Kaspersky Threats

Class

Platform

Description

Technical Details

This is German-specific Word macro virus. It contains six macros, some
macros have random selected names:



Documents         MICROSOFT.DOT (infected Word)

          dateispeichernunter

extrasmakro       extrasmakro

dateischliexen    

dateidokvorlagen  dateidokvorlagen

          

autoopen

It infects the system on opening and on closing an infected document. To
affect Word the virus creates the infected MICROSOFT.DOT template in
the Word startup path. Documents get infected when saved with a new name.

The infection-routine is placed in a macro with a random name. This macro is
encrypted in documents and is decrypted in case of need. The names of
macros (random names) are stored in documents’ variables (in case of
documents), in case of MICROSOFT.DOT file (infected system) they are stored
in the WIN.INI file in the section [embedding] in the items vxdRNDM,
TaskRNDM, SystemRNDM.

On the 30th of any month the virus displays the message:



Leeglize Cannabis !! R.M.M  (C) by MaD KiFFeR 05.09.98

On the 15th the virus appends to the AUTOEXEC.BAT file the commands that
cyclically display the text:



Infected with RnDm MuTanT MuTaGeN (c) MaD KiFFeR 05.09.98

The virus contains the comments:



***********************************

*     WM RnDm MuTaNt MuTaGeN      *

*         vers Beta               *

*      Polymorphism/Stealth       *

*       encrypted by RMEG         *

*Random Macro Encryption Generator*

*  fools F/WIN32 1.13, F/WIN 4.38 *

*  Winguard, F-PROT3/F-MacroW1.1  *

*            etc.!!               *

*    only works with WORD95ger    *

*      F**k slow WordBasic        *

*   special Thanx to [SLAM] Mag   *

*       05.09.98 /Germany         *

*        (c)by MaD KiFFer         *

***********************************

Find out the statistics of the threats spreading in your region

Class	Virus
Platform	MSWord
Description	Technical Details This is German-specific Word macro virus. It contains six macros, some macros have random selected names: Documents MICROSOFT.DOT (infected Word) dateispeichernunter extrasmakro extrasmakro dateischliexen dateidokvorlagen dateidokvorlagen autoopen It infects the system on opening and on closing an infected document. To affect Word the virus creates the infected MICROSOFT.DOT template in the Word startup path. Documents get infected when saved with a new name. The infection-routine is placed in a macro with a random name. This macro is encrypted in documents and is decrypted in case of need. The names of macros (random names) are stored in documents’ variables (in case of documents), in case of MICROSOFT.DOT file (infected system) they are stored in the WIN.INI file in the section [embedding] in the items vxdRNDM, TaskRNDM, SystemRNDM. On the 30th of any month the virus displays the message: Leeglize Cannabis !! R.M.M (C) by MaD KiFFeR 05.09.98 On the 15th the virus appends to the AUTOEXEC.BAT file the commands that cyclically display the text: Infected with RnDm MuTanT MuTaGeN (c) MaD KiFFeR 05.09.98 The virus contains the comments: *********************************** * WM RnDm MuTaNt MuTaGeN * * vers Beta * * Polymorphism/Stealth * * encrypted by RMEG * Random Macro Encryption Generator * fools F/WIN32 1.13, F/WIN 4.38 * * Winguard, F-PROT3/F-MacroW1.1 * * etc.!! * * only works with WORD95ger * * F*k slow WordBasic * special Thanx to [SLAM] Mag * * 05.09.98 /Germany * * (c)by MaD KiFFer * ***********************************
	Find out the statistics of the threats spreading in your region

Virus.MSWord.Kiffer

Technical Details