Kaspersky Threats — WallPaper

Class

Platform

Description

Technical Details

This is an encrypted macro virus. It contains two original macros, but
while infecting global macros area the AutoOpen macro is copied to four
macros:



Documents    NORMAL.DOT

FilePrint -> FilePrint

autoOpen  -> autoOpen

ToolsMacro

FileTemplates

ToolsCustomize

The virus infects the documents on all calls that are listed above (opening
or printing a file, entering menus File/Templates, Tools/Macro,
Tools/Customize) and copies itself to global macros on opening an infected
document.

The virus drops the SK2.BMP file that contains an image of a death’s head.

On the 31th of any month the virus modifies the profile section [Desktop] (the WIN.INI
file):



[Desktop]

Wallpaper=SK2.BMP

TileWallPaper=1

SK2=

and increases SK2 value on each infection. It also creates the
C:WINDOWSREGSK2.REG and writes the text to there:



REGEDIT4

[HKEY_CURRENT_USERControl PanelDesktop]

“TileWallpaper”=”1”

“Wallpaper”=”C:\WINDOWS\SK2.BMP”

The virus then appends the following commands to the C:AUTOEXEC.BAT file :



@echo off

c:

cd c:windows

copy /y SK2.BMP c:windowssk2.bmp >nul

regedit regsk2.reg >nul

On the same date (31th) the virus, depending on the system time, displays the
dialog:



[!!!PIRATE VIRUS!!!]– Active!

The [PIRATE VIRUS] has pillaged your computer!

GO BACK TO MS-WORD??

Class	Virus
Platform	MSWord
Description	Technical Details This is an encrypted macro virus. It contains two original macros, but while infecting global macros area the AutoOpen macro is copied to four macros: Documents NORMAL.DOT FilePrint -> FilePrint autoOpen -> autoOpen ToolsMacro FileTemplates ToolsCustomize The virus infects the documents on all calls that are listed above (opening or printing a file, entering menus File/Templates, Tools/Macro, Tools/Customize) and copies itself to global macros on opening an infected document. The virus drops the SK2.BMP file that contains an image of a death’s head. On the 31th of any month the virus modifies the profile section [Desktop] (the WIN.INI file): [Desktop] Wallpaper=SK2.BMP TileWallPaper=1 SK2= and increases SK2 value on each infection. It also creates the C:WINDOWSREGSK2.REG and writes the text to there: REGEDIT4 [HKEY_CURRENT_USERControl PanelDesktop] “TileWallpaper”=”1” “Wallpaper”=”C:\WINDOWS\SK2.BMP” The virus then appends the following commands to the C:AUTOEXEC.BAT file : @echo off c: cd c:windows copy /y SK2.BMP c:windowssk2.bmp >nul regedit regsk2.reg >nul On the same date (31th) the virus, depending on the system time, displays the dialog: [!!!PIRATE VIRUS!!!]– Active! The [PIRATE VIRUS] has pillaged your computer! GO BACK TO MS-WORD??

Virus.MSWord.WallPaper

Technical Details