Kaspersky Threats

Class

Platform

Description

Technical Details

It is a stealth macro-virus. It contains twenty procedures in one module
“VrTechnoCode”: VrInstall, AutoOpen, AutoExec, FileOpen, FileNew,
FileNewDefault, FileSaveAs, FileSave, FileClose, DocClose, ViewVBCode,
ToolsMacro, FileTemplates, ToolsOptions, VrStealth, IsChance, FilePrint,
FilePrintDefault, AddOemInfo, CreateImageScreen.

The virus infects the global macros area on opening an infected document
and infects other documents on opening, creating and saving. On closing
a document, the virus sets the document protection type to
wdAllowOnlyFormFields that denies any changes in the document text except form
fields. On opening infected documents, the virus unprotects them, and on
closing, protects them again. As a result, after disinfection, documents will
stay protected. This protection may be removed manually by choosing the
menu Tools/Unprotect, password is “Elite”.

The virus turns off the Word virus protection (the VirusProtection option).
The virus’ stealth routine intercepts and prevents the opening of Visual Basic
Editor, Tools/Macro and File/Templates dialogue boxes. With a probability of one
in five, this routine displays MS Office Assistent with the message:



VR ���������� v1.0

Word Macro �����!!!

���� ��� ��  c 1999

The virus infecting routine, with probability of one in nine, creates, in the
“C:WindowsSystem” directory, the “oeminfo.ini” file with the text:



[General]

Manufacturer=���� ��� ��

Model=MS Word �����

[Support Information]

Line1=��������� ������� �������: VrTechno V1.1

Line2=

Line3=Word Macro Virus

Line4=John Great, ���� ��� �� – (C) ‘1999

With probability five percents the infection procedure inserts into
documents a graphic shapes with text:



Microsoft Word Macro Virus

VrTechnoCode

– Word 7.0                                        Version 1.1

– Stealth Technology

– Infect Documents and Templates

Copyright by John Great from Russia Far East, Khabarovsk’1999

The virus contains another payload routine – on printing the virus with
probability 20 percents sends to printer the content of the “Autoexec.bat”
file instead of active document.

The virus code contains comment:



‘——————————————————-‘

‘  VR ���������� v1.1 by John Great from Russia (C)’99  ‘

‘——————————————————-‘

Techno.c

This is the next generation of the virus. There are several minor changes in
the code. The password for infected documents in this virus version has been
changed to “Mirochka”.

Find out the statistics of the threats spreading in your region

Class	Virus
Platform	MSWord
Description	Technical Details It is a stealth macro-virus. It contains twenty procedures in one module “VrTechnoCode”: VrInstall, AutoOpen, AutoExec, FileOpen, FileNew, FileNewDefault, FileSaveAs, FileSave, FileClose, DocClose, ViewVBCode, ToolsMacro, FileTemplates, ToolsOptions, VrStealth, IsChance, FilePrint, FilePrintDefault, AddOemInfo, CreateImageScreen. The virus infects the global macros area on opening an infected document and infects other documents on opening, creating and saving. On closing a document, the virus sets the document protection type to wdAllowOnlyFormFields that denies any changes in the document text except form fields. On opening infected documents, the virus unprotects them, and on closing, protects them again. As a result, after disinfection, documents will stay protected. This protection may be removed manually by choosing the menu Tools/Unprotect, password is “Elite”. The virus turns off the Word virus protection (the VirusProtection option). The virus’ stealth routine intercepts and prevents the opening of Visual Basic Editor, Tools/Macro and File/Templates dialogue boxes. With a probability of one in five, this routine displays MS Office Assistent with the message: VR �� v1.0 Word Macro ��!!! �� c 1999 The virus infecting routine, with probability of one in nine, creates, in the “C:WindowsSystem” directory, the “oeminfo.ini” file with the text: [General] Manufacturer=�� Model=MS Word �� [Support Information] Line1=�� : VrTechno V1.1 Line2= Line3=Word Macro Virus Line4=John Great, �� – (C) ‘1999 With probability five percents the infection procedure inserts into documents a graphic shapes with text: Microsoft Word Macro Virus VrTechnoCode – Word 7.0 Version 1.1 – Stealth Technology – Infect Documents and Templates Copyright by John Great from Russia Far East, Khabarovsk’1999 The virus contains another payload routine – on printing the virus with probability 20 percents sends to printer the content of the “Autoexec.bat” file instead of active document. The virus code contains comment: ‘——————————————————-‘ ‘ VR �� v1.1 by John Great from Russia (C)’99 ‘ ‘——————————————————-‘ Techno.c This is the next generation of the virus. There are several minor changes in the code. The password for infected documents in this virus version has been changed to “Mirochka”.
	Find out the statistics of the threats spreading in your region

Virus.MSWord.Techno

Technical Details

Techno.c