Class Virus
Platform MSWord

Technical Details

It is an encrypted virus. It contains seven macros:

AutoExec – infects the global macros area
AutoOpen – calls AutoExec (infects global)
DateiNeu – infects a document (FileNew)
Telefonica – virus ID macro and trigger routine,
is called from AutoExec and Dateioeffnen
Dateioeffnen – infects a document (FileSave)
DateiBeenden – infects a document (FileExit)
DateiDrucken – trigger routine.

When Telefonica macro is executed, it launches DOS
Telefonica” virus. To do that the virus creates the script
file C:DOSTELEFONI.SCR with hexadecimal dump of virus. Next it creates
C:DOSTELEFONI.BAT, writes following commands to there, changes current
directory to C:DOS and executes BAT file:

@echo off
debug < telefoni.scr > nul
@echo off

These commands convert hex dump to DOS executable file and run it.

On DateiDrucken (FilePrint), if current seconds < 10, the virus adds to the end of document the string:

Lucifer by Nightmare Joker (1996)

Find out the statistics of the threats spreading in your region