Virus Name: Wilbur Virus Type: File Infector Virus (infects .COM files) Virus Length: 512 Bytes
PC Vectors Hooked: None Executing Procedure: 1) Searches for and infects one .COM file in the current directory. 2) It then executes the originally called file. Damage: None Detecting Method: Infected files will increase by 512 Bytes.
Note: 1) Doesn't stay resident in memory. 2) Wilbur doesn't hook INT 24h when infecting files. Error message occurs if there is an I/O error (such as write protect).
Virus Name: Winword.Nuclear Virus Type: File Virus Virus Length: N/A Description: This virus infects MSWORD documents. When an infected document is opened, the virus goes resident by adding some macros to your WORD environment. The virus also runs a macro called PayLoad which wipes out your DOS system files on the 5th of April. Once the virus is active, all documents saved using the "Save As..." command will be infected. Occasionally printed documents will have the following two lines of text added: "And finally I would like to say: STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC" The virus may also try to inject a DOS file virus "Ph33r" into your system.
Virus Name: Wild-Thing Virus Type: File Infector Virus (infects .COM files) Virus Length: 567 Bytes(COM)
PC Vectors Hooked: None Executing Procedure: 1) If the system day is Friday, this message appears on the screen: "It's Friday ........ Enjoy the weekend with your computer![YAM '92]". Then the system halts. 2) Otherwise, it infects all uninfected .COM files in the current directory and root directory. Then it executes the original file. Detecting Method: 1) Infected files will increase by 567 Bytes.
Note: 1) Doesn't stay resident in memory. 2) Wild-Thing doesn't hook INT 24h when infecting files. Error message occurs if there is an I/O error (such as write protect).
Virus Name: Why Virus Type: File Infector Virus (infects .COM files) Virus Length: 457 Bytes(COM)
PC Vectors Hooked: None Executing Procedure: 1) Searches for and infects one uninfected .COM file in the current directory. 2) It then checks the system date. If the date is the 12th of May or the 25th of February, the virus will damage all files on the hard disk. Detecting Method: 1) Infected files will increase by 457 Bytes.
Note: 1) Doesn't stay resident in memory. 2) "Why" doesn't hook INT 24h when infecting files. Error message occurs if there is an I/O error (such as write protect).
Virus Name: WHARPS Virus Type: File Infector Virus (infects .COM files) Virus Length: 572 Bytes(COM)
PC Vectors Hooked: INT 24h Executing Procedure: 1) If it is 3 am, this message appears on the screen: "wHaRpS! It is 3:00 a.m.> ETERNAL". 2) It then searches for and infects all uninfected .COM files in the current directory. 3) It then executes the original file. Damage: Infected file can't be executed. Detecting Method: Infected files will increase by 572 Bytes.
Note: 1) Doesn't stay resident in memory. 2) Wharps hooks INT 24h when infecting files, so no error message appears if there is an I/O error (such as write protect).
Virus Name: WITCODE Other names: None Virus Type: File Infector Virus Virus Length: 965/975 bytes. PC Vectors Hooked: Int 21 Executing Procedure: 1) The virus checks if it is memory resident. If it isn't, it loads itself into memory by hooking INT 21h. 2) It then executes the original file. 3) Once in resident memory it will infect any uninfected file that is executed.
Damage: None Detecting Method: Increases infected file size by 965/975 bytes Note: 1) Loads itself resident in memory. An error message occurs if there is an I/O error (such as write protect).
Virus Name: WALKER Other names: None Virus Type: File Infector Virus Virus Length: .EXE 3845 bytes and .COM 3852 bytes. Executing Procedure: 1) The virus checks if it is memory resident. If it isn't, it loads itself into memory by hooking INT 21h. 2) It then executes the original file. 3) Once in resident memory it will infect any uninfected file that is executed. Damage: None Detecting Method: 1) Interrupt 16 will be hooked. 2) A man walking across the screen for the duration of 14 seconds will occasionally be displayed. 3) Increases infected file size by 3845/3852 bytes Note: 1) Loads itself resident in memory. An error message occurs if there is an I/O error (such as write protect).
