Virus.MSWord.Techno

Class Virus
Platform MSWord
Description

Technical Details

It is a stealth macro-virus. It contains twenty procedures in one module
“VrTechnoCode”: VrInstall, AutoOpen, AutoExec, FileOpen, FileNew,
FileNewDefault, FileSaveAs, FileSave, FileClose, DocClose, ViewVBCode,
ToolsMacro, FileTemplates, ToolsOptions, VrStealth, IsChance, FilePrint,
FilePrintDefault, AddOemInfo, CreateImageScreen.

The virus infects the global macros area on opening an infected document
and infects other documents on opening, creating and saving. On closing
a document, the virus sets the document protection type to
wdAllowOnlyFormFields that denies any changes in the document text except form
fields. On opening infected documents, the virus unprotects them, and on
closing, protects them again. As a result, after disinfection, documents will
stay protected. This protection may be removed manually by choosing the
menu Tools/Unprotect, password is “Elite”.

The virus turns off the Word virus protection (the VirusProtection option).
The virus’ stealth routine intercepts and prevents the opening of Visual Basic
Editor, Tools/Macro and File/Templates dialogue boxes. With a probability of one
in five, this routine displays MS Office Assistent with the message:


VR ���������� v1.0
Word Macro �����!!!
���� ��� �� c 1999

The virus infecting routine, with probability of one in nine, creates, in the
“C:WindowsSystem” directory, the “oeminfo.ini” file with the text:


[General]
Manufacturer=���� ��� ��
Model=MS Word �����
[Support Information]
Line1=��������� ������� �������: VrTechno V1.1
Line2=
Line3=Word Macro Virus
Line4=John Great, ���� ��� �� – (C) ‘1999

With probability five percents the infection procedure inserts into
documents a graphic shapes with text:


Microsoft Word Macro Virus
VrTechnoCode
– Word 7.0 Version 1.1
– Stealth Technology
– Infect Documents and Templates
Copyright by John Great from Russia Far East, Khabarovsk’1999

The virus contains another payload routine – on printing the virus with
probability 20 percents sends to printer the content of the “Autoexec.bat”
file instead of active document.

The virus code contains comment:


‘——————————————————-‘
‘ VR ���������� v1.1 by John Great from Russia (C)’99 ‘
‘——————————————————-‘

Techno.c

This is the next generation of the virus. There are several minor changes in
the code. The password for infected documents in this virus version has been
changed to “Mirochka”.