Virus.MSWord.Kiffer

Class Virus
Platform MSWord
Description

Technical Details


This is German-specific Word macro virus. It contains six macros, some
macros have random selected names:


Documents MICROSOFT.DOT (infected Word)
dateispeichernunter
extrasmakro extrasmakro
dateischliexen
dateidokvorlagen dateidokvorlagen

autoopen

It infects the system on opening and on closing an infected document. To
affect Word the virus creates the infected MICROSOFT.DOT template in
the Word startup path. Documents get infected when saved with a new name.


The infection-routine is placed in a macro with a random name. This macro is
encrypted in documents and is decrypted in case of need. The names of
macros (random names) are stored in documents’ variables (in case of
documents), in case of MICROSOFT.DOT file (infected system) they are stored
in the WIN.INI file in the section [embedding] in the items vxdRNDM,
TaskRNDM, SystemRNDM.


On the 30th of any month the virus displays the message:


Leeglize Cannabis !! R.M.M (C) by MaD KiFFeR 05.09.98

On the 15th the virus appends to the AUTOEXEC.BAT file the commands that
cyclically display the text:

Infected with RnDm MuTanT MuTaGeN (c) MaD KiFFeR 05.09.98

The virus contains the comments:

***********************************
* WM RnDm MuTaNt MuTaGeN *
* vers Beta *
* Polymorphism/Stealth *
* encrypted by RMEG *
*Random Macro Encryption Generator*
* fools F/WIN32 1.13, F/WIN 4.38 *
* Winguard, F-PROT3/F-MacroW1.1 *
* etc.!! *
* only works with WORD95ger *
* F**k slow WordBasic *
* special Thanx to [SLAM] Mag *
* 05.09.98 /Germany *
* (c)by MaD KiFFer *
***********************************