Virus Name: Wave Virus Type: Memory Resident(OS), COM File infector Virus Length: 454 bytes Executing Procedure: 1) Checks whether it is residing in memory. If not, it copies itself to absolute address 0000:01ECh (the area of interrupt vectors), hooks INT 21h and INT 1Ch, and changes the pointer of INT 78h to the address pointed to by the original INT 21h. 2) Then goes back to the original routine. Vectors hooked: 1) Hooks INT 21h to check whether it remains in memory. 2) Hooks INT 21h (AH=4Bh, AH=3Dh) to infect files. If the program to be executed is an uninfected COM file, the combined length of program and virus is between 1500 bytes and 64000 bytes, and it is on the C drive (drives A and B are excluded), then the virus will proceed to infect it. Otherwise, it will set a flag to be used by INT 1Ch at a later time. 3) Hooks INT 1Ch to shake the screen from side to side for 33 seconds after a flag is set by INT 21h. Damage: None Note: 1) Time and date (except year) of infected files do not change. 2) You cannot see the change when you use the "Dir" command because the last two bytes of the date have not changed (the sort order will look wrong if you add "/od" to the "Dir" command). Detecting Method: Infected file sizes will increase by 454 bytes.
Virus Name: Willow Virus Type: Memory Resident, EXE File infector Virus Length: 1870 bytes Executing Procedure: 1) Checks whether it is in memory. If not, it hooks INT 14h first, then changes the pointer of INT FDh to the address pointed to by INT 21h. 2) Then it hooks INT 21h. 3) After all memory is released, it gets the name of the shell executed by the system from the environment parameter and executes this shell again. Terminates upon re-residing in memory. Vectors hooked: 1) Hooks INT 21h to check whether it has stayed resident in memory. 2) Hooks INT 21h (AH=4Bh) to infect files. If the program to be executed is a COM file, the virus deletes it. If it is an EXE file, the virus proceeds to infect it. Damage: It will delete COM files executed while the virus is residing in memory. Note: Date and time of infected files do not change. Detecting Method: Infected file sizes increase by 1870-1885 bytes.
Virus Name: Warrier1 Virus Type: Memory Resident(HiMem), COM File infector Virus Length: 300 bytes Executing Procedure: 1) The virus will decode first. 2) Then it checks whether it has stayed resident in memory. If not, it stays resident in high memory. 3) Then it hooks INT 21h and goes back to the original routine. Vectors hooked: 1) Hooks INT 21h (AX=4B00h) to infect files. 2) If the program to be executed is an uninfected COM file (except COMMAND.COM), it infects it. Damage: None Note: 1) This virus stays resident in high memory (It will take 61 pares). 2) Date and time of infected files do not change. 3) The change in the length of infected files is: i) If the original file's length is not larger than 768 bytes, the infected file will be 1536 bytes. ii) If the original file's length is larger than 768 bytes, the infected file will increase by 768 bytes. Cleaning Method: Remove the first 768 bytes from infected files.
Virus Name: Wolf-Man Virus Type: Memory Resident, COM & EXE File infector Virus Length: 2064 bytes Executing Procedure: 1) Checks whether it is resident in memory. If not, it will stay resident in memory. 2) If the system day is 15, the virus will manifest itself. Otherwise, it hooks INT 09H, INT 10H, INT 16H, INT 21H and goes back to the original routine. Vectors hooked: 1) Hooks INT 21H to infect files. It will check whether the program to be executed is an infectable file (except COMMAND.COM), and then proceeds to infect it (The infectable file length must be larger than 1400 bytes). 2) Hooks INT 9h, INT 10h to check whether something in the program has changed. If it has, the virus will manifest itself. Symptoms: 1) Displays a message. 2) Overwrites current diskette with virus code until there is no more free space. 3) Delays 30 seconds and proceeds to reboot system. Damage: Destroys all data on current diskette. Note: 1) The procedure for displaying the virus message is designed for the Hercules display card. Therefore, the system halts if it is run on a color display card. This, in turn, can prevent destruction of the hard disk. 2) The virus procedure contains "WOLFMAN" text. Detecting Method: 1) Infected file sizes increase by 143 bytes. 2) Checks whether an executed program remains resident in memory (it will occupy approx. 65.6K bytes) by using MEM.EXE program.
Virus Name: Wizard-3.0 Virus Type: COM File infector Virus Length: 268 bytes Executing Procedure: 1) Virus checks whether it has stayed resident in memory. If not, it will stay resident in high memory. 2) Then it hooks INT 21h and goes back to the original routine. Vectors hooked: 1) Hooks INT 21H (AH=4Bh) to infect files. 2) If the program to be executed is an uninfected COM file, the virus proceeds to infect it. Damage: None Note: You will see an error message when writing because INT 24h has not been hooked. Detecting Method: Infected file sizes increase by 268 bytes.
Virus Name: Wake Virus Type: EXE File infector Executing Procedure: Searches for all uninfected EXE files in the current directory, then infects them (Infects only one file at a time). Damage: It will overwrite original files with virus code. Original files are destroyed. Note: 1) It does not stay resident in memory. 2) You will see an error message when writing because INT 24h has not been hooked.
