Virus.MSWord.Friends

Parent class: VirWare

Viruses and worms are malicious programs that self-replicate on computers or via computer networks without the user being aware; each subsequent copy of such malicious programs is also able to self-replicate. Malicious programs which spread via networks or infect remote machines when commanded to do so by the “owner” (e.g. Backdoors) or programs that create multiple copies that are unable to self-replicate are not part of the Viruses and Worms subclass. The main characteristic used to determine whether or not a program is classified as a separate behaviour within the Viruses and Worms subclass is how the program propagates (i.e. how the malicious program spreads copies of itself via local or network resources.) Most known worms are spread as files sent as email attachments, via a link to a web or FTP resource, via a link sent in an ICQ or IRC message, via P2P file sharing networks etc. Some worms spread as network packets; these directly penetrate the computer memory, and the worm code is then activated. Worms use the following techniques to penetrate remote computers and launch copies of themselves: social engineering (for example, an email message suggesting the user opens an attached file), exploiting network configuration errors (such as copying to a fully accessible disk), and exploiting loopholes in operating system and application security. Viruses can be divided in accordance with the method used to infect a computer:

• file viruses
• boot sector viruses
• macro viruses
• script viruses

Any program within this subclass can have additional Trojan functions. It should also be noted that many worms use more than one method in order to spread copies via networks.

Class: Virus

Viruses replicate on the resources of the local machine. Unlike worms, viruses do not use network services to propagate or penetrate other computers. A copy of a virus will reach remote computers only if the infected object is, for some reason unrelated to the virus function, activated on another computer. For example: when infecting accessible disks, a virus penetrates a file located on a network resource a virus copies itself to a removable storage device or infects a file on a removable device a user sends an email with an infected attachment.

Read more

Platform: MSWord

Microsoft Word (MS Word) is a popular word processor and part of Microsoft Office. Microsoft Word files have a .doc or .docx extension.

Description

Technical Details

This is encrypted virus containing 20 macros:

AutoOpen, AutoExec, DateiÖffnen, DateiNeu, DateiSchlie�en, DateiBeenden,
Talk, Fast, Abbrechen, Infizieren, DateiSpeichern, DateiSpeichernUnter,
FileOpen, FileNew, FileExit, Cancel, FileSave, FileSaveAs, ExtrasMakro,
ExtrasMacro

It infects the files that are accessed in several ways - creating, opening and closing. The virus creates [Friends] section in WIN.INI file and writes the string to there:

Author=Nightmare Joker

The virus in some cases also calls "Fast" and "Talk" macros.

Macro "Fast" depending on the system timer creates the FAST.COM file infected by DOS virus "LittleBrother.395". To do that the virus writes the virus hexadecimal dump to disk file C:DOSFAST.SCR, creates and writes the commands

@echo off"
debug < fast.scr > nul
@echo off"
fast.com"

to C:DOSSTART.BAT file and runs this BAT file. Being executed, START.BAT runs DEBUG.EXE and created infected FAST.COM file (DOS virus dropper). The virus then deletes the files START.BAT and FAST.SCR, and overwrites the C:AUTOEXEC.BAT with the commands that run virus dropper on DOS loading:

@echo off
c:dosfast.com

Macro "Talk" depending on "sCurrency" MS Word variable displays the message boxes in English or German and gets the text string ("My name is:" input):

Hallo mein Freund!
Ich bin der << Friends >> Virus und wie hei�t du? Gib doch bitte
anschlie�end unten deinen Namen ein:
Hello my Friend!"
I'm the << Friends >> Virus and how are you? Can you give me your name,
please:
Mein Name ist:
My name is:
Also [name] ich habe eine gute und eine schlechte Nachricht für
dich! Die schlechte Nachricht ist, da� ich mich auf deiner Platte
eingenistet habe und die gute ist, da� ich aber ein freundlicher und auch
nützlicher Virus bin. Drücke bitte OK f�r Weiter!
Wenn du mich nicht killst, dann füge ich ein Programm in deine
Autoexec.bat ein, da� deine lame Tastatur etwas auf Touren bringt. Also
[name], gib dir einen Ruck und kill mich nicht. Goodbye!
Hello [name] I have a good and a bad message for you! The bad message is
that you have now a Virus on your Harddisk and the good message is that
I'm harmless and useful. Press OK!
If you don't kill me, I will insert a programme in your AutoExec.bat thats
your Keyboard accelerated. Please [name] don't kill me. Goodbye!

where [name] is the string entered in "My name is:/Mein Name ist:".

When extracting macros menu items are run (macros "ExtrasMacro" or "ExtrasMakro") the virus displays the message boxes:

Hello my friend!           << Friends >> Virus
You can't do that!         I'm very anxious!
Hallo mein Freund!         << Friends >> Virus
Du kannst das nicht tun!   Ich bin sehr ängstlich!

Read more

Find out the statistics of the vulnerabilities spreading in your region on statistics.securelist.com