Virus.MSWord.Stryx

Class Virus
Platform MSWord
Description

Technical Details


This encrypted virus contains four macros:


NORMAL.DOT Infected files
DokumentSchlie�en DokumentSchlie�en
DateiSchlie�en DateiSchlie�en
Stryx1 StryxOne
Stryx2 StryxTwo

It infects the system on DokumentSchlie�en and DateiSchlie�en (FileClose
and DocClose).


On December 1st the virus creates the FUNNY.COM DOS trojan and runs it.
This trojan creates random named subdirectories on current disk. To drop
that trojan the virus saves to FUNNY.SCR file hexadecimal dump and converts
it to DOS executable by using DEBUG utility. To do that the virus creates
and executes FUNNY.BAT file:


@echo off
debug < funny.scr > nul
@echo off
Funny.com

By using similar way the virus drops the DRACHE.GIF file with an image of a
dragon. Then the virus creates new template, inserts this GIF into there
and adds the strings:

STRYX!!!!
Look at your HD! 🙂
Sorry, but it’s so funny!
NJ 1996