Virus Name: Wishes Virus Type: COM & EXE File infector Virus Length: 970 bytes Executing Procedure: 1) Checks whether it has stayed resident in memory. If not, it will stay resident in high memory. Then it hooks INT 21h and goes back to original routine. 2) It will check whether current calendar day is 13, Friday. If it is, the virus proceeds to destroy all data on the hard disk. Vectors hooked: 1) Hooks INT 21H (AH=4Bh) to infect files. 2) First, it will hook INT 24h to avoid revealing its presence when writing. 3) If the program to be executed is an uninfected COM or EXE file, virus proceeds to infect it. Damage: Virus will sometimes destroy all data on hard disk. Detecting Method: Infected file sizes increase by 970 bytes.
Other Name: WULF
Virus Type: File Type Virus
Virus Length: Size of approximately 1500 bytes.
Virus Memory Type: High Memory
INT Vectors Hooked: Int 13, 21
Place of Origin:
Infection Procedure:
Loads itself to high memory after decryption. Allocates 2976 bytes (9F46:0000) in memory. Moves 1500 (05CCH + 0010H) bytes to high memory. Infects *.EXE files. Copies virus code to host program, adding approximately 1500 bytes. Loads the virus first before running the host program. While in memory, EXE files opened will be infected.
The virus reacts ordinarily by allocating space in memory before infecting files. Nothing extraordinary happens. It just attaches its code to the host program after it is loaded from memory.
Damage:
Free memory decreases. Increase in file size.
Symptom:
May display:
"TBMEMXXXTBCHKXXXTBDSKXXXTBFILXXXPSQRW" "[WULF] (c) 1995-96 Werewolf" "CLEAN.AVP.TB.V.SCAN.NAV.IBM.FINDV.GUARD.FV.CHKDSK"
which appears in the virus code.
Detection method:
Decrypt virus code, then look for the above strings.
Virus name: Word.Generic (any unknown Macro virus)
Virus type: Word macro virus
Number of macros: Virus Dependent
Encrypted: Virus Dependent
Macro names: Virus Dependent
Size of macros: Virus Dependent
Place of origin: Anywhere
Date of origin: Virus Dependent
Destructive: Virus Dependent
Common In-The-Wild: Virus Dependent
Description:
"Word.Generic Macro Virus" is the generic name used by Trend Micro's antivirus researchers to describe Macro viruses of unknown origin and routine detected by the MacroTrap.
Unlike the strict virus pattern matching methodology used to detect known viruses, the Trend Micro MacroTrap identifies Macro viruses that have not been previously identified by antivirus researchers. Such viruses can exist in either the "Wild" (viruses infecting real users) or in the "Zoo," (viruses known only to antivirus researchers).
Before an antivirus product can detect and clean unknown macro viruses, the virus must first be found and isolated. The virus is then analyzed to learn its damage routine and a "signature" is developed so the virus can be quickly identified and removed from infected files. The signature is incorporated into the virus pattern file which is made available to the public, typically at biweekly intervals.
But because Macro viruses are so easy to create and spread, it is not practical to rely solely on virus pattern matching and up-to-date signatures to identify the stream of new macro viruses. Considering that "virus kits" are now available via the Internet, and considering the pervasive reach of e-mail, the only reliable long-term solution against the flow of Macro viruses clearly is Trend's rules-based MacroTrap.
Unknown macro viruses range in complexity and threat from innocuous (for example, the original Word.Concept virus) to the viciously destructive (for example, Word.MDMA, which deletes every file on your hard drive). When MacroTrap detects and cleans files infected with Word-based Macro viruses, both the virus and the infected macro are removed. They can be deleted or quarantined, depending on the user's preference.
Trend Micro is the first to develop this technology and we have incorporated it into our entire line of antivirus products to augment our award winning 32-bit, multi-threading scan engine.
