Virus.MSWord.Techno

tag:Macro Viruses

0 0

It is a stealth macro-virus. It contains twenty procedures in one module "VrTechnoCode": VrInstall, AutoOpen, AutoExec, FileOpen, FileNew, FileNewDefault, FileSaveAs, FileSave, FileClose, DocClose, ViewVBCode, ToolsMacro, FileTemplates, ToolsOptions, VrStealth, IsChance, FilePrint, FilePrintDefault, AddOemInfo, CreateImageScreen.

The virus infects the global macros area on opening an infected document and infects other documents on opening, creating and saving. On closing a document, the virus sets the document protection type to wdAllowOnlyFormFields that denies any changes in the document text except form fields. On opening infected documents, the virus unprotects them, and on closing, protects them again. As a result, after disinfection, documents will stay protected. This protection may be removed manually by choosing the menu Tools/Unprotect, password is "Elite".

The virus turns off the Word virus protection (the VirusProtection option). The virus' stealth routine intercepts and prevents the opening of Visual Basic Editor, Tools/Macro and File/Templates dialogue boxes. With a probability of one in five, this routine displays MS Office Assistent with the message:

VR 义蹴铍钽? v1.0
Word Macro 氯杏?!!
穆奕 搪?性  c 1999

The virus infecting routine, with probability of one in nine, creates, in the "C:\Windows\System" directory, the "oeminfo.ini" file with the text:

[General]
Manufacturer=穆奕 搪?性
Model=MS Word 妈痼?[Support Information]
Line1=暑祜蝈?玎疣驽?忤痼耦? VrTechno V1.1
Line2=
Line3=Word Macro Virus
Line4=John Great, 穆奕 搪?性 - (C) '1999

With probability five percents the infection procedure inserts into documents a graphic shapes with text:

Microsoft Word Macro Virus
VrTechnoCode
- Word 7.0                                        Version 1.1
- Stealth Technology
- Infect Documents and Templates
Copyright by John Great from Russia Far East, Khabarovsk'1999

The virus contains another payload routine - on printing the virus with probability 20 percents sends to printer the content of the "Autoexec.bat" file instead of active document.

The virus code contains comment:

'-------------------------------------------------------'
'  VR 义蹴铍钽? v1.1 by John Great from Russia (C)'99  '
'-------------------------------------------------------'

Techno.c

This is the next generation of the virus. There are several minor changes in the code. The password for infected documents in this virus version has been changed to "Mirochka".

previous:Virus.MSWord.Tear
previous:Virus.MSWord.Tele-Sex

Virus Source from:

New articles

RedCrossAntivirusRedCrossAntivirus carries out the following actions: When it is run, it connects to the website http://85.231.174/inst.php?id=and the program st...Virus.MSWord.HassleThis is a encrypted virus containing 7 macros:NORMAL.DOTInfected files AutoExecAutoClose FileSaveAsToolsMacro ToolsMacroMicrosoft01 Microsoft05Microsoft02 Micro...Virus.MSWord.HilightThis is an encrypted macro virus. It contains two macros that have different names in documents and NORMAL.DOT:DocumentsNORMAL.DOT AutoOpenAutoExec PrezentItFil...Virus.MSWord.HeaderThis virus contains 3 macros:DocumentsNORMAL.DOT AutoOpenao fsFileSave fsaFileSaveAsThe virus infects the system area on opening an infected document (AutoOpen)...Virus.MSWord.HiacThis macro virus does not manifest itself in any way. It contain two macros in infected documents and NORMAL.DOT:DocumentsNORMAL.DOT ------------------- AutoClo...

Hot Articles

Virus.MSWord.Techno

Computer Virus Clounds