Virus.MSWord.Magnum

Class Virus
Platform MSWord
Description

Technical Details


This encrypted macro virus contains three macros: Magnum, ToolsMacro,
ExtrasMakro. The virus does not have any auto-macro, but gets control in
another way. While infecting a document or global macros area the virus
copies its macros to there and assigns the SPACE key with “Magnum” macro.
MS Word saves such information and restores it on loading global macros or
opening an infected document.


As a result, when MS Word is opening an infected document or loading global
macros, it sets “Magnum” macro as routine that will be executed on SPACE
keystroke.


After infecting global macros the virus displays a message box with the text:


MaGnUm

The ToolsMacro and ExtrasMakro macros are there to hide the virus in system
– on selecting Tool/Macro the virus displays dummy menu that on any item
(except CANCEL) displays the error messages:

WordBasic Err = 7
Not enough memory!
WordBasic Err = 7
Nicht genügend Arbeitsspeicher!

The virus drops the DOS virus “HLLO.Havoc” by using the trick with
DEBUG utility – writes hexadecimal virus dump to disk and runs DEBUG to
convert it to DOS executable file HTC.COM. Then the virus appends to the
end of the C:AUTOEXEC.BAT file the commands:

@echo off
htc.com
cls

and then creates and writes to system profile (WIN.INI) the text:

[DosVirus]
Installed=Yes

On April 13 it creates the NORMAL.DOT file and writes the strings to there:

Schon mal im blasen Mondlicht mit dem Teufel getanzt?
;-))
The Magnum Virus! NJ 1996