Virus Name: Baby.A Virus Type: Word Macro Virus Alias: Punten Platform: Word 6/7 Number_of_macros: 10 Encrypted: Yes Size_of_macros: 4322 Bytes Place_of_origin: Unknown Date_of_origin: Spring 1997 Payload: Yes Trigger_date: March 24th, October 15th, 1st, 30th, September 21st Password: None Seen_In_The_Wild: No Seen_where: UK DESCRIPTION: Baby.A infects the global template (normal.dot) when an infected document is opened. Further documents become infected when they are also opened and saved (FileSave and FileSaveAs). Baby.A uses ToolsMacro and ToolsCustomize to make recognition of an infected document more difficult (called macro stealth technique). When a user selects ToolsMacro/ToolsCustomize, the following message is displayed: " 57773LKOM ! " The following messages are displayed when a user exits Microsoft Word: On the 24th of March: " Stop Work Let's Party, this is my Day ! " On the 1st after 3 p.m: " 57773LK0M ! " On the 15th of October: "GiE, You're gettin' Old, Bro !" On the 21st of September: " Cathy, this is your day. Have Fun ! " When a document is printed on the 30th of each month, Baby.A inserts the following text into the active document: " Punten ... " " I Just Wanna Give a Shut Up to @Rapi.Kom: " " Just Don't Make Any Destructive Virus Ok ! " " Insert "We're East-Man Remember ! " " Insert "Peace 2 all My Home-Bro' Out There ! " " Insert "I'm Outta here !! Mangga sadayana... "
Virus Name: CVCK1.G Virus Type: Word Macro Virus Alias: None Platform: Word 6/7 Number_of_macros: 5 Encrypted: Yes Size_of_macros: 2029 Bytes Place_of_origin: Unknown Date_of_origin: 1997 Payload: Yes Trigger_date: 13th of each month Password: None Seen_In_The_Wild: No Seen_where: DESCRIPTION: CVCK1.G seems to be another creation of the author of CVCK1.F. It contains another reference to the movie "Flatliners." CVCK1.G infects the global template when an infected document is opened. Further documents become infected when they are closed (AutoClose). When CVCK1.G triggers (on the 13th of each month), it displays the following message: " Put me in the sate of death " The following comment can be found within the code of CVCK1.G: " Sorry ... i'm defeat you ! " and " Just bypass Nothing to do! "
Virus Name: CVCK1.H Virus Type: Word Macro Virus Alias: None Platform: Word 6/7 Number_of_macros: 5 Encrypted: Yes Size_of_macros: 2031 Bytes Place_of_origin: Unknown Date_of_origin: 1997 Payload: Yes Trigger_date: 13th of each month Password: None Seen_In_The_Wild: No Seen_where: DESCRIPTION: CVCK1.H seems to be another creation of the author of CVCK1.F and CVCK1.G! It contains another reference to the movie "Flatliners." CVCK1.H infects the global template when an infected document is opened. Further documents become infected when they are closed (AutoClose). When CVCK1.H triggers (on the 13th of each month), it displays the following message: " Today is a good day to die!!! " The following comment can be found within the code of CVCK1.H: " Sorry ... i'm defeat you ! " and " Just bypass Nothing to do! "
Virus Name: CVCK1.I Virus Type: Word Macro Virus Alias: None Platform: Word 6/7 Number_of_macros: 11 Encrypted: Yes Size_of_macros: 7329 Bytes Place_of_origin: Unknown Date_of_origin: 1997 Payload: Yes Trigger_date: 11th and 31st of each month Password: None Seen_In_The_Wild: No Seen_where: DESCRIPTION: The main difference between this new variant and the previous CVCK1.A virus is that the code has been slightly modified. For more information, please refer to the CVCK1.A virus description.
Virus Name: Czech.A Virus Type: Word Macro Virus Alias: None Platform: Word 6/7 Number_of_macros: 2 Encrypted: Yes Size_of_macros: 424 Bytes Place_of_origin: Unknown Date_of_origin: Spring 1997 Payload: None Trigger_date: None Password: None Seen_In_The_Wild: No Seen_where: DESCRIPTION: Czech.A infects the global template when an infected document is opened. Further documents become infected when they are also opened and saved (FileSave). Czech.A is another do-nothing macro virus, being only infectious.
