These are semi-polymorphic macro viruses – while infecting a file they copy
their three macros with random selected names, so there are no fixed set
for macros’ names in infected files and NORMAL.DOT.
To realize this semi-polymorphism the virus uses system random counter and
timer – while selecting new name for macro the virus sets the first letter
in name depending on current hour: 1 – ‘A’, 2 – ‘B’, 3 – ‘C’ and so on,
and then appends four random selected digits. As a result random selected
names look like: O8493, O7920, O9259, or M8064, M8908, M8151.
Other version of this virus may use other schemes to build the names,
“Outlaw.Goodbye” also starts the macro names according to current hour, but
uses other set of letters: 1 – ‘AZ’, 2 – ‘BY’, 3 – ‘CX’, and so on.
There are no auto-macros in virus, and to get control the virus assigns its
macros with keystrokes: SPACE key – macros that infects global macros area,
‘E’ key – macros that infects current document.
To get the name of current macro while copying it and to run its payload
macro the virus uses two ways. To get its names from a document the virus
creates three variables in document: VirNameDoc, VirName, VirNamePayload,
and saves there current names while infecting. In case of need the virus
gets these names from there.
To get the names in case of NORMAL.DOT (global macros area) the virus
creates three records containing current names in System Profile (WIN.INI
file) in [Intl] section, these strings are:
On January 20 original “Outlaw” virus runs its trigger routine. Under
Windows95 and depending on several other conditions the virus plays a sound
– it drops LAUGH.WAV file and plays it (this file contains recorded laugh).
The virus also inserts in current document the strings:
You are infected with
A virus from Nightmare Joker
There is an encrypted variant of original “Outlaw” – the “Outlaw.b” virus.
“Outlaw.Black” contains two macros with 8-letters random names (for example
– DIJRCJCY, DOFYBPIT). This virus displays the message box:
“Outlaw.Goodbye” is encrypted, plus to three random-named macros it
contains two “stealth” macros – ToolsMacro and ExtrasMakro. While selecting
Tools/Macro menu the virus shows “dummy” menus and displays error messages
in the same way the Magnum virus does.
On October 10 this virus drops and runs “VLAD.Goodbye” DOS virus, creates
new template and writes the text to there:
You are infected with the MooNRaiDer Virus!
Greetings to all members of Vlad!
I hope that’s not the end!
The scene would be to boring without this very good group!
This virus then creates SystemProfile section (WIN.INI file):