Parent class: VirWare
Viruses and worms are malicious programs that self-replicate on computers or via computer networks without the user being aware; each subsequent copy of such malicious programs is also able to self-replicate. Malicious programs which spread via networks or infect remote machines when commanded to do so by the “owner” (e.g. Backdoors) or programs that create multiple copies that are unable to self-replicate are not part of the Viruses and Worms subclass. The main characteristic used to determine whether or not a program is classified as a separate behaviour within the Viruses and Worms subclass is how the program propagates (i.e. how the malicious program spreads copies of itself via local or network resources.) Most known worms are spread as files sent as email attachments, via a link to a web or FTP resource, via a link sent in an ICQ or IRC message, via P2P file sharing networks etc. Some worms spread as network packets; these directly penetrate the computer memory, and the worm code is then activated. Worms use the following techniques to penetrate remote computers and launch copies of themselves: social engineering (for example, an email message suggesting the user opens an attached file), exploiting network configuration errors (such as copying to a fully accessible disk), and exploiting loopholes in operating system and application security. Viruses can be divided in accordance with the method used to infect a computer:- file viruses
- boot sector viruses
- macro viruses
- script viruses
Class: Virus
Viruses replicate on the resources of the local machine. Unlike worms, viruses do not use network services to propagate or penetrate other computers. A copy of a virus will reach remote computers only if the infected object is, for some reason unrelated to the virus function, activated on another computer. For example: when infecting accessible disks, a virus penetrates a file located on a network resource a virus copies itself to a removable storage device or infects a file on a removable device a user sends an email with an infected attachment.Read more
Platform: MSOffice
Microsoft Office is a multiplatform suite of productivity applications published by Microsoft. Office applications are compatible with many types of files and content.Description
Technical Details
This macro virus infects two Office97 applications: Word documents and Excel sheets. To be compatible with different Office97 applications the virus uses VisualBasic compatibility and uses the same code in both Word and Excel.
The virus infects the system, documents and sheets when files are opened (auto-macros AutoOpen in Word and Auto_Open in Excel). While infecting the virus uses the export/import Office97 functions via the C:SHIVER.SYS file. It writes (exports) its code to there and then reads (imports) into an object that is being infected.
Under both Word and Excel the virus replicates itself by using standard tricks. While infecting Word files the virus copies its code to document or global macros area (NORMAL.DOT). Under Excel the virus hooks sheets activation process and sets the infection macros ShiverTime as the handler. The virus also saves the infected PERSONAL.XLS file in the Excel startup directory and as a result infects the system Excel area.
One leaving Word (AutoExit) the virus attempts to spread its code from Word to Excel. The virus uses the DDE functions: it runs Excel in minimized windows and pass to there data and commands necessary to create the infected PERSONAL.XLS file in the Excel startup directory. The virus infects Word from Excel by using similar way: it runs minimized Word, opens Visual Basic Editor and reads its code from the C:SHIVER.SYS file.
The virus does not delete its C:SHIVER.SYS file after infection and uses it to re-infect Word if the main virus code was deleted (disinfected) in documents and NORMAL.DOT. To do that the virus on each Word startup looks for WORD8.DOT file in the Word startup directory. If there is no such file, the virus creates it and writes a short FileSaveAs macro to there. This macro contains just a few commands that import the virus code from the C:SHIVER.SYS into documents that are saved with new name. As a result the virus stays active ever if all documents and NORMAL.DOT are disinfected. The virus uses the same export/import way to create the WORD8.DOT dropper, as a source code buffer the C:SENTRY.SYS file is used.
To detect its presence in the system the virus uses the system Registry and writes its ID-values into the key "HKEY_CURRENT_USERSoftwareVB and VBA Program SettingsOffice8.0". There are two values that mark virus presence/absence in the system:
Shiver[DDE] = ALT-F11 Shiver[DDE] = NoNos(Depending on the system random counter the virus resets this key to "NoNos(" and forces its infection routines renew the infected WORD8.DOT and PERSONAL.XLS in the Word and Excel startup directories.
The Virus Internals
The virus contains 18 macros in one "Module1":AutoExec - Word auto-function, contains Word re-infection routine AutoOpen - Word auto-function, contains Word docs infection routine WordStealth - adds the stealth macros ToolsMacro, FileTemplates, ViewVBCode into the Word global macros (NORMAL.DOT) AutoExit - Word auto-function, infects Excel FindExcel - Excel searching routine PersonalFun - used on Excel infection CheckMarker - "Are you here?" function, checks the Registry MakeMarker - writes virus ID into the Registry PXL_Done - used on Excel infection Auto_Open - Excel auto-function, hooks the sheets activation routine ShiverTime - sheets activation hooker and infector wdTrigger - Word trigger routine xlTrigger - Excel trigger routine Auto_Close - Excel auto-function, spreads the virus to Word delay - used on Word infection wdReEvalInfection - looks for infected PERSONAL.XLS in Excel startup-dir xlReEvalInfection - looks for infected WORD8.DOT in Word startup-dir DDE_Info - do-nothing macro, contains the "copyright": Shiver[DDE] by ALT-F11 with help from ALT-F4 This is the first virus produced by The Alternative Virus Mafia (AVM) ALT-F4 - "I was born for dying" ALT-F11 - "Actions without thoughts"
Trigger routines
The virus has stealth abilities. Under Excel it disables the menu items Window/Unhide... and Tools/Macro. Under Word it also creates the stealth macros in the NORMAL.DOT: ToolsMacro, FileTemplates, ViewVBCode in the module "ThisDocument". As a result the virus hides its code. The virus also disables the Office97 virus protection.Depending on the system random counter the virus runs following effects:
- in Excel it inserts into random selected cell the comments:
Shiver[DDE] by ALT-F11
- in Word it creates the C:SISTER.DLL file, writes the text to there and
runs WRITE to show it:
Hey Man, I Kinda Like Your Sister Hey Man, I Hope That's Cool Hey Man, I Kinda Lose My Mind Every Single Time I Find Your Sister Suntanned By The Pool Hey Man, I Wanna See Her Naked Hey Man, I'm Always In Her Room All Alone When No One's There Going Through Her Underwear Hey Man, I Gotta See Her Soon Hey Man, I'll Never Get Her Pregnant But Hey Man, How Can I Resist Her The Day I Give Her A Wedding Band Are You Going To Be My Best Man? Hey Man, I Kinda Like Your Sister I Kinda Like Your Sister I Kinda Like Your Sister I Kinda Like Her
- in Word it renames the menu items:
Tools/Macro = "Shiver[DDE] by ALT-F11" File/Versions... = "Cum Stained Sheets..." Edit/Paste Special... = "Hey Man I Did Your Mom..." Insert/Break... = "Wanna do some MDMA ?" Help/About Microsoft Word = "Peace, Love and Drugs" File/Properties = "I'll die happy, you'll just die" Edit/Go To... = "Heywood Jablowmi" Tools/Word Count... = "Body Count" Format/Font... = "Cunt" File/Close = "No Clothes" Window/Split = "Blow Me" Insert/Picture = "Crusty Porn GIF" File/Print... = "My Balls Itch" Format/Bullets and Numbering... = "Pills And Needles" Table/Insert Table... = "Insert and Probe" Tools/Customize... = "Sodomize..." Tools/Spelling and Grammar... = "Spelling and Your Grandma..." View/Toolbars = "Gaybars" View/Master Document = "Masturbation"
Read more
Find out the statistics of the vulnerabilities spreading in your region on statistics.securelist.com