Virus Name: Balu.A Virus Type: Word Macro Virus Alias: None Platform: Word 6/7 Number_of_macros: 2 or 1 Encrypted: Yes Size_of_macros: 776 or 646 Bytes Place_of_origin: Germany Date_of_origin: Spring 1997 Payload: Yes Trigger_date: April 5th, April 16th Password: SSichliebeDich, SSICHLIEBEDICH Seen_In_The_Wild: No Seen_where: DESCRIPTION: Balu does not infect any other documents. It is classified as a trojan horse. Balu only works with the German version of Microsoft Word, since it uses language specific macros. On the 5th of April, Balu renames the following files: " c:\command.com" to "c:\kniffel\com.com " " c:\msdos.sys" to "c:\kniffel\ms.sys " " c:\io.sys" to "c:\kniffel\ii.sys " Balu's second payload adds the following password to saved documents: " SSichliebeDich " " SSICHLIEBEDICH " On the 16th of April, Balu displays the following message: " Dicke aus Schwelm, ich werde Dich immer lieben, weil die Tür " " zu meinem Herzen immer für Dich offen steht, egal was passiert. " " Ich hoffe Du verzeihst mir. " " Dein balu aus Schwelm "
Virus Name: Barbaro.A:It Virus Type: Word Macro Virus Alias: Nostradamus Platform: Word 6/7 Number_of_macros: 3 Encrypted: No Size_of_macros: 2813 Bytes Place_of_origin: Italy Date_of_origin: December 1996 Payload: Yes Trigger_date: 31st Password: None Seen_In_The_Wild: No Seen_where: DESCRIPTION: Barbaro infects the global template when an infected document is opened. Further documents become infected when they are saved (FileSalva). Barbaro uses StrumMacro to make recognition of an infected document more difficult (called macro stealth technique). On the 31st of each month, Barbaro displays the following message: "Barbaro impero dal terzo sarai soggiogato " "Gran parte d'individui della sua origine farà perire " "Per decesso senile avverrà la sua fine, il quarto colpirà " "Per timore che il sangue con il sangue morte ne derivi. " " NOSTRADAMUS Virus " Barbaro only works with the Italian version of Microsoft Word, since it uses language specific macros.
Virus Name: ABC.A Virus type: Word Macro Virus Alias: None Platform: Word 6/7 Number_of_macros: 3 Encrypted: Yes Size_of_macros: 1836 (1801) Bytes Place_of_origin: USA Date_of_origin: Fall 1996 Destructive: No Trigger_date: None Password: None Seen_In_The_Wild: No Seen_where: DESCRIPTION: ABC.A infects the global template (normal.dot) when an infected document is opened. Further documents become infected when they are saved (FileSaveAs). ABC.A is one of very few non-destructive macro viruses. It only infects other files and displays the following message: " I am happy; are you too? " When the "Colin" macro triggers, it adds the following text to the File|Properties section of infected documents: " Smash Technology " " Resist Oppression "
Virus Name: Ceefour.A Virus Type: Word Macro Virus Alias: None Platform: Word 6/7 Number_of_macros: 6 Encrypted: Yes Size_of_macros: 4062 Bytes Place_of_origin: USA Date_of_origin: Spring 1997 Destructive: Yes Trigger_date: April 1st Password: None Seen_In_The_Wild: No Seen_where: DESCRIPTION: CeeFour.A infects the global template when an infected document is opened. Further documents become infected when they are saved. CeeFour.A uses ToolsMacro and FileTemplates to make recognition of an infected document more difficult (called macro stealth technique). When a user selects one of the two options, CeeFour.A displays the following message: " A serious error has occoured in sub program: MenuBar " When a document is saved on April 1st, CeeFour.A triggers and does the following: 1. LABEL the partition of the first hard drive to " C4_BY_KARL " 2. Delete all files on C:\ 3. Delete C:\COMMAND.COM 4. Delete C:\WINDOWS\WIN.COM The following comments can be found in the CEEFOUR macro: " C-4 By Karl " " You are about to have a very bad day. " " It looks like C4 in the mothers arm. " " We are both professional, This is personal. " " And when Alexander saw the bredth of his domain he wept for there " " were no more worlds to conquer (benefits of a classical education) " " quotes from the masters! "
Virus Name: Ceefour.B Virus Type: Word Macro Virus Alias: None Platform: Word 6/7 Number_of_macros: 6 Encrypted: Yes Size_of_macros: 4019 Bytes Place_of_origin: UK Date_of_origin: February 1997 Destructive: Yes Trigger_date: April 1st Password: None Seen_In_The_Wild: Yes Seen_where: UK DESCRIPTION: The main difference between this new variant and the previous CeeFour.A virus is that the code has been slightly modified. For more information, please refer to the CeeFour.A virus description.
Virus Name: Chaka.A Virus Type: Word Macro Virus Alias: None Platform: Word 6/7 Number_of_macros: 1 or 3 Encrypted: No Size_of_macros: 741 (845 or 843) Bytes Place_of_origin: Germany Date_of_origin: Summer 1997 Destructive: No Trigger_date: None Password: None Seen_In_The_Wild: No Seen_where: DESCRIPTION: Chaka.A infects the global template when an infected document is opened. Further documents become infected when they are also opened (FileOpen - DateiOeffnen in the German version of Microsoft Word) or closed (DocClose - DateiSchliessen in the German version of Microsoft Word). Chaka does not do anything besides infecting other files.
