Virus.MSWord.Mercy

Class Virus
Platform MSWord
Description

Technical Details


This is the encrypted Word macro virus. It contains six macros in
documents: Autoexec, AutoOpen and four macros with random names. The
infected NORMAL.DOT contains eight macros: AutoClose, ToolsMacro,
FileTemplates, Organizer and four macros with random selected names.


The virus infects the global macros area (NORMAL.DOT) on opening an
infected document (AutoOpen) and writes itself to documents that are closed
(AutoClose). The names of random named macros the virus saves in document’s
variables (in case of infected document) or in the WIN.INI file in the
[Intl] section in strings Here_1, Here_2, e.t.c (in case of NORMAL.DOT).
The virus detects itself in the system by the string “I_am_Here” in the
[Intl] section.


On 11th of any month the virus displays the MessageBox:


Episode 2: TenFaces [the series continue…]
The 10Faces is back! hey AVers the name is 10Faces!!
not Mercy.A -(c)reator of NoMercy-

The virus contains the commented text:

Hiya Pyro are you decrypt again !
I don’t borrow the code from “Outlaw” anymore
(it’s now original)
this random code is smaller than before and better randomize result
Using Simple-Little-Fast -random generator
Thankz to ya Pyro without your critics this never happen