Virus.MSWord.Milicrypt

Class Virus
Platform MSWord
Description

Technical Details


This virus contains 7 macros: ToolsMacro, Sel, FileSave, FileSaveAs, Mili,
Crypt, AutoOpen. The virus contains the “copyright” string:


MiliCrypt (C) 1998 by CyberYoda [SLAM]

Infection routines are placed in Mini macro (in documents) or Crypt (in
NORMAL.DOT). The virus infects the global macros area on opening an
infected document. The document are infected on saving or saving with new
name.


On saving documents on disk (FileSave, FileSaveAs) the virus encrypts their
contents, and decrypts it on opening (AutoOpen). The encryption key is
stored in AutoOpen macro description. As a result while editing the
documents are not encrypted, but they have encrypted on disk – the virus
realizes on-the-fly en/decryption for infected documents. After cleaning
virus macros (disinfecting) documents stays encrypted and useless, so
before disinfection that is necessary to save documents contents to some
other non-Word-document format (text or RTF).