Virus.MSWord.Cristall

Class Virus
Platform MSWord
Description

Technical Details


This virus contains six macros: AutoNew, AutoExec, AutoOpen, CRIstall,
OutilsMacro, EditionInsertionAuto. It infects the global macros area on opening
an infected document (AutoOpen) and infects other documents on creating or
opening (AutoNew, AutoOpen).


Starting from May 10th 1998 depending on system random counter the virus
manifests itself with the effect:


  • either changes the font in current document for TimesNewRoman size 10;
  • or replaces character “e” with ” ” in document;
  • or calls one of the Web pages (if Internet Explorer is installed):

    http://user.tninet.se/~syq123w/CRACKZ.HTM

    http://nt3.nettaxi.com/citizens/kevinlee/crackz.html

    http://www.crackz.com

    http://www.sentex.net/~wizard/crackz.html

    http://www.c3.hu/~piiti/warez.html

    http://home.yezz.de/~hladek/warez.html

    http://www.sawasdee.com/patrick/crackz.htm

    http://ortugg.simplenet.com/crackz.html

    http://www.nehp.net/mabrwn/home__appz__gamez__crackz__links.htm

    http://hem2.passagen.se/ravez/crackz.htm

    http://www.cbes.net/~lperfect/warez/appz.html

    http://scriptz.habanero.ml.org/warez/

    http://home.yezz.de/~hladek/warez.html
  • or creates a query on www.altavista.digital.com with a parameter from the
    list:

    warez

    crackz

    pedophile

    gamez

    unix+near+brute+force

    mastercard+breaking

    serialz

    cracking+and+root+mode

    hacking

  • or deletes all *.INI and *.DA? files in C:WINDOWS directory;
  • or appends to the C:AUTOEXEC.BAT file a command that formats the hard
    drive.