Kaspersky Threats

Class

Platform

Description

Technical Details

This is an encrypted Word macro virus. It contains three macros: AutoOpen,
ExtrasMakro (stealth), QuickSilver. The virus replicates itself when
documents are opened (AutoOpen).

The virus replaces the Tools/Macro menu, if there is no text “MFake = no”
in the WIN.INI file in the [QuiteVicinity.02] section. If Windows 3.1 is
installed, the virus creates the C:SYSLOG1.BAT file and writes to there
the command that resets the ReadOnly attribute for some file. The virus
then writes the commands to the AUTOEXEC.BAT file:



echo off

call c:syslog1.bat

The virus displays the MessageBox:



Microsoft Word 1.0

Zur Zeit ist keine Dokumentvorlage aktiviert !

Starting from 1997 January 15 the virus searches and replaces: “. SAP” ->
“. S+P”, “%%%7%%%” -> “%%%8%%%”.

Starting from 1997 June 15 the virus creates the C:BOOTLOG.BAT file that
is called by AUTOEXEC.BAT and writes the commands to there:



if exist c:w95guardwgfe.exe del c:w95guardwgfe.exe

if exist c:winguardwgfe.exe del c:winguardwgfe.exe

Starting from 1997 August 15 the virus creates the C:SYSLOG2.BAT file with
the commands:



echo Datenmuell >> c:netstat.con

attrib -R c:netstat.con

type c:netstat.con >> c:netstat.con

Class	Virus
Platform	MSWord
Description	Technical Details This is an encrypted Word macro virus. It contains three macros: AutoOpen, ExtrasMakro (stealth), QuickSilver. The virus replicates itself when documents are opened (AutoOpen). The virus replaces the Tools/Macro menu, if there is no text “MFake = no” in the WIN.INI file in the [QuiteVicinity.02] section. If Windows 3.1 is installed, the virus creates the C:SYSLOG1.BAT file and writes to there the command that resets the ReadOnly attribute for some file. The virus then writes the commands to the AUTOEXEC.BAT file: echo off call c:syslog1.bat The virus displays the MessageBox: Microsoft Word 1.0 Zur Zeit ist keine Dokumentvorlage aktiviert ! Starting from 1997 January 15 the virus searches and replaces: “. SAP” -> “. S+P”, “%%%7%%%” -> “%%%8%%%”. Starting from 1997 June 15 the virus creates the C:BOOTLOG.BAT file that is called by AUTOEXEC.BAT and writes the commands to there: if exist c:w95guardwgfe.exe del c:w95guardwgfe.exe if exist c:winguardwgfe.exe del c:winguardwgfe.exe Starting from 1997 August 15 the virus creates the C:SYSLOG2.BAT file with the commands: echo Datenmuell >> c:netstat.con attrib -R c:netstat.con type c:netstat.con >> c:netstat.con

Virus.MSWord.Vicinity

Technical Details