Virus.MSWord.Archfiend

Class Virus
Platform MSWord
Description

Technical Details


This Word macro virus contains six macros: AutoExec, AutoOpen, FileOpen,
ArchFiend, FileSaveAs and ToolsMacro (stealth). The virus infects the global
macro area (NORMAL.DOT) when an infected document is opened (AutoOpen) and
writes itself to documents that are saved under a new name (FileSaveAs).


On the 5th of any month the virus acts as follows. On Macintosh it erases
all files and displays the MessageBox:


ArchFiend

On PC it erases BMP files in the Windows directory (C:\WINDOWS\*.BMP) and
creates the file FIEND.TXT there, containing the text:

##################
## WM.ArchFiend ##
##################
Nrsi:lshoi:m{{i:mhsnn t:st:St~ut is{{;
XOR by 1ah
Your Unlucky Number is: < ½ á ¡«Ñ ¿ ½«>

While saving a document under a new name, if the seconds value of the
current time is 13, the virus sets a randomly selected password for the
document. On entering the Tools/Macro menu the virus writes the following
command to the C:\AUTOEXEC.BAT file:

echo BLOW ME!
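
The following triage check is an added example, not part of the original description: it inspects a drive root or mounted disk image for the on-disk artefacts described above (FIEND.TXT in the Windows directory, the command in AUTOEXEC.BAT). The function names and the constructed sample layout are assumptions made for illustration.

```python
import os
import tempfile

BANNER = b"WM.ArchFiend"     # marker line from the FIEND.TXT text quoted above
BAT_LINE = b"echo blow me!"  # command written to AUTOEXEC.BAT, compared in lower case

def find_ci(directory, name):
    """Case-insensitive lookup of `name` in `directory` (FAT names may differ in case)."""
    for entry in os.listdir(directory):
        if entry.lower() == name.lower():
            return os.path.join(directory, entry)
    return None

def check_archfiend_artifacts(root):
    """Inspect a drive root (or mounted image) and return a list of finding strings."""
    findings = []
    windir = find_ci(root, "WINDOWS")
    if windir and os.path.isdir(windir):
        note = find_ci(windir, "FIEND.TXT")
        if note:
            with open(note, "rb") as fh:
                data = fh.read(4096)
            kind = "with WM.ArchFiend banner" if BANNER in data else "without the banner"
            findings.append(f"FIEND.TXT present {kind}")
            # Corroborating signal only: the payload erases *.BMP in this directory.
            bmps = [f for f in os.listdir(windir) if f.lower().endswith(".bmp")]
            if not bmps:
                findings.append("no BMP files left in Windows directory")
    autoexec = find_ci(root, "AUTOEXEC.BAT")
    if autoexec and os.path.isfile(autoexec):
        with open(autoexec, "rb") as fh:
            hits = sum(1 for line in fh if line.strip().lower() == BAT_LINE)
        if hits:
            findings.append(f"AUTOEXEC.BAT contains payload command ({hits}x)")
    return findings

def build_constructed_sample(root):
    """Create a constructed (synthetic) drive layout showing the artefacts, for the demo."""
    os.mkdir(os.path.join(root, "WINDOWS"))
    with open(os.path.join(root, "WINDOWS", "FIEND.TXT"), "wb") as fh:
        fh.write(b"##################\r\n## WM.ArchFiend ##\r\n##################\r\n")
    with open(os.path.join(root, "AUTOEXEC.BAT"), "wb") as fh:
        fh.write(b"@ECHO OFF\r\nPATH C:\\DOS\r\necho BLOW ME!\r\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        print("\n".join(check_archfiend_artifacts(tmp)))
```

An empty result only means these payload traces are absent; the payload runs on the 5th of the month and on Tools/Macro access, so an infected NORMAL.DOT can exist without them.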