Technical Details
This is an encrypted Word macro virus. It contains ten macros: Killer,
AutoExec, AutoOpen, DocClose, FileOpen, FileSave, AutoClose, FileSaveAs,
ListMacros, ToolsMacro.
The virus replicates when an infected document is opened, saved, or saved
under a new name. The replication routine is present in only one macro,
Killer; the other macros call it to spread the virus. The infection
subroutine in the virus is named “MENTES”.
The virus author left a possibility of self-destruction: if the MY.INI
file exists in the Windows directory and contains the section [Word Info]
with the “Kod=aaa” string inside, the virus disables its infection routine
and removes all its macros.
The virus is able to “steal” documents when they are saved. To do that, the
virus writes to the C:LOGIN.SYS file the name of the closed document, the
current date and time, and the contents of the document. It then connects the
\HS_WORKHCOMMONSTUDENTTEMP disk and moves the C:LOGIN.SYS file to it,
to the first logical drive that is write-enabled. The name of the new file is
ARCHIVE.A??, where ‘??’ is a number from “10” to “50”. This file name is
also saved to the PROG.INI file on the same disk.
On entering the List/Macros and Tools/Macro Word menus, the virus displays
a MessageBox and cancels execution of the original macro-viewing routines
(stealth):
Macro function is not installed.
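A triage sketch for the artifacts described above, added here as an example and not taken from the original description: it checks a drive root for ARCHIVE.A10 to ARCHIVE.A50 and PROG.INI, a Windows directory for the MY.INI self-destruct marker, and a list of macro names against the ten listed. The function names, the substring check on PROG.INI (its format is not given here) and the macro-name input, taken from whatever macro lister is in use, are assumptions.

```python
import configparser
import re
from pathlib import Path

# The ten macro names listed in the description above.
MACROS = {"killer", "autoexec", "autoopen", "docclose", "fileopen", "filesave",
          "autoclose", "filesaveas", "listmacros", "toolsmacro"}
ARCHIVE_RE = re.compile(r"ARCHIVE\.A(\d\d)", re.IGNORECASE)

def find_ci(folder, name):
    """Case-insensitive file lookup (DOS/Windows names ignore case)."""
    for p in Path(folder).iterdir():
        if p.is_file() and p.name.lower() == name.lower():
            return p
    return None

def archive_hits(drive_root):
    """Names in drive_root matching ARCHIVE.A10 .. ARCHIVE.A50."""
    hits = []
    for p in Path(drive_root).iterdir():
        m = ARCHIVE_RE.fullmatch(p.name)
        if m and p.is_file() and 10 <= int(m.group(1)) <= 50:
            hits.append(p.name)
    return sorted(hits)

def kill_switch_present(windows_dir):
    """True if MY.INI holds section [Word Info] with Kod=aaa."""
    ini = find_ci(windows_dir, "MY.INI")
    if ini is None:
        return False
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    try:
        cp.read_string(ini.read_text(errors="replace"))
    except configparser.Error:
        return False
    return any(s.lower() == "word info" and cp[s].get("kod") == "aaa"
               for s in cp.sections())

def triage(drive_root, windows_dir, macro_names):
    """Summarise the artifacts; macro_names come from any macro lister."""
    archives = archive_hits(drive_root)
    prog = find_ci(drive_root, "PROG.INI")
    prog_text = prog.read_text(errors="replace").upper() if prog else ""
    return {
        "macros_matched": sorted(MACROS & {n.lower() for n in macro_names}),
        "stolen_archives": archives,
        "prog_ini_names_archive": any(a.upper() in prog_text for a in archives),
        "kill_switch_present": kill_switch_present(windows_dir),
    }
```

Several of the macro names (AutoOpen, FileSave and similar) also appear in benign templates, so a macro match is a lead to follow up rather than a verdict on its own.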