Virus.MSWord.Tele-Sex

Class Virus
Platform MSWord
Description

Technical Details


It is an encrypted virus. It contains seven macros:


AutoExec – infects the global macros area
AutoOpen – calls AutoExec (infects global)
DateiNeu – infects a document (FileNew)
Telefonica – virus ID macro and trigger routine, is called from AutoExec and Dateioeffnen
Dateioeffnen – infects a document (FileSave)
DateiBeenden – infects a document (FileExit)
DateiDrucken – trigger routine.

When the Telefonica macro is executed, it launches the DOS “Telefonica” virus. To do that, the virus creates the script
file C:\DOS\TELEFONI.SCR containing a hexadecimal dump of the virus. Next it creates
C:\DOS\TELEFONI.BAT, writes the following commands to it, changes the current
directory to C:\DOS and executes the BAT file:

@echo off
debug < telefoni.scr > nul
@echo off
telefoni.com

These commands convert the hex dump to a DOS executable file and run it.
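
A defender-side check for the two artefacts described above, as an added example that is not part of the original description: it matches a document's macro names against the seven listed names and flags a batch file that feeds a script to DEBUG and then runs a program. The function names, the regular expressions and the sample inputs are assumptions constructed for illustration.

```python
import re

# Macro names listed in the description above.
TELE_SEX_MACROS = {"AutoExec", "AutoOpen", "DateiNeu", "Telefonica",
                   "Dateioeffnen", "DateiBeenden", "DateiDrucken"}

# "debug < script": DEBUG reading its commands from a redirected file.
DEBUG_STDIN = re.compile(r"^\s*@?\s*debug(?:\.exe)?\s*<\s*(\S+)", re.IGNORECASE)
# A line that is nothing but a program name ending in .com or .exe.
RUN_BINARY = re.compile(r"^\s*@?\s*(\S+\.(?:com|exe))\s*$", re.IGNORECASE)


def macro_overlap(macro_names):
    """Return the listed macro names present in a document (case-insensitive)."""
    seen = {m.lower() for m in macro_names}
    return sorted(m for m in TELE_SEX_MACROS if m.lower() in seen)


def debug_dropper_hits(bat_text):
    """Return (script, binary) pairs where a batch file feeds a script into
    DEBUG and a later line runs a .com/.exe file."""
    hits, pending = [], None
    for line in bat_text.splitlines():
        m = DEBUG_STDIN.match(line)
        if m:
            pending = m.group(1)      # remember the script until a binary runs
            continue
        r = RUN_BINARY.match(line)
        if r and pending:
            hits.append((pending, r.group(1)))
            pending = None
    return hits


# Constructed samples: the batch text quoted above and a harmless batch file.
SAMPLE_BAT = "@echo off\ndebug < telefoni.scr > nul\n@echo off\ntelefoni.com\n"
BENIGN_BAT = "@echo off\ncd \\tools\nmem.exe\n"

if __name__ == "__main__":
    print(debug_dropper_hits(SAMPLE_BAT))
    print(debug_dropper_hits(BENIGN_BAT))
    print(macro_overlap(["autoopen", "Telefonica", "MyMacro"]))
```

A document carrying all seven names, or a batch file producing a hit, is a lead for further analysis rather than a confirmed identification, since AutoExec and AutoOpen are common macro names.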


On DateiDrucken (FilePrint), if the current seconds value is < 10, the virus appends the following string to the end of the document:


Lucifer by Nightmare Joker (1996)