Kaspersky Threats

Class

Platform

Description

Technical Details

This encrypted macro virus contains three macros: Magnum, ToolsMacro,
ExtrasMakro. The virus does not have any auto-macro, but gets control in
another way. While infecting a document or global macros area the virus
copies its macros to there and assigns the SPACE key with “Magnum” macro.
MS Word saves such information and restores it on loading global macros or
opening an infected document.

As a result, when MS Word is opening an infected document or loading global
macros, it sets “Magnum” macro as routine that will be executed on SPACE
keystroke.

After infecting global macros the virus displays a message box with the text:



MaGnUm

The ToolsMacro and ExtrasMakro macros are there to hide the virus in system
– on selecting Tool/Macro the virus displays dummy menu that on any item
(except CANCEL) displays the error messages:



WordBasic Err = 7

Not enough memory!

WordBasic Err = 7

Nicht genügend Arbeitsspeicher!

The virus drops the DOS virus “HLLO.Havoc” by using the trick with
DEBUG utility – writes hexadecimal virus dump to disk and runs DEBUG to
convert it to DOS executable file HTC.COM. Then the virus appends to the
end of the C:AUTOEXEC.BAT file the commands:



@echo off

htc.com

cls

and then creates and writes to system profile (WIN.INI) the text:



[DosVirus]

Installed=Yes

On April 13 it creates the NORMAL.DOT file and writes the strings to there:



Schon mal im blasen Mondlicht mit dem Teufel getanzt?

;-))

The Magnum Virus!  NJ 1996

Class	Virus
Platform	MSWord
Description	Technical Details This encrypted macro virus contains three macros: Magnum, ToolsMacro, ExtrasMakro. The virus does not have any auto-macro, but gets control in another way. While infecting a document or global macros area the virus copies its macros to there and assigns the SPACE key with “Magnum” macro. MS Word saves such information and restores it on loading global macros or opening an infected document. As a result, when MS Word is opening an infected document or loading global macros, it sets “Magnum” macro as routine that will be executed on SPACE keystroke. After infecting global macros the virus displays a message box with the text: MaGnUm The ToolsMacro and ExtrasMakro macros are there to hide the virus in system – on selecting Tool/Macro the virus displays dummy menu that on any item (except CANCEL) displays the error messages: WordBasic Err = 7 Not enough memory! WordBasic Err = 7 Nicht genügend Arbeitsspeicher! The virus drops the DOS virus “HLLO.Havoc” by using the trick with DEBUG utility – writes hexadecimal virus dump to disk and runs DEBUG to convert it to DOS executable file HTC.COM. Then the virus appends to the end of the C:AUTOEXEC.BAT file the commands: @echo off htc.com cls and then creates and writes to system profile (WIN.INI) the text: [DosVirus] Installed=Yes On April 13 it creates the NORMAL.DOT file and writes the strings to there: Schon mal im blasen Mondlicht mit dem Teufel getanzt? ;-)) The Magnum Virus! NJ 1996

Virus.MSWord.Magnum

Technical Details