Virus.MSWord.Dot666

Class: Virus
Platform: MSWord
Description

Technical Details


This is a polymorphic macro virus specific to the German version of MS
Word. It does not manifest itself in any way. It contains three macros:
AutoClose, ExtrasMakro, DateiDokVorlagen.


AutoClose is an auto-macro that is executed whenever any file is closed.
The virus uses that hook to replicate itself when documents are closed.
ExtrasMakro and DateiDokVorlagen are the macro viewing/editing functions
(File/Templates, Tools/Macro) in German MS Word; the virus uses them as its
stealth routines.


The virus has a quite unusual stealth mechanism. When infecting the global
macros area it copies just one macro, AutoClose, to NORMAL.DOT. The two
other macros are written to the 666.DOT file, which is placed in the Word
startup directory. When either of these macros takes control (on entering
File/Templates or Tools/Macro) the virus temporarily moves its AutoClose
from NORMAL.DOT to the 666.DOT file. On leaving these functions the virus
restores the AutoClose macro in NORMAL.DOT. In this way the virus protects
itself from being found (stealth).


On each replication the virus runs its polymorphic mutation engine, which
randomly changes the names of all virus variables and functions.
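
A detection check that follows from the description above, written as an added example (it is not part of the original entry or of any vendor's scanner). It assumes a per-template list of macro names has already been extracted outside of Word by some other tool, and that the three macro names stay constant across mutations because Word calls them by name; the function name `assess` and all sample paths are hypothetical.

```python
from pathlib import PureWindowsPath

# Macro names taken from the description. The mutation engine renames
# variables and functions, so match on these names, not on macro body hashes.
HOOK = "autoclose"
STEALTH = {"extrasmakro", "dateidokvorlagen"}
DROPPED = "666.dot"


def assess(inventory):
    """inventory maps a template path to the macro names found in that file.

    Returns (verdict, holder); holder is the file name that currently
    carries AutoClose, or None if no template has it.
    """
    per_file = {p: {m.lower() for m in names} for p, names in inventory.items()}
    all_names = set().union(*per_file.values())
    file_names = {PureWindowsPath(p).name.lower() for p in per_file}
    holder = next((PureWindowsPath(p).name.lower()
                   for p, names in sorted(per_file.items()) if HOOK in names),
                  None)

    if HOOK in all_names and STEALTH <= all_names:
        # The full set is present somewhere in the global macro area. Which
        # file holds AutoClose only shows whether the stealth swap is active,
        # so the verdict must not depend on NORMAL.DOT alone.
        return "infected", holder
    if DROPPED in file_names or STEALTH <= all_names:
        return "suspicious", holder
    # AutoClose on its own is a legitimate Word auto-macro.
    return "clean", holder


# Constructed sample inventories (paths and macro listings are illustrative).
RESTING = {
    r"C:\WINWORD\TEMPLATE\NORMAL.DOT": ["AutoClose"],
    r"C:\WINWORD\STARTUP\666.DOT": ["ExtrasMakro", "DateiDokVorlagen"],
}
DIALOG_OPEN = {  # state while File/Templates or Tools/Macro is open
    r"C:\WINWORD\TEMPLATE\NORMAL.DOT": [],
    r"C:\WINWORD\STARTUP\666.DOT": ["AutoClose", "ExtrasMakro", "DateiDokVorlagen"],
}
BENIGN = {r"C:\WINWORD\TEMPLATE\NORMAL.DOT": ["AutoClose", "Briefkopf"]}

if __name__ == "__main__":
    for label, inv in [("resting", RESTING), ("dialog open", DIALOG_OPEN),
                       ("benign", BENIGN)]:
        print(label, assess(inv))
```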