.

Macro.Word.Showoff

Description Macro.Word.Showoff

text (c) Michal A. Egler
This virus contains the following encrypted macros: Hayo, AutoOpen, Nomercy2, Organizer, ToolsMacro, FileTemplates.
On the 13th day of any month the virus creates the file C:WINDOWSSYSTEMNOMERCY.DLL. This file contains a debug script with the NoMercy.575 DOS parasitic virus dump code. By using this script the virus creates the virus dropper NOMERCY2.COM.
Next the virus deletes files:
C:*.BAT
C:*.SYS
C:WINDOWS*.GRP
C:WINDOWS*.DRV
C:WINDOWS*.DLL
C:WINDOWSSYSTEM*.DRV
C:WINDOWSSYSTEM*.DLL

It also inserts the following commands into the AUTOEXEC.BAT file to execute the virus dropper:
@echo off
nomercy2.com

After restarting the computer the virus code stays resident and infects each executed COM and EXE file.
The virus displays a UserDialog containing the text:
No Mercy II [Hell on WinWord], The Madness Continuesall..
wall
NoMercy II ©1997 by CrazybitS
From the land of Smoking Vulcanoes and Gamelan Orchestras
This Macro Virus Was Released for follow his brother No Mercy

Sometimes the virus changes names of macros:
Nomercy = AutoOpen
AutoClose = Nomercy2
AutoExec = Hayo
ToolsMacro = ToolsMacro
Organizer = Organizer
FileTemplates = FileTemplates

Sometimes the virus displays a UserDialog with the text:
No Mercy II Was Distrub !
Mmmmm.... you just lost your files !
Don't do it again !

Home