WordMacro/Xenixos
WordMacro/Xenixos was posted to alt.comp.virus in February 1996. This macro virus probably came from Austria. It works correctly only with the German version of Word. Under English Word it does infect NORMAL.DOT (it makes use of AutoExec and AutoOpen). It contains the following execute-only macros (some of them are German menu macros):
AutoExec
AutoOpen
DateiBeenden - FileQuit
DateiDrucken - FilePrint
DateiDruckenStandard - FilePrintDefault
DateiOffnen (with the umlaut) - FileOpen
DateiSpeichern - FileSave
DateiSpeichernUnter - FileSaveAs
Drop
Dummy
ExtrasMakro - ToolsMacro

The virus tests a variable named 'RR2CD' in the [compatibility] section of the WIN.INI file. If this variable has the value '0x0020401', the virus does not spread or execute the payload. The virus disables Word's prompt to save changes to NORMAL.DOT on DateiBeenden (FileQuit).
The virus contains several payloads:
1) On DateiDrucken (FilePrint) and DateiDruckenStandard (FilePrintDefault) the virus tests the current seconds value and, if it is lower than 30, prints the text "Nemesis Corp." and inserts the text "Brought to you by the Nemesis Corporation, (c) 1996" at the end of the document.
2) On DateiSpeichern (FileSave) and DateiSpeichernUnter (FileSaveAs) the virus tests the current seconds value and, if it is greater than 45, encrypts the document with the password xenixos.
3) On DateiSpeichern (FileSave) and DateiSpeichernUnter (FileSaveAs) the virus tests the current system date and, if it is set to later than May the 1st, appends one line to C:\AUTOEXEC.BAT, which causes the formatting of the logical disk C: under the German version of DOS.
4) On DateiSpeichernUnter (FileSaveAs) the virus tests the current system date and, if it is set to later than March the 1st, tries to drop the binary virus NeurobasherHAVOC-4651 with a bug, so that this Neuroquila is no longer multipartite and infects Boot and MBR only. The dropping is done in a better way than in Nuclear, but it still does not work because the virus author misunderstood how the DEBUG program works. It also appends one line to C:\AUTOEXEC.BAT to execute the binary virus.
The ExtrasMakro (ToolsMacro) macro is installed as an attempt to stealth the virus to a certain degree. It displays an error message instead of the original ToolsMacro dialog.
The virus has been posted to the newsgroup. There is a chance it could be found in the wild in the future, mostly in German-speaking countries.
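A triage check built from the two indicators described above, the macro name set and the 'RR2CD' value in WIN.INI. This is an added example, not code from the original description; the function names and sample inputs are constructed, the macro names are assumed to have been extracted from the template by other means, and comparing the marker as a string is an assumption.

```python
import configparser
import unicodedata

# Macro names from the list above, lower-cased with the umlaut stripped.
XENIXOS_MACROS = {
    "autoexec", "autoopen", "dateibeenden", "dateidrucken",
    "dateidruckenstandard", "dateioffnen", "dateispeichern",
    "dateispeichernunter", "drop", "dummy", "extrasmakro",
}
MARKER_KEY, MARKER_VALUE = "RR2CD", "0x0020401"  # as given in the description

# Constructed sample inputs (not taken from a real system).
SAMPLE_MACROS = ["AutoExec", "AutoOpen", "DateiBeenden", "DateiDrucken",
                 "DateiDruckenStandard", "DateiÖffnen", "DateiSpeichern",
                 "DateiSpeichernUnter", "Drop", "Dummy", "ExtrasMakro"]
SAMPLE_WIN_INI = """[windows]
load=
[Compatibility]
NOTSHELL=0x0001
RR2CD=0x0020401
"""


def normalize(name):
    """Lower-case and strip diacritics so 'DateiÖffnen' equals 'DateiOffnen'."""
    decomposed = unicodedata.normalize("NFKD", name)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).lower()


def matching_macros(macro_names):
    """Sorted subset of the listed macro names present in a template."""
    return sorted({normalize(n) for n in macro_names} & XENIXOS_MACROS)


def marker_present(win_ini_text):
    """True if [compatibility] holds RR2CD=0x0020401, the value the virus tests."""
    ini = configparser.ConfigParser(strict=False, allow_no_value=True,
                                    interpolation=None, delimiters=("=",))
    ini.read_string(win_ini_text)
    for section in ini.sections():          # section names keep their case
        if section.lower() == "compatibility":
            value = ini[section].get(MARKER_KEY)  # option lookup ignores case
            return value is not None and value.strip().lower() == MARKER_VALUE
    return False


def triage(macro_names, win_ini_text):
    """Combine both indicators into one report for a NORMAL.DOT / WIN.INI pair."""
    hits = matching_macros(macro_names)
    return {"macro_hits": hits,
            "full_macro_set": len(hits) == len(XENIXOS_MACROS),
            "marker_present": marker_present(win_ini_text)}
```

A template carrying the full macro set on a machine where marker_present is True matches the case in which, per the description, the virus neither spreads nor runs its payloads.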







