Kaspersky Threats — Archfiend

Class

Platform

Description

Technical Details

This Word macro virus contains six macros: AutoExec, AutoOpen, FileOpen,
ArchFiend, FileSaveAs, ToolsMacro (stealth). The virus infects the global
macros area (NORMAL.DOT) on opening an infected document (AutoOpen) and
writes itself to documents that are saved with new name (FileSaveAs).

On 5th of any month the virus: on Macintosh erases all files and displays
the MessageBox:



ArchFiend

On PC it erases BMP files in Windows directory (C:WINDOWS*.BMP) and
creates the FIEND.TXT there containing the text:



##################

## WM.ArchFiend ##

##################

Nrsi:lshoi:m{{i:mhsnn t:st:St~ut is{{;

XOR by 1ah

Your Unlucky Number is: < ½  á ¡«Ñ  ¿ ½«>

While saving a document with new name, if current time is 13 seconds, the
virus sets for the document a random selected password. On entering the
Tools/Macro menu the virus writes to the C:AUTOEXEC.BAT file the command:



echo BLOW ME!

Class	Virus
Platform	MSWord
Description	Technical Details This Word macro virus contains six macros: AutoExec, AutoOpen, FileOpen, ArchFiend, FileSaveAs, ToolsMacro (stealth). The virus infects the global macros area (NORMAL.DOT) on opening an infected document (AutoOpen) and writes itself to documents that are saved with new name (FileSaveAs). On 5th of any month the virus: on Macintosh erases all files and displays the MessageBox: ArchFiend On PC it erases BMP files in Windows directory (C:WINDOWS*.BMP) and creates the FIEND.TXT there containing the text: ################## ## WM.ArchFiend ## ################## Nrsi:lshoi:m{{i:mhsnn t:st:St~ut is{{; XOR by 1ah Your Unlucky Number is: < ½ á ¡«Ñ ¿ ½«> While saving a document with new name, if current time is 13 seconds, the virus sets for the document a random selected password. On entering the Tools/Macro menu the virus writes to the C:AUTOEXEC.BAT file the command: echo BLOW ME!

Virus.MSWord.Archfiend

Technical Details