Class Virus
Platform MSWord

Technical Details

This is encrypted virus. It contains the macros: AutoOpen, InsertPBreak,
DrawBringInFrOut, ToolsRepaginat. While infecting the system that virus
renames the ToolsRepaginat macros to FileSave, and then infects the
existing documents that are saved on disk (FileSave). While infecting the
documents the virus renames FileSave macro back to ToolsRepaginat name.

While infecting the system the virus inserts the string “QLHot=nnnn” into
the WINWORD6.INI file, where “nnnn” is the “triggering day”, it is the
number of current day of this century plus 14, for example:


The next days the virus selects random value from 1 till 6, and adds to the
“triggering day”. If the result is equal to the current day, the virus
deletes the file before saving it to disk.

14 days after last modifying of the “QLHot” string the virus renews it.

The virus does no action if there is the C:DOSEGA5.CPI file.

The virus does not work under Microsoft Word 7.0. While opening the
infected document the system displays the message:

Unable to load specified library

Find out the statistics of the threats spreading in your region