This is an encrypted Word macro virus. It contains three macros: AutoOpen,
ExtrasMakro (stealth), QuickSilver. The virus replicates itself when
documents are opened (AutoOpen).
The virus replaces the Tools/Macro menu unless the [QuiteVicinity.02]
section of the WIN.INI file contains the text “MFake = no”. If Windows 3.1
is installed, the virus creates the C:SYSLOG1.BAT file and writes to it a
command that resets the ReadOnly attribute of some file. The virus
then writes the commands to the AUTOEXEC.BAT file:
The virus displays the MessageBox:
Microsoft Word 1.0
Zur Zeit ist keine Dokumentvorlage aktiviert !
Starting from 1997 January 15 the virus searches for and replaces text:
“. SAP” -> “. S+P”, “%%%7%%%” -> “%%%8%%%”.
Starting from 1997 June 15 the virus creates the C:BOOTLOG.BAT file, which
is called by AUTOEXEC.BAT, and writes the following commands to it:
if exist c:w95guardwgfe.exe del c:w95guardwgfe.exe
if exist c:winguardwgfe.exe del c:winguardwgfe.exe
Starting from 1997 August 15 the virus creates the C:SYSLOG2.BAT file with
echo Datenmuell >> c:netstat.con
attrib -R c:netstat.con
type c:netstat.con >> c:netstat.con
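
A triage check for the artifacts described above, as an added example that is not part of the original description. It looks for the WIN.INI marker, references to the three batch files, and the quoted batch commands in text read from a suspect system. The function names and the sample file contents are assumptions constructed for illustration.

```python
import re

# File names the description says the virus creates (spelled as on the page).
DROPPED = ("SYSLOG1.BAT", "BOOTLOG.BAT", "SYSLOG2.BAT")

def winini_marker(text):
    """True if [QuiteVicinity.02] holds MFake = no (case/whitespace tolerant)."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "quitevicinity.02" and "=" in line and not line.startswith(";"):
            key, value = (part.strip().lower() for part in line.split("=", 1))
            if key == "mfake" and value == "no":
                return True
    return False

def batch_findings(name, text):
    """Return (file, line number, reason) for lines matching the described behaviour."""
    found = []
    for number, raw in enumerate(text.splitlines(), 1):
        low = raw.strip().lower()
        if low.startswith(("rem ", "::")):
            continue  # commented-out lines do nothing at boot
        for bat in DROPPED:
            if bat.lower() in low:
                found.append((name, number, "references " + bat))
        if re.search(r"\bdel\s+\S*wgfe\.exe", low):
            found.append((name, number, "deletes wgfe.exe"))
        if re.search(r"\battrib\s+-r\b", low):
            found.append((name, number, "clears ReadOnly attribute"))
        copy = re.search(r"\btype\s+(\S+)\s*>>\s*(\S+)", low)
        if copy and copy.group(1) == copy.group(2):
            found.append((name, number, "appends a file to itself"))
    return found

# Constructed samples: the AUTOEXEC.BAT call syntax is an assumption; the
# SYSLOG2.BAT lines are the three commands quoted in the description.
SAMPLE_AUTOEXEC = "@echo off\nrem call c:bootlog.bat\ncall c:bootlog.bat\n"
SAMPLE_SYSLOG2 = ("echo Datenmuell >> c:netstat.con\n"
                  "attrib -R c:netstat.con\n"
                  "type c:netstat.con >> c:netstat.con\n")
SAMPLE_WININI = "[windows]\nload=\n\n[QuiteVicinity.02]\nMFake = No\n"

if __name__ == "__main__":
    print("WIN.INI marker present:", winini_marker(SAMPLE_WININI))
    for finding in batch_findings("AUTOEXEC.BAT", SAMPLE_AUTOEXEC):
        print(finding)
    for finding in batch_findings("SYSLOG2.BAT", SAMPLE_SYSLOG2):
        print(finding)
```

The WIN.INI marker is the text the virus checks for before replacing the Tools/Macro menu, so its presence is a lead for further examination rather than proof of infection.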