Kaspersky Threats

Class

Platform

Description

Technical Details

This is an encrypted macro virus. It contains 21 macros: CUS, EOP, ESA,
NIZ, PLT, WEV, CROM, CUST, ESAA, INFO, MESSA, WATCH, BEEPER, README,
AutoExec, AutoOpen, FileOpen, FileSave, FileSaveAs, TheVWarning, POO.

The virus infects the system on opening an infected document – it copies
this document with new name THEVWARN.ING to Word Startup-Path and
User-Dot-Path. As a result the virus will activate each time Word will
start (Word reads and loads templates from Startup-Path and User-Dot-Path).
The virus also infects the global macro area. The documents get infection
on opening and closing.

Depending on the current time the virus hooks timer and sets on timer the
BEEPER macro. It also runs the OOP macro (it is renamed POO) that on
pressing Alt-Ctrl-Shift-K is runs the TheVWarning macro. TheVWarning macro
in one minute runs the WATCH macro. The WATCH macro renames the macros:



OEX  – AutoExec

OOP1 – AutoOpen

EOP  – FileOpen

ESA  – FileSave

ESAA – FileSaveAs

NIZ  – Organizer

CROM – ToolsMacro

PLT  – FileTemplates

CUS  – ToolsCustomize

CUST – ToolsCustomizeToolbar

WEV  – ViewToolbars

The BEEPER macro beeps and displays the MessageBox:



I am so sorry. I do not mine it to disturb You.

But maybe … there is something that You have to do! 

THE ‘V’ WARNING

The MESSA macry displays the message:



THE ‘V’ WARNING MESSAGE

Sorry to interrupt You. I think You are tired,

because You have worked until midnight.

so I suggest You to go to bed now and

tomorrow You could work harder than this day.

Kota Pelajar, Yogyakarta.

Class	Virus
Platform	MSWord
Description	Technical Details This is an encrypted macro virus. It contains 21 macros: CUS, EOP, ESA, NIZ, PLT, WEV, CROM, CUST, ESAA, INFO, MESSA, WATCH, BEEPER, README, AutoExec, AutoOpen, FileOpen, FileSave, FileSaveAs, TheVWarning, POO. The virus infects the system on opening an infected document – it copies this document with new name THEVWARN.ING to Word Startup-Path and User-Dot-Path. As a result the virus will activate each time Word will start (Word reads and loads templates from Startup-Path and User-Dot-Path). The virus also infects the global macro area. The documents get infection on opening and closing. Depending on the current time the virus hooks timer and sets on timer the BEEPER macro. It also runs the OOP macro (it is renamed POO) that on pressing Alt-Ctrl-Shift-K is runs the TheVWarning macro. TheVWarning macro in one minute runs the WATCH macro. The WATCH macro renames the macros: OEX – AutoExec OOP1 – AutoOpen EOP – FileOpen ESA – FileSave ESAA – FileSaveAs NIZ – Organizer CROM – ToolsMacro PLT – FileTemplates CUS – ToolsCustomize CUST – ToolsCustomizeToolbar WEV – ViewToolbars The BEEPER macro beeps and displays the MessageBox: I am so sorry. I do not mine it to disturb You. But maybe … there is something that You have to do! THE ‘V’ WARNING The MESSA macry displays the message: THE ‘V’ WARNING MESSAGE Sorry to interrupt You. I think You are tired, because You have worked until midnight. so I suggest You to go to bed now and tomorrow You could work harder than this day. Kota Pelajar, Yogyakarta.

Virus.MSWord.Messa

Technical Details