These macro viruses contain different numbers of macros:
“Uhrjap.a”: one, DelNew, autoopen, autoclose, normclose
“Uhrjap.b”: Eee, autoclose, ToolsMacro, FileTemplates, ToolsCustomize,
They infect the global macro area when an infected document is opened. Other
documents are infected on closing.
“Uhrjap.b” is a stealth virus: on entering the Tools/Macro,
Tools/Customize or File/Templates menus, the virus removes its macros from the
document, and as a result its code is not visible in the macro viewing menus.
The viruses have destructive payloads. On every 20th opening, “Uhrjap.a”
starts a procedure that counts the characters in the document every 10
minutes. If the count is the same (it has not changed during 10 minutes), the
virus renames all files in the root directory and first-level directories
on the C:, D: and E: drives to the names “~TLPxxx.TMP”, where “xxx” is the
ordinal number of the file in a directory. The virus also runs this renaming
procedure with a probability of 2% on any document opening.
On document opening or closing, the “Uhrjap.b” virus, with probability 1/30,
saves the document with the new password “uhrjap-uhrjap”, or prints the
document, or deletes all space characters from the document and replaces all
digits with the “#” character. With probability 1/50 it also activates a
payload procedure similar to that of the “Uhrjap.a” virus: it renames all
files in the root directory and first-level directories on the C:, D: and E:
drives to the name “~037xxx.TMP”, where “xxx” is the ordinal number of the
file in a
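
A defender-side check for the rename traces described above, added here as an example and not part of the original description: it looks in a drive's root and first-level directories for the “~TLPxxx.TMP” and “~037xxx.TMP” names. The function names are hypothetical, and “xxx” is assumed to be a run of decimal digits.

```python
import re
from pathlib import Path

# Name patterns taken from the description above. Assumption: "xxx" is a run
# of decimal digits; the description only calls it an ordinal number.
RENAME_PATTERNS = {
    "Uhrjap.a": re.compile(r"^~TLP\d+\.TMP$", re.IGNORECASE),
    "Uhrjap.b": re.compile(r"^~037\d+\.TMP$", re.IGNORECASE),
}


def classify(name):
    """Return the variant whose rename pattern matches a file name, or None."""
    for variant, pattern in RENAME_PATTERNS.items():
        if pattern.match(name):
            return variant
    return None


def scan_root(root):
    """Check files in `root` and in its first-level directories only,
    the same scope the payload is described as renaming."""
    root = Path(root)
    hits = []
    try:
        entries = sorted(root.iterdir())
    except OSError:
        return hits  # drive absent or unreadable
    dirs = [root] + [e for e in entries if e.is_dir() and not e.is_symlink()]
    for d in dirs:
        try:
            files = sorted(f for f in d.iterdir() if f.is_file())
        except OSError:
            continue  # skip directories that cannot be listed
        for f in files:
            variant = classify(f.name)
            if variant:
                hits.append((variant, str(f)))
    return hits


if __name__ == "__main__":
    for drive in ("C:\\", "D:\\", "E:\\"):
        for variant, path in scan_root(drive):
            print(f"{variant}\t{path}")
```

A single matching name can be an unrelated temporary file; a whole directory of sequentially numbered matches is the stronger sign that the payload ran.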