Kaspersky Threats

Class

Platform

Description

Technical Details

This is an encrypted Word macro virus. It contains ten macros: Killer,
AutoExec, AutoOpen, DocClose, FileOpen, FileSave, AutoClose, FileSaveAs,
ListMacros, ToolsMacro.

The virus replicated on opening an infected document, saving and saves with
new name. The replication routine presents only in one macro Killer, other
macros call it to spread the virus. The infection subroutine in the virus
is named “MENTES”.

The virus author leaves a possibility of self-destruction: if the MY.INI
file exists in Windows directory, and it contains the section [Word Info]
with the “Kod=aaa” string inside, the virus disables its infection routine
and removes all its macros.

The virus is able to “steal” documents when they are saved. To do that the
virus writes the C:LOGIN.SYS file name of closed document, current date,
time and contents of the document. It then connects the
\HS_WORKHCOMMONSTUDENTTEMP disk and moves to it the C:LOGIN.SYS file
to the first logical drive that is write-enabled. The name of new file is
ARCHIVE.A??, where ‘??’ is number from “10” till “50”. This file name is
also saved to the PROG.INI file on the same disk.

On entering the List/Macros and Tools/Macro Word menus the virus displays
the MessageBox and cancels execution of original macros viewing routines
(stealth):



Macro function is not installed.

Find out the statistics of the threats spreading in your region

Class	Virus
Platform	MSWord
Description	Technical Details This is an encrypted Word macro virus. It contains ten macros: Killer, AutoExec, AutoOpen, DocClose, FileOpen, FileSave, AutoClose, FileSaveAs, ListMacros, ToolsMacro. The virus replicated on opening an infected document, saving and saves with new name. The replication routine presents only in one macro Killer, other macros call it to spread the virus. The infection subroutine in the virus is named “MENTES”. The virus author leaves a possibility of self-destruction: if the MY.INI file exists in Windows directory, and it contains the section [Word Info] with the “Kod=aaa” string inside, the virus disables its infection routine and removes all its macros. The virus is able to “steal” documents when they are saved. To do that the virus writes the C:LOGIN.SYS file name of closed document, current date, time and contents of the document. It then connects the \HS_WORKHCOMMONSTUDENTTEMP disk and moves to it the C:LOGIN.SYS file to the first logical drive that is write-enabled. The name of new file is ARCHIVE.A??, where ‘??’ is number from “10” till “50”. This file name is also saved to the PROG.INI file on the same disk. On entering the List/Macros and Tools/Macro Word menus the virus displays the MessageBox and cancels execution of original macros viewing routines (stealth): Macro function is not installed.
	Find out the statistics of the threats spreading in your region

Virus.MSWord.Mentes

Technical Details