
BEWARE OF W97M/CLASS VIRUS
This Word macro virus (also known as the "MS Word 97 Macro Class Virus") infects Word 97 documents. W97M/Class changes its own code constantly by inserting comments that contain the current user name, the current date and time, and information about the active printer, so no two infected documents carry exactly the same macro text.
The virus uses an effective way to hide its code. Word 97 macros are VBA, and instead of creating an ordinary macro module the virus uses VBA's module operations to install its code into the document's class module (ThisDocument), which is what gives the virus its name. The virus code thus becomes part of a native Word component and is not visible in the Tools/Macro menu.
W97M/Class activates on the 31st of every month that has one. At that time it displays this message:
"This is a Class, VicodinES /CB /TNN"
There are several variants of the Class virus. W97M/Class.D activates on the 14th of each month from June to December. At that time it displays this message:
"I think ( the name of the current user ) is a big stupid jerk!
VicodinES Loves You / Class.Poppy."
BEWARE OF W97M/NICEDAY VIRUS
This macro virus first appeared in 1997 and is widespread. It contains the macros autoopen, vopen, vlclose, autoclose and payload.
It displays a message such as "Have a niceday".
Like W97M/Class, this macro virus infects Word 97 documents. Once an infected document is opened, the virus goes on to infect the other documents that are subsequently opened or closed on that system.
BEWARE OF W97M/MARKER VIRUS
W97M/Marker (also known as HSFX) is a Word macro virus that collects user information from Word and uses FTP to send it over the Internet. The virus is similar to W97M/Caligula: like Caligula, it sends the collected data to codebreakers.org. It also has some similarities to W97M/Ethan.
W97M/Marker is polymorphic. The polymorphism consists of adding a log entry at the end of the virus body for every infected user. This log contains the system time and date and the user's name and address, so the virus body grows and changes with every infection.
The virus contains an infection marker at the beginning of its code:
"<- This is a Marker"
W97M/Marker.A saves its code in a file called c:\netldv.vxd. To infect documents the virus exports its code from the global template to this file, uses the file to copy the code into the target document, and then deletes the file so that the user cannot find it.
W97M/Marker and its variants are very frequently reported in the wild.
BEWARE OF W97M/ETHAN VIRUS
Ethan is a Word macro virus that replicates under Word 97. It was found in the wild in Northern Europe in January 1999. Ethan is a simple macro virus, consisting of a single macro less than 50 lines long. It infects Word's NORMAL.DOT template and documents by inserting its code into a module in the document.
To spread, the virus generates a file named "c:\ethan.___". This file alone is harmless and can be deleted after disinfection. It is created with the hidden and system attributes set.
Ethan activates at random. Whenever a document is opened, there is a 3-in-10 chance that the virus will change the document's properties. If this happens, the virus changes the document's Title to "Ethan Frome", its Author to "EW/LN/CB" and its Company to "Foo Bar Industries Inc.".
"Ethan Frome" is a novel by Edith Wharton, published in 1911. It was also released as a film in 1993, with Liam Neeson playing Ethan Frome. In addition, W97M/Ethan checks whether the machine is already infected with the W97M/Class virus and, if so, deletes the class.sys file that W97M/Class uses to replicate.
W97M/Ethan and its variants are very frequently reported in the wild.
BEWARE OF W97M/GROOVIE VIRUS
This Word macro virus creates an infected file called DATA.DOC in the Word startup directory. While infecting files, it creates a temporary file called C:\GROOVIE.SYS and imports the virus code from it.
W97M/Groovie is able to spread under the Word 97 SR-1 update, but it is not the first virus able to do so.
Groovie activates by displaying a message box with these texts:
ALT-F11 says
It's GROOVIE
The virus also attempts to set the hard drive volume label to "groovie", to create a configuration information file with IPCONFIG, and to send that file to an FTP site over the Internet.
After disinfecting W97M/Groovie, the hard drive volume label has to be restored manually to its original value. The temporary C:\GROOVIE.SYS file is also not removed and has to be deleted manually. Note that GROOVIE.SYS is not infected and cannot spread; it is just a temporary file used by the virus.
BEWARE OF WM/CAP VIRUS
Cap is a macro virus that infects Microsoft Word for Windows documents. It first appeared in February 1997 and is widespread. The virus consists of one large macro, called CAP (which gives the virus its name), which is called from the virus's other macros: AutoExec, AutoOpen, FileSave, FileSaveAs, FileTemplates, ToolsMacro, FileClose, FileOpen and AutoClose.
The CAP macro contains the following comment (in Spanish):
C.A.P: Un virus social.. y ahora digital.. '"j4cKy Qw3rTy" (jqw3rty@hotmail.com). Venezuela, Maracay, Dic 1996.
P.D. Que haces gochito ? Nunca seras Simon Bolivar.. Bolsa !
In English: "C.A.P: A social virus.. and now digital.. 'j4cKy Qw3rTy' (jqw3rty@hotmail.com). Venezuela, Maracay, Dec 1996. P.S. What are you up to, gochito? You'll never be Simon Bolivar.. Bolsa!" (gochito: a nickname for someone from the Venezuelan Andes; bolsa: Venezuelan slang for a fool.)
When the virus replicates, the first thing it does is copy its basic set of ten macros (CAP and the nine listed above). The virus then browses the Word for Windows menu items, collects their names (they can differ between language versions and customised versions of Word for Windows) and intercepts up to five of these additional commands, creating macros under their names that contain a pointer to the main CAP macro. Any system macros defined in the global template before the infection occurred are deleted. The virus also removes the menu items Tools | Macro and Tools | Customize. The File | Templates menu item is still present after infection, but it does not work.
The virus uses the macro description field (located at the bottom of the Tools | Macro dialog) for self-recognition of its core macros. Their descriptions begin with F%: FileOpen contains F%O, FileClose contains F%C, FileSave contains F%S and FileSaveAs contains F%SA.
BEWARE OF ONE-HALF VIRUS
One-Half is a multipartite virus that infects COM and EXE files when they are executed, opened, renamed, and so on. The partition sector of the hard disk is infected when an infected program is executed.
An infected file grows by 3544 bytes. The virus reduces the size of DOS memory by 4 KB. When the virus is memory resident it uses stealth to conceal itself, including its own code and the change in file size. The virus is also polymorphic. One-Half is a "fast infector", infecting files not only on load-and-execute but also on open, rename, etc. For this reason it is essential that scanners are able to detect the virus while it is active in memory.
The virus uses tunnelling (it traces INT 13h to find the original interrupt entry point). The virus hooks interrupts 01h, 13h, 1Ch, 21h (functions 11h, 12h, 3Ch, 3Dh, 3Eh, 4B00h, 4Ch, 4Eh, 4Fh, 56h, 5Bh and 6C00h) and 24h. Self-recognition is by calling INT 21h with AX=4B53h; a resident copy of the virus answers with AX=454Bh. The virus recognizes SCAN, CLEAN, FINDVIRU, GUARD, VSAFE, NOD and MSAV by name and does not infect them.
The virus relocates the original, clean partition sector further along the first track, eight sectors before the boot sector. Additional virus code is stored in several sectors following this sector, including one sector that contains the text:
Dis is one half
Press any key to continue.....
and
Did you leave the room ? (which is never displayed).
The nastiest feature of One-Half is its payload. Each time the PC is rebooted, the virus encrypts two more cylinders of the hard disk, working inward from the end of the disk. While the virus is in memory it decrypts these cylinders on the fly, so that all the data appears normal. However, if the method used to remove the virus does not decrypt these cylinders first, the data on them becomes inaccessible: the key is held in the virus body and nothing else on the system can undo the encryption. For this reason FDISK /MBR must not be used to remove this virus.
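The following Python model is added here to show why that matters for disinfection; it is not code from this page or from any antivirus product, and it does not reproduce the virus. The disk geometry, the byte sizes, the key value 0x3A5C and the word-XOR cipher are constructed for the illustration. The point it demonstrates is the one above: the data reads correctly while the virus is resident, an FDISK /MBR-style removal that only rewrites the partition sector leaves the encrypted cylinders scrambled with the key gone, and a proper disinfection decrypts them first.

```python
# Toy model of the One-Half disk-encryption payload (constructed illustration,
# not the virus's code). Real One-Half encrypts two further cylinders of the
# hard disk per reboot, from the last cylinder inward, and decrypts reads of
# that region on the fly while it is memory resident.
import random

CYLINDERS = 10   # toy disk geometry (constructed for the demo)
CYL_BYTES = 32   # bytes per toy cylinder (constructed)


def xor_word(data: bytes, key: int) -> bytes:
    """XOR every little-endian 16-bit word of `data` with `key`; self-inverse."""
    lo, hi = key & 0xFF, (key >> 8) & 0xFF
    return bytes(b ^ (lo if i % 2 == 0 else hi) for i, b in enumerate(data))


class Disk:
    def __init__(self, seed: int = 7):
        rng = random.Random(seed)
        self.cyl = [bytes(rng.randrange(256) for _ in range(CYL_BYTES))
                    for _ in range(CYLINDERS)]
        self.original = list(self.cyl)   # reference copy used only by the checks
        # Virus state (XOR key and count of encrypted cylinders) lives in the
        # virus body next to the partition sector; overwriting that sector
        # destroys it.
        self.virus = None


def infect(disk: Disk, key: int = 0x3A5C) -> None:
    disk.virus = {"key": key, "encrypted": 0}


def boot(disk: Disk) -> None:
    """Each reboot from the infected partition sector encrypts two more
    cylinders, from the end of the disk inward; cylinder 0 is never touched."""
    v = disk.virus
    if v is None:
        return
    for _ in range(2):
        if v["encrypted"] >= CYLINDERS - 1:
            break
        idx = CYLINDERS - 1 - v["encrypted"]
        disk.cyl[idx] = xor_word(disk.cyl[idx], v["key"])
        v["encrypted"] += 1


def read_cylinder(disk: Disk, idx: int) -> bytes:
    """What a program sees through INT 13h: while resident, the virus decrypts
    reads from the encrypted region on the fly, so everything looks normal."""
    v = disk.virus
    if v is not None and idx >= CYLINDERS - v["encrypted"]:
        return xor_word(disk.cyl[idx], v["key"])
    return disk.cyl[idx]


def fdisk_mbr(disk: Disk) -> None:
    """FDISK /MBR-style removal: rewrites the partition sector and nothing else."""
    disk.virus = None


def disinfect(disk: Disk) -> None:
    """Correct removal: decrypt the cylinders with the virus's own key first."""
    v = disk.virus
    if v is None:
        return
    for idx in range(CYLINDERS - v["encrypted"], CYLINDERS):
        disk.cyl[idx] = xor_word(disk.cyl[idx], v["key"])
    disk.virus = None


def data_intact(disk: Disk) -> bool:
    return all(read_cylinder(disk, i) == disk.original[i] for i in range(CYLINDERS))


def demo(reboots: int, use_fdisk_mbr: bool) -> dict:
    """Infect a toy disk, reboot `reboots` times, then remove the virus one of two ways."""
    disk = Disk()
    infect(disk)
    for _ in range(reboots):
        boot(disk)
    result = {"encrypted": disk.virus["encrypted"],
              "looks_fine_while_resident": data_intact(disk)}
    (fdisk_mbr if use_fdisk_mbr else disinfect)(disk)
    result["intact_after_removal"] = data_intact(disk)
    return result


if __name__ == "__main__":
    print("FDISK /MBR after 3 reboots:", demo(3, True))
    print("proper disinfection       :", demo(3, False))
```

After three reboots six toy cylinders are encrypted; data_intact() still reports True while the virus is resident, False after fdisk_mbr(), and True after disinfect(). The same logic is why a real One-Half clean-up tool reads the key and cylinder count out of the virus body before it restores the partition sector.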
BEWARE OF LAROUX VIRUS
XM/Laroux is the first macro virus for Microsoft Excel for Windows that actually works. The virus intercepts Excel's AutoOpen automacro. When an infected spreadsheet is opened, the virus activates and checks whether the system is already infected. If not, the virus creates an Excel for Windows file named PERSONAL.XLS in the Excel for Windows default startup directory (e.g. C:\MSOFFICE\EXCEL\XLSTART) and copies itself there.
The spreadsheets and macros in that directory are loaded automatically whenever Excel for Windows is run. From then on, every spreadsheet opened or created on the infected system becomes infected with the virus.
This virus has no intentional payload; it just replicates. The virus works under Excel for Windows versions 5 and 7, running under Windows 3.x, Windows 95 and Windows NT. It does not work on the Apple Macintosh.
Infected spreadsheets contain a hidden sheet named `laroux`. Here is a quick check for the virus: if Tools/Macro is used to view the macros associated with a spreadsheet, the presence of the macros `auto_open` and `check_files`, and/or `personal.xls!auto_open` and `personal.xls!check_files`, indicates that the system is infected.
BEWARE OF NPAD VIRUS
Npad is a macro virus that infects Word 6.0 documents. The virus has just one macro, AutoOpen. Some variants of the virus contain partially corrupted macros; they infect NORMAL.DOT but replicate no further.
The following strings are contained in the virus; the first indicates that it was written in Bandung, Indonesia ("Maret" is Indonesian for March, and "multi versi" means multi-version):
D0EUNPAD94, v.2.21, (c) Maret 1996, Bandung, Indonesia
Macro MsWord virus, multiplatform, multi versi
The virus adds a variable called 'NPad328' to the 'Compatibility' section of WIN.INI. This is used as a counter: when the counter reaches 23, the virus displays the string
D0EUNPAD94, v.2.21, (c) Maret 1996, Bandung, Indonesia
on the Word for Windows screen when a document is opened.
BEWARE OF WAZZU VIRUS
WM/Wazzu is a macro virus. The virus contains only one macro, AutoOpen. Since the AutoOpen macro has the same name in all language versions of Word for Windows, this virus replicates equally effectively in all international versions of Word for Windows.
This virus has an interesting payload. When an infected document is opened, the virus calls three times a routine that, with a 20% probability each time, moves one word from a random place in the document to another random place. After this, with a 25% probability, the virus also inserts the word "wazzu" at a random point, and then returns to the start of the document.
The WM/Wazzu.dg variant originated in France. It works only under the Office 97 versions of Word for Windows (including the English version and any other language versions). There are several comments in the virus, including this one, which copies the description of the ScanProt protection macros:
VB_Description = "ScanProt macro to install protection macros, disinfect your Normal (Global) template and run the CleanAll macro."
If the current system date is 14 July 1997, the virus triggers and randomly selects one of 20 actions. Some are harmless (for example, turning off the status line at the bottom of the screen, disabling the horizontal or vertical scroll bars, or changing the default font in the global template). However, there is a 5% probability that the virus will also insert the following text in a document:
"Les employes les plus incompetents sont systematiquement promus aux postes ou ils se revelent le moins dangereux: l'encadrement."
In English: "The most incompetent employees are systematically promoted to the positions where they prove least dangerous: management."
BEWARE OF NATAS VIRUS
Natas is a multipartite virus that infects COM and EXE files on execution or on closing (for example, when a file is copied, both the source and the destination are infected). COM files larger than 60,692 bytes or smaller than 1,000 bytes, and EXE files larger than 938,040 bytes, are not infected. The virus also infects the partition sector of the hard disk and the boot sector of floppy disks.
The partition sector of the hard disk is infected when an infected program is executed, or when the PC is booted from an infected floppy disk. Floppy disks are infected on read access (for example, by the DIR or COPY commands).
When an infected program is run, or when the PC is booted from an infected floppy disk, Natas goes memory resident and infects the partition sector. The virus does not relocate the original partition sector. Instead it patches the partition sector's executable code, changing 41 bytes, while leaving the partition table unchanged. Additional virus code is stored in nine sectors at the end of the first track, excluding the last sector of that track.
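As an added example (not from this page and not any vendor's scanner), the following Python compares a suspect 512-byte partition sector with a known-clean copy and reports the changed bytes by region, so that a patch confined to the boot code with the 64-byte partition table and the 55 AA signature intact, the pattern described for Natas above, stands out from a sector whose table has been damaged. The sample sector and the 41-byte patch are constructed for the illustration; the real virus's patch is not reproduced. The sector has to be read after booting from a clean disk, because the resident virus shows a stealthed copy.

```python
# Added example: region-by-region comparison of a partition sector (MBR)
# against a clean reference. The sample sector and the patch are constructed.
import random

CODE_END = 446    # MBR boot code occupies offsets 0..445
TABLE_END = 510   # four 16-byte partition entries at 446..509, then 55 AA
SECTOR = 512


def mbr_diff(clean: bytes, suspect: bytes) -> dict:
    """Byte-compare a suspect partition sector with a known-clean copy, by region."""
    if len(clean) != SECTOR or len(suspect) != SECTOR:
        raise ValueError("a partition sector is exactly 512 bytes")
    changed = [i for i, (a, b) in enumerate(zip(clean, suspect)) if a != b]
    return {
        "code": [i for i in changed if i < CODE_END],
        "table": [i for i in changed if CODE_END <= i < TABLE_END],
        "signature_ok": suspect[TABLE_END:] == b"\x55\xAA",
        "partition_table_intact": clean[CODE_END:TABLE_END] == suspect[CODE_END:TABLE_END],
    }


def partition_entries(sector: bytes) -> list:
    """Decode the four partition-table entries. When only the code is patched,
    as with Natas, the table can still be read from the infected sector."""
    entries = []
    for n in range(4):
        e = sector[CODE_END + 16 * n: CODE_END + 16 * (n + 1)]
        entries.append({
            "bootable": e[0] == 0x80,
            "type": e[4],
            "lba_start": int.from_bytes(e[8:12], "little"),
            "sectors": int.from_bytes(e[12:16], "little"),
        })
    return entries


def make_clean_mbr(seed: int = 3) -> bytes:
    """Constructed sample: random boot code, one DOS (type 06h) partition, 55 AA."""
    rng = random.Random(seed)
    code = bytes(rng.randrange(256) for _ in range(CODE_END))
    entry = (bytes([0x80, 0x01, 0x01, 0x00, 0x06, 0xFE, 0x3F, 0x7F])
             + (63).to_bytes(4, "little") + (1_000_000).to_bytes(4, "little"))
    return code + entry + bytes(48) + b"\x55\xAA"


def patch_like_natas(clean: bytes, seed: int = 5, count: int = 41) -> bytes:
    """Constructed stand-in for the infection: alter `count` boot-code bytes and
    leave the partition table and signature untouched (not the virus's real patch)."""
    rng = random.Random(seed)
    sector = bytearray(clean)
    for off in rng.sample(range(CODE_END), count):
        sector[off] ^= 0xFF      # flipping all bits guarantees the byte changes
    return bytes(sector)


if __name__ == "__main__":
    clean = make_clean_mbr()
    suspect = patch_like_natas(clean)
    d = mbr_diff(clean, suspect)
    print(len(d["code"]), "code bytes changed; table intact:", d["partition_table_intact"])
    print(partition_entries(suspect)[0])
```

On the constructed sample the report shows 41 changed bytes in the code region, none in the table, and a valid signature; flipping a single byte inside an entry moves the change into the "table" list and clears partition_table_intact, which is the case that needs a partition-table repair rather than just a boot-code rewrite.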
Natas infects the boot sector of floppy disks that are accessed on an infected PC. The virus does not relocate the original boot sector. It patches the boot sector, changing 41 bytes. Additional virus code is stored in nine sectors at the end of the disk, and the BIOS Parameter Block (BPB) is patched so that these sectors are not overwritten by data.
Files infected by Natas are variably encrypted and polymorphic. Natas uses stealth to conceal itself when memory resident: if the partition sector is examined while the virus is resident, the original partition sector is displayed. The virus does NOT conceal the additional virus code at the end of the first track. Unlike most full-stealth viruses, Natas can survive backups (BACKUP, PCBACKUP), archiving (ARJ, LHARC, PKZIP), and transfers of infected files via modem (ZMODEM, XMODEM, and so on). It also does not trigger CHKDSK file-system error reports. Natas also uses stealth to conceal the increase in file size.
