Kaspersky Threats

Class

Platform

Description

Technical Details

These are semi-polymorphic macro viruses – while infecting a file they copy
their three macros with random selected names, so there are no fixed set
for macros’ names in infected files and NORMAL.DOT.

To realize this semi-polymorphism the virus uses system random counter and
timer – while selecting new name for macro the virus sets the first letter
in name depending on current hour: 1 – ‘A’, 2 – ‘B’, 3 – ‘C’ and so on,
and then appends four random selected digits. As a result random selected
names look like: O8493, O7920, O9259, or M8064, M8908, M8151.

Other version of this virus may use other schemes to build the names,
“Outlaw.Goodbye” also starts the macro names according to current hour, but
uses other set of letters: 1 – ‘AZ’, 2 – ‘BY’, 3 – ‘CX’, and so on.

There are no auto-macros in virus, and to get control the virus assigns its
macros with keystrokes: SPACE key – macros that infects global macros area,
‘E’ key – macros that infects current document.

To get the name of current macro while copying it and to run its payload
macro the virus uses two ways. To get its names from a document the virus
creates three variables in document: VirNameDoc, VirName, VirNamePayload,
and saves there current names while infecting. In case of need the virus
gets these names from there.

To get the names in case of NORMAL.DOT (global macros area) the virus
creates three records containing current names in System Profile (WIN.INI
file) in [Intl] section, these strings are:



[Intl]

Name=

Name2=

Name3=

On January 20 original “Outlaw” virus runs its trigger routine. Under
Windows95 and depending on several other conditions the virus plays a sound
– it drops LAUGH.WAV file and plays it (this file contains recorded laugh).
The virus also inserts in current document the strings:



You are infected with

Outlaw

A virus from Nightmare Joker

There is an encrypted variant of original “Outlaw” – the “Outlaw.b” virus.

“Outlaw.Black” contains two macros with 8-letters random names (for example
– DIJRCJCY, DOFYBPIT). This virus displays the message box:



BlackKnight

“Outlaw.Goodbye” is encrypted, plus to three random-named macros it
contains two “stealth” macros – ToolsMacro and ExtrasMakro. While selecting
Tools/Macro menu the virus shows “dummy” menus and displays error messages
in the same way the Magnum virus does.

On October 10 this virus drops and runs “VLAD.Goodbye” DOS virus, creates
new template and writes the text to there:



You are infected with the MooNRaiDer Virus!

Greetings to all members of Vlad!

I hope that’s not the end!

The scene would be to boring without this very good group!

Nightmare Joker

This virus then creates SystemProfile section (WIN.INI file):



[Vlad]

Goodbye=Yes

Find out the statistics of the threats spreading in your region

Class	Virus
Platform	MSWord
Description	Technical Details These are semi-polymorphic macro viruses – while infecting a file they copy their three macros with random selected names, so there are no fixed set for macros’ names in infected files and NORMAL.DOT. To realize this semi-polymorphism the virus uses system random counter and timer – while selecting new name for macro the virus sets the first letter in name depending on current hour: 1 – ‘A’, 2 – ‘B’, 3 – ‘C’ and so on, and then appends four random selected digits. As a result random selected names look like: O8493, O7920, O9259, or M8064, M8908, M8151. Other version of this virus may use other schemes to build the names, “Outlaw.Goodbye” also starts the macro names according to current hour, but uses other set of letters: 1 – ‘AZ’, 2 – ‘BY’, 3 – ‘CX’, and so on. There are no auto-macros in virus, and to get control the virus assigns its macros with keystrokes: SPACE key – macros that infects global macros area, ‘E’ key – macros that infects current document. To get the name of current macro while copying it and to run its payload macro the virus uses two ways. To get its names from a document the virus creates three variables in document: VirNameDoc, VirName, VirNamePayload, and saves there current names while infecting. In case of need the virus gets these names from there. To get the names in case of NORMAL.DOT (global macros area) the virus creates three records containing current names in System Profile (WIN.INI file) in [Intl] section, these strings are: [Intl] Name= Name2= Name3= On January 20 original “Outlaw” virus runs its trigger routine. Under Windows95 and depending on several other conditions the virus plays a sound – it drops LAUGH.WAV file and plays it (this file contains recorded laugh). The virus also inserts in current document the strings: You are infected with Outlaw A virus from Nightmare Joker There is an encrypted variant of original “Outlaw” – the “Outlaw.b” virus. “Outlaw.Black” contains two macros with 8-letters random names (for example – DIJRCJCY, DOFYBPIT). This virus displays the message box: BlackKnight “Outlaw.Goodbye” is encrypted, plus to three random-named macros it contains two “stealth” macros – ToolsMacro and ExtrasMakro. While selecting Tools/Macro menu the virus shows “dummy” menus and displays error messages in the same way the Magnum virus does. On October 10 this virus drops and runs “VLAD.Goodbye” DOS virus, creates new template and writes the text to there: You are infected with the MooNRaiDer Virus! Greetings to all members of Vlad! I hope that’s not the end! The scene would be to boring without this very good group! Nightmare Joker This virus then creates SystemProfile section (WIN.INI file): [Vlad] Goodbye=Yes
	Find out the statistics of the threats spreading in your region

Virus.MSWord.Outlaw

Technical Details