Virus.MSWord.Redter

Class Virus
Platform MSWord
Description

Technical Details

This is a non-polymorphic Word virus. The virus resides in the RedTerrorist module.

It has seven subroutines:

AutoOpen
AutoClose
FuckThemAll
ToolsMacro
ToolsCustomize
ViewVBCode
Delay

The virus replicates when a document is opened or closed.

AutoOpen, AutoClose:

These procedures only call the main infection routine of the virus, which is in the FuckThemAll routine.

Delay:

This macro causes the system to pause before a message window is shown.

For i = 0 To 19170000
Next

FuckThemAll:

Main virus routine. It checks the system parameter ‘Country’ and, if this is ‘US’, runs the command shell:

"c:command.com C echo y | del " + Environ("windir") + "system*.* > nul"

After that the virus sets the following parameters:

.SaveNormalPrompt = False
.VirusProtection = False
.AllowFastSave = True
.BackgroundSave = True

The virus checks for the presence of the ‘RedTerrorist’ module in the active document (or normal.dot); if it is already there, no repeated infection occurs. If the module is not found, the virus creates an export file ‘user.vxd’ in the %windir%%temp% directory and infects the document. After that the virus removes the export file ‘user.vxd’.

ToolsCustomize, ToolsMacro, ViewVBCode:

These three routines are used for stealth; when executed they call the Delay routine and display the following message boxes:

ToolsMacro:

Top level process aborted, cannot continue

ToolsCustomize:

Configuration too large for memory

ViewVBCode:

Error in EXE file, program too big to fit in memory
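The traits listed in this description (a RedTerrorist module, Word's security options being switched off, a module export to a temporary file, auto macros, and the ToolsMacro/ToolsCustomize/ViewVBCode hooks that hide the code behind fake error messages) can be turned into a simple indicator scan over extracted VBA source. The following is an added example written for this entry, not code from the description or from the virus; the indicator names, weights and the sample macro text are constructed for illustration, and the macro text would normally come from a VBA extraction tool run on the suspect document.

```python
"""
Added example (not part of the original description): a small indicator scanner
for VBA macro source text, based on the behaviours the Redter entry lists.
The sample macro text below is constructed for this example only.
"""
import re

# Indicator table: name -> (compiled regex, weight). Weights are an assumption
# chosen for this example; stronger traits get higher weights.
INDICATORS = {
    "redterrorist_marker":   (re.compile(r"\bRedTerrorist\b", re.IGNORECASE), 3),
    "virus_protection_off":  (re.compile(r"\.VirusProtection\s*=\s*False", re.IGNORECASE), 2),
    "save_normal_prompt_off": (re.compile(r"\.SaveNormalPrompt\s*=\s*False", re.IGNORECASE), 1),
    "shell_delete":          (re.compile(r"\bShell\b.*\bdel\b", re.IGNORECASE), 3),
    # Word runs a macro named after a built-in command instead of the command
    # itself, so these hooks hide the Tools > Macro / VB editor entry points.
    "stealth_hook":          (re.compile(r"\bSub\s+(ToolsMacro|ToolsCustomize|ViewVBCode)\b", re.IGNORECASE), 2),
    "auto_macro":            (re.compile(r"\bSub\s+(AutoOpen|AutoClose|AutoExec|AutoNew)\b", re.IGNORECASE), 1),
    "module_export":         (re.compile(r"\.Export\s+", re.IGNORECASE), 1),
}

SUSPICIOUS_THRESHOLD = 3  # assumption for this example


def scan_vba(source: str) -> dict:
    """Return {indicator_name: [(line_no, line_text), ...]} for every hit."""
    hits = {}
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, (rx, _weight) in INDICATORS.items():
            if rx.search(line):
                hits.setdefault(name, []).append((lineno, line.strip()))
    return hits


def verdict(hits: dict) -> tuple:
    """Sum the weight of each distinct indicator once and classify."""
    score = sum(INDICATORS[name][1] for name in hits)
    label = "suspicious" if score >= SUSPICIOUS_THRESHOLD else "clean"
    return label, score


# Constructed sample mimicking the structure described in the entry; it is not
# the virus's code and contains no destructive command.
SAMPLE_MACRO = '''Attribute VB_Name = "RedTerrorist"
Sub AutoOpen()
    MainRoutine
End Sub
Sub ToolsMacro()
    Delay
    MsgBox "Top level process aborted, cannot continue"
End Sub
Sub ViewVBCode()
    Delay
    MsgBox "Error in EXE file, program too big to fit in memory"
End Sub
Sub MainRoutine()
    With Options
        .VirusProtection = False
        .SaveNormalPrompt = False
    End With
    ActiveDocument.VBProject.VBComponents("RedTerrorist").Export fname
End Sub
'''

# Constructed benign macro: an auto macro alone should not trip the verdict.
BENIGN_MACRO = '''Sub AutoOpen()
    MsgBox "Welcome"
End Sub
'''

if __name__ == "__main__":
    for title, text in (("sample", SAMPLE_MACRO), ("benign", BENIGN_MACRO)):
        h = scan_vba(text)
        print(title, verdict(h))
        for name, lines in h.items():
            for lineno, line in lines:
                print(f"  {name:24s} line {lineno}: {line}")
```

The scan works on macro source text, so it runs after the VBA streams have been pulled out of the document; a module that merely hooks one built-in command is not by itself malicious, which is why the verdict weighs several traits together rather than alerting on any single one.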