Technical Details
This is an encrypted Word macro virus. In infected documents it contains
six macros: Autoexec, AutoOpen and four macros with random names. The
infected NORMAL.DOT contains eight macros: AutoClose, ToolsMacro,
FileTemplates, Organizer and four macros with randomly selected names.
The virus infects the global macros area (NORMAL.DOT) when an infected
document is opened (AutoOpen) and writes itself to documents when they are
closed (AutoClose). The virus saves the names of the randomly named macros in
the document’s variables (in the case of an infected document) or in the
WIN.INI file, in the [Intl] section, in the strings Here_1, Here_2, etc. (in
the case of NORMAL.DOT). The virus detects itself in the system by the string
“I_am_Here” in the [Intl] section.
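A defender-side check for the WIN.INI markers described above, as an added example that is not part of the original description. It assumes the Here_N entries are `key=value` lines whose values are the stored macro names, and it matches “I_am_Here” as either a key or a value because the description does not say which; the sample file contents and macro names are constructed.

```python
import re

# Constructed sample of a WIN.INI from an infected machine; the macro names
# are invented placeholders, not values taken from a real sample.
SAMPLE_WIN_INI = """\
[windows]
load=
[Intl]
sCountry=United States
I_am_Here=1
Here_1=QXZKT
Here_2=BMWPL
[fonts]
"""

MARKER = "i_am_here"                               # self-recognition string
SLOT = re.compile(r"^here_(\d+)$", re.IGNORECASE)  # Here_1, Here_2, ...

def scan_win_ini(text):
    """Return (marker_found, {slot_number: stored_name}) for the [Intl] section."""
    in_intl = False
    marker = False
    slots = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            # Section names in INI files are case-insensitive.
            in_intl = line[1:-1].strip().lower() == "intl"
            continue
        if not in_intl:
            continue  # the same strings in other sections are not this marker
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        # Assumption: the marker may be stored as a key or as a value.
        if MARKER in key.lower() or MARKER in value.lower():
            marker = True
        m = SLOT.match(key)
        if m:
            slots[int(m.group(1))] = value
    return marker, slots

if __name__ == "__main__":
    found, names = scan_win_ini(SAMPLE_WIN_INI)
    print("I_am_Here marker present:", found)
    for n in sorted(names):
        print(f"Here_{n} -> macro name {names[n]!r}")
```

The names recovered from the Here_N entries are the ones to look for among the macros in NORMAL.DOT, next to the four fixed names listed above.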
On the 11th of any month the virus displays the following MessageBox:
Episode 2: TenFaces [the series continue…]
The 10Faces is back! hey AVers the name is 10Faces!!
not Mercy.A -(c)reator of NoMercy-
The virus contains the following commented text:
Hiya Pyro are you decrypt again !
I don’t borrow the code from “Outlaw” anymore
(it’s now original)
this random code is smaller than before and better randomize result
Using Simple-Little-Fast -random generator
Thankz to ya Pyro without your critics this never happen