Virus Name: Chandigarh.A Virus Type: Word Macro Virus Alias: None Platform: Word 6/7 Number_of_macros: 1 Encrypted: Yes Size_of_macros: 244 Bytes Place_of_origin: India Date_of_origin: May 1996 Destructive: No Trigger_date: None Password: None Seen_In_The_Wild: No Seen_where: DESCRIPTION: Chandigarh.A infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). Chandigarh.A does nothing else besides infecting other files. The following comment can be found inside the code of Chandigarh: " This Code was written in Chandigarh (India) on 01.05.1996 "
Virus Name: Cheat.A Virus Type: Word Macro Virus Alias: None Platform: Word 6/7 Number_of_macros: 1 Encrypted: No Size_of_macros: 249 Bytes Place_of_origin: Unknown Date_of_origin: Summer 1997 Destructive: No Trigger_date: None Password: None Seen_In_The_Wild: No Seen_where: DESCRIPTION: Cheat.A is another intended macro virus. Due to bugs in the code it does not infect other files.
Virus Name: Cheat.B Virus Type: Word Macro Virus Alias: None Platform: Word 6/7 Number_of_macros: 1 Encrypted: No Size_of_macros: 279 Bytes Place_of_origin: Unknown Date_of_origin: Summer 1997 Destructive: No Trigger_date: None Password: None Seen_In_The_Wild: No Seen_where: DESCRIPTION: Cheat.B is another intended macro virus. Due to bugs in the code it does not infect other files.
Virus Name: Vicis.A Virus Type: Word Macro Virus Alias: Vicissitator Platform: Word 6/7 Number_of_macros: 1 or 2 (global template) Encrypted: No Size_of_macros: differs Place_of_origin: Unknown Date_of_origin: July 1997 Destructive: No Trigger_date: None Password: None Seen_In_The_Wild: No Seen_where: DESCRIPTION: Vicis.A infects the global template when an infected document is saved. Further documents become infected when they are also saved (FileSave). Vicis.A is another polymorphic virus that changes itself. Whenever a user saves a document while the global template (normal.dot) is infected, Vicis.A calls its mutating code. Due to a bug some variants will fail to infect further files. Executing the corrupted FileSave macro causes Microsoft Word to display an error message. While simple scan string scanners should have no problem detecting Vicis.A, exact CRC scanners will fail to do so. Vicis.A uses ToolsMacro to make recognition of an infected document more difficult (called macro stealth technique). The following comment can be found within the ToolsMacro macro: " You have been Infected by the Vicissitator Macro Virus. " " (C)1997 CyberYoda A Member of the SLAM Virus Team " Vicis.A was distributed in July, 1997 in a virus writing magazine.
Virus Name: Black.A Virus Type: Word Macro Virus Alias: BlackDeath Platform: Word 6/7 Number_of_macros: 3 Encrypted: Yes Size_of_macros: 1355 Bytes Place_of_origin: USA Date_of_origin: June 1997 Destructive: Yes Trigger_date: Friday 13th Password: None Seen_In_The_Wild: No Seen_where: DESCRIPTION: Black infects the global template when an infected document is opened. Further documents become infected when they are also opened (AutoOpen). The following comment can be found in the AutoExec macro: " REM Fuck Micro$oft! " On Friday the 13th Black displays the following message: " Your computer is now lost to the ages... " " WM.BlackDeath " " Written on 6/6/1997 " On the same day, Black deletes the following files: " C:\*.COM " " C:\*.EXE " " C:\WINDOWS\*.INI " " C:\WINDOWS\*.COM " " C:\WINDOWS\*.HLP " " C:\WINDOWS\*.CPL " " C:\WINDOWS\*.BMP " " C:\AOL\ORGANIZER\*.* " " C:\AOL\LDB\*.* "
Virus Name: AntiConcept.A Virus Type: Word Macro Virus Alias: None Platform: Word 6/7 Number_of_macros: 4 or 3 Encrypted: No Size_of_macros: 1263 (1216) Bytes Place_of_origin: USA Date_of_origin: Summer 1997 Payload: No Trigger_date: None Password: None Seen_In_The_Wild: No Seen_where: DESCRIPTION: AntiConcept.A infects the global template (normal.dot) when an infected document is opened. Further documents become infected when they are saved (FileSave and FileSaveAs). AntiConcept.A disables the Concept virus by removing some of its macros. When an infected document is opened for the first time, AntiConcept displays the following message: " Your system may or may not be clean. " " Please close CleanW and then open it again " AntiConcept.A1 is an unnatural devolved variant with FileNew missing in its macro set. Due to the missing macro, Microsoft Word displays an error message.
