Virus.MSWord.Blaster

Class Virus
Platform MSWord
Description

Technical Details

This is a dangerous macro-virus. Also known as Cont. It infects global a macro area upon opening an infected document.
Other documents are infected upon closing. The infecting routine locates the virus’ procedures
“Document_Close” and “Document_Open” separately, and stores them on the
disk file C:CONT.DBL. When a victim’s document is being infected, the
infection routine adds the virus code from this file (C:CONT.DBL) to
a document, without destroying the document’s macros. The exception are macros with the same
names as the virus procedures contain, making the virus even stealthier.

In one case out of two, the virus changes a document’s summary information to:

Title=”Macro Carrier”
Author=”Dream Blaster”
Keywords=”Minny”

The virus’ payload routine activates on the 17th of each month. It looks for
the disk file “C:MINNY.LOG” that also has a “hidden” and “read only” attributes
set. If such a file does not exist, the virus appends to the AUTOEXEC.BAT file
several commands that destroy all files and folders on drives C:, D:, E:
and F: upon next computer rebooting.