Kaspersky Threats

Class

Platform

Description

Technical Details

It is an encrypted Word macro virus, it contains nine macros:



Document        NORMAL.DOT

FileClose       FC

AutoOpen        NOpen

FileSave

7 other         FileSaveAs

with random     FilePrint

names           FilePrintDefault

FileTemplates

ToolsMacro

FileExit

PCGURU4

It infects global macros area on opening or closing an infected document
(AutoOpen, FileClose). It infects documents on saving and saving with new
name (FileSave, FileSaveAs). While infecting documents the virus stores
renames its macros (see above) with random names and saves references to
them to document’s variables.

On October 23rd on printing documents the virus appends to the end of
documents the message:



NAENBGOURSG

Hello from GREECE

On October 24th the virus creates and spawns the PCGURU4.BAT file that
contains the instructions:



@echo off

Rem PcGuru4 virus by NAENBGOURSG

Rem Golden Version 4.3

type PcGuru4.bat >> PcGuru4.bat

Class	Virus
Platform	MSWord
Description	Technical Details It is an encrypted Word macro virus, it contains nine macros: Document NORMAL.DOT FileClose FC AutoOpen NOpen FileSave 7 other FileSaveAs with random FilePrint names FilePrintDefault FileTemplates ToolsMacro FileExit PCGURU4 It infects global macros area on opening or closing an infected document (AutoOpen, FileClose). It infects documents on saving and saving with new name (FileSave, FileSaveAs). While infecting documents the virus stores renames its macros (see above) with random names and saves references to them to document’s variables. On October 23rd on printing documents the virus appends to the end of documents the message: NAENBGOURSG Hello from GREECE On October 24th the virus creates and spawns the PCGURU4.BAT file that contains the instructions: @echo off Rem PcGuru4 virus by NAENBGOURSG Rem Golden Version 4.3 type PcGuru4.bat >> PcGuru4.bat

Virus.MSWord.Angus

Technical Details