Virus Name: Archer.A Virus Type: Word Macro Virus Alias: ArchFiend Platform: Word 6/7 Number_of_macros: 6 Encrypted: No Size_of_macros: 2360 Bytes Place_of_origin: USA Date_of_origin: July 1997 Payload: Yes Trigger_date: 5th Password: Random Seen_In_The_Wild: No Seen_where: DESCRIPTION: Archer.A infects the global template (normal.dot) when an infected document is opened. Further documents become infected when they are also opened and saved (FileSaveAs). Archer.A removes FileTemplates and ToolsCustomize to make recognition of an infected document more difficult (called macro stealth technique). When a user selects ToolsMacro, Archer.A adds the following comment to C:\AUTOEXEC.BAT: " echo BLOW ME! " Archer.A also checks the system time and in case of a 13 in the seconds field, it adds a password to the saved document. If you find a document with an unknown password, please download a copy of WinWord Password Recovery Tool (wwprt). It is available at: www.vdsarg.com. The second payload, which is triggered on the 5th of each month, tries to delete files on Macintosh systems or delete all bitmap (*.BMP) files in the following directory: " C:\WINDOWS "
Virus Name: Cult.A Virus Type: Word Macro Virus Alias: None Platform: Word 6/7 Number_of_macros: 1 Encrypted: No Size_of_macros: 1688 Bytes Place_of_origin: Germany Date_of_origin: Summer 1997 Destructive: No Trigger_date: None Password: None Seen_In_The_Wild: No Seen_where: DESCRIPTION: Cult.A is another intended macro virus. Due to bugs in the code it does not infect other files. The following comment can be found inside the code: " CULT! Nightmare Joker (SLAM) "
Virus Name: CVCK1.A Virus Type: Word Macro Virus Alias: Chicken-Pox 0.1 Platform: Word 6/7 Number_of_macros: 11 Encrypted: Yes Size_of_macros: 7315 Bytes Place_of_origin: Indonesia Date_of_origin: 1997 Destructive: No Trigger_date: None Password: None Seen_In_The_Wild: No Seen_where: DESCRIPTION: CVCK1.A infects the global template when an infected document is closed. Further documents become infected when they are also closed (AutoClose). CVCK1.A uses ToolsMacro, ToolsCustomize and FileTemplates to make recognition of an infected document more difficult (called macro stealth technique). When a user selects one of the options, CVCK1.A displays the following: " Chicken say ......... " an empty picture and " [pox-poX-pOX-POX-POx-Pox-pox] " The following comments can be found within the code: " -------------------------------------------- " " Created using CVCK v.01 b " " (C)CrazybitS 1997, Yogyakarta, Indonesia " " -------------------------------------------- " and " Sorry ... i'm defeat you ! "
Virus Name: CVCK1.B Virus Type: Word Macro Virus Alias: Foxz Platform: Word 6/7 Number_of_macros: 10 Encrypted: Yes Size_of_macros: 5551 Bytes Place_of_origin: Indonesia Date_of_origin: 1997 Payload: Yes Trigger_date: None Password: None Seen_In_The_Wild: No Seen_where: DESCRIPTION: CVCK1.B infects the global template when an infected document is opened. Further documents become infected when they are closed (AutoClose). CVCK1.B uses ToolsMacro and FileTemplates to make recognition of an infected document more difficult (called macro stealth technique). When a user selects one of the options, CVCK1.B displays the following: " Err = 0 " Another message is displayed on the 1st and 13th of each month. CVCK1.B also tries to disable printing on Sundays. The following comments can be found within the code: " Foxz members of NoMercy " " thank's for decrypt this virus " " you may learn the effect Or somthing Else " " bye,"."".""." " " Foxz " " If you found bug please contact me at " " idban"@" hotmail.com " and " Foxz Techno " " Member Of NoMercy "
Virus Name: CVCK1.C Virus Type: Word Macro Virus Alias: Vampire, 80e Platform: Word 6/7 Number_of_macros: 6 or 9 (global template) Encrypted: Yes Size_of_macros: 3158 (5759) Bytes Place_of_origin: Indonesia Date_of_origin: 1997 Destructive: Yes Trigger_date: Fridays Password: None Seen_In_The_Wild: No Seen_where: DESCRIPTION: CVCK1.C infects the global template when an infected document is opened. Further documents become infected when they are closed (AutoClose). CVCK1.C uses ToolsMacro, ToolsCustomize and FileTemplates to make recognition of an infected document more difficult (called macro stealth technique). When a user selects one of the options, CVCK1.C deletes all WIN.* files in the Windows directory and displays the following message: " No risk, No Pain " Another payload triggers on Fridays when CVCK1.C erases all text from documents. The following comments can be found within the code of CVCK1.C: " Created using CVCK v.01 b " " (C)CrazybitS 1997, Yogyakarta, Indonesia " " Name : WM.80e aliase Vampire "
