Virus.MSWord.SuperIIs

Class Virus
Platform MSWord
Description

Technical Details



This virus contains five macros in the module “Modul1”: AutoOpen (in
documents) or AutoClose (in NORMAL.DOT), ViewVbCode, ToolsMacro, Flitnic.
The virus infects the global macros area on opening an infected document
(AutoOpen), and copies itself to other documents on closing (AutoClose).


While infecting, the virus exports/imports its code via the FLITNIC.DRV file
that is created in the Windows system directory. The virus detects already
infected files by the text “‘MYNAME=SUPERIISV1.0” that presents in virus
code.


This is the stealth virus. On viewing macro code by using the ViewVbCode
function, the virus copies the infected NORMAL.DOT to the Windows system
directory with the LO.SYS name, creates and runs the DOS batch file LO.BAT
that in loop monitors presence of temporary Word file, i.e., waits for the
end of editing. This batch file then copies an infected LO.SYS file back to
the NORMAL.DOT. As a result, the virus is able “to survive” foreever if its code
is removed from the global macros area.


The virus contains the comments:



First ever used this kind of Stealth
Written by Flitnic. I haven’t yet included a payload!