Virus.MSWord.Vicinity

Class Virus
Platform MSWord
Description

Technical Details


This is an encrypted Word macro virus. It contains three macros: AutoOpen,
ExtrasMakro (stealth), QuickSilver. The virus replicates itself when
documents are opened (AutoOpen).


The virus replaces the Tools/Macro menu, if there is no text “MFake = no”
in the WIN.INI file in the [QuiteVicinity.02] section. If Windows 3.1 is
installed, the virus creates the C:SYSLOG1.BAT file and writes to there
the command that resets the ReadOnly attribute for some file. The virus
then writes the commands to the AUTOEXEC.BAT file:


echo off
call c:syslog1.bat

The virus displays the MessageBox:

Microsoft Word 1.0
Zur Zeit ist keine Dokumentvorlage aktiviert !

Starting from 1997 January 15 the virus searches and replaces: “. SAP” ->
“. S+P”, “%%%7%%%” -> “%%%8%%%”.


Starting from 1997 June 15 the virus creates the C:BOOTLOG.BAT file that
is called by AUTOEXEC.BAT and writes the commands to there:


if exist c:w95guardwgfe.exe del c:w95guardwgfe.exe
if exist c:winguardwgfe.exe del c:winguardwgfe.exe

Starting from 1997 August 15 the virus creates the C:SYSLOG2.BAT file with
the commands:

echo Datenmuell >> c:netstat.con
attrib -R c:netstat.con
type c:netstat.con >> c:netstat.con