Virus Name: CVCK1.D
Virus Type: Word Macro Virus
Alias: Vampire, 80e
Platform: Word 6/7
Number_of_macros: 6 or 9 (global template)
Encrypted: Yes
Size_of_macros: 3912 (5547) Bytes
Place_of_origin: Indonesia
Date_of_origin: 1997
Payload: Yes
Trigger_date: 13th of each month
Password: None
Seen_In_The_Wild: No
Seen_where:
DESCRIPTION: CVCK1.D infects the global template when an infected document is opened. Further documents become infected when they are closed (AutoClose). CVCK1.D uses ToolsMacro, ToolsCustomize and FileTemplates to make an infected document harder to recognize (a technique known as macro stealth). When a user selects one of these options, CVCK1.D displays the following message (also displayed on the 13th of each month):
" Visit NoMercy WEB PAGE ! "
" Welcome Again buddy! "
" It's nice create a Virus, why you don't try? "
The following comments can be found within the code of CVCK1.D:
" -------------------------------------------- "
" Created using CVCK v.01 b "
" (C)CrazybitS 1997, Yogyakarta, Indonesia "
" -------------------------------------------- "
" greeting to "
" -Cicatrix major collector "
" -D.Giovanni "
" -All Macro virii creator "
" -You that has seen the decription macro "
and
" Sorry ... i'm defeat you ! "

Virus Name: CVCK1.E
Virus Type: Word Macro Virus
Alias: None
Platform: Word 6/7
Number_of_macros: 10
Encrypted: Yes
Size_of_macros: 5527 Bytes
Place_of_origin: Indonesia
Date_of_origin: 1997
Payload: Yes
Trigger_date: Sundays
Password: None
Seen_In_The_Wild: No
Seen_where:
DESCRIPTION: The main difference between this new variant and the previous CVCK1.B viruses is that the Action, Actiondate, and AutoOpen macros were modified. CVCK1.E infects the global template when an infected document is opened. Further documents become infected when they are closed (AutoClose). CVCK1.E uses ToolsMacro and FileTemplates to make an infected document harder to recognize (a technique known as macro stealth). CVCK1.E also tries to disable printing on Sundays. The following comment can be found within the code of CVCK1.E:
" -------------------------------------------- "
" Hey you..... "
" This again from NoMercy... "
" created by Fox`z "
" -------------------------------------------- "

Virus Name: CVCK1.F
Virus Type: Word Macro Virus
Alias: Billy Mahone
Platform: Word 6/7
Number_of_macros: 6 or 9 (global template)
Encrypted: Yes
Size_of_macros: 2209 or 2338 Bytes
Place_of_origin: Unknown
Date_of_origin: 1997
Payload: Yes
Trigger_date: 13th of each month
Password: None
Seen_In_The_Wild: No
Seen_where:
DESCRIPTION: CVCK1.F seems to be the first macro virus created with the CVCK1 virus generator that was not modified after its creation. CVCK1.F infects the global template when an infected document is opened. Further documents become infected when they are closed (AutoClose). CVCK1.F uses ToolsMacro, ToolsCustomize and FileTemplates to make an infected document harder to recognize (a technique known as macro stealth). When CVCK1.F triggers (on the 13th of each month), it displays the following message:
" Billy Mahone is back!!! "
(More obscure than the virus itself is the name of the virus author, which is a character in the movie "Flatliners".) The following comment can be found within the code of CVCK1.G:
" Sorry ... i'm defeat you ! "
and
" Just bypass Nothing to do! "

Virus Name: Armadillo.A
Virus Type: Word Macro Virus
Alias: None
Platform: Word 6/7
Number_of_macros: 4
Encrypted: Yes
Size_of_macros: 1265 Bytes
Place_of_origin: USA
Date_of_origin: Spring 1997
Payload: Yes
Trigger_date: Mondays
Password: None
Seen_In_The_Wild: No
Seen_where:
DESCRIPTION: Armadillo.A infects the global template (normal.dot) when an infected document is opened. Further documents become infected when they are saved (FileSaveAs). Armadillo uses ToolsMacro to make an infected document harder to recognize (a technique known as macro stealth). If a user selects ToolsMacro, Armadillo adds the following text 10,000 times to the active document:
" Armadillon Macro? "
When a user starts Microsoft Word on a Tuesday and the global template is infected, Armadillo displays the following message:
" Liven up Monday with an Armadillon! "