Trojan.MSWord.Tvangeste

Technical Details

This is a Trojan horse written as a MS Word97 macro-program. When it is
activated, it appends to the end of a AUTOEXEC.BAT file a set of commands
that delete all data on the C:,D:,E: drives. It then displays the following messages:

World War starting now!

Tvangeste v 1.0

3rd World War

It then goes into an endless loop displaying the following message:

3rd World War

Macro.Word97.Trojan.Tvangeste.b

This macro-Trojan saves the copy of an infected document with the name
“C:Program FilesMicrosoft Office?�”–�kafeln.dot” and appends to the
end of AUTOEXEC.BAT file the commands:

cd C:Program FilesMicrosoft Office?�”–�del normal.dot

ren kafeln.dot normal.dot

In this way, this Trojan tries to replace a normal template with an infected one,
but it works only in case the Russian version of MS Word is installed, and
the templates directory is “C:Program FilesMicrosoft Office?�”–�”.

The Trojan also appends to the AUTOEXEC.BAT file the commands:

md c:atp_tour

md c:atp_tourkafelnik.001

md c:atp_toursampras.002

md c:atp_tourcorretja.003

md c:atp_tourrafter.004

md c:atp_tourmoya.006

md c:atp_tourhenman.007

md c:atp_tourrios.008

md c:atp_tourphilipou.009

md c:atp_tourkucera.010

md c:atp_tourkrajicek.005

subst k: c:atp_tour >nul

Then it displays messages in Russian and:

Tvangeste v 2.0

Kafelnikov