Virus.MSWord.WallPaper

Class Virus
Platform MSWord
Description

Technical Details


This is an encrypted macro virus. It contains two original macros, but
while infecting global macros area the AutoOpen macro is copied to four
macros:


Documents NORMAL.DOT
FilePrint -> FilePrint
autoOpen -> autoOpen
ToolsMacro
FileTemplates
ToolsCustomize

The virus infects the documents on all calls that are listed above (opening
or printing a file, entering menus File/Templates, Tools/Macro,
Tools/Customize) and copies itself to global macros on opening an infected
document.


The virus drops the SK2.BMP file that contains an image of a death’s head.


On the 31th of any month the virus modifies the profile section [Desktop] (the WIN.INI
file):

[Desktop]
Wallpaper=SK2.BMP
TileWallPaper=1
SK2=

and increases SK2 value on each infection. It also creates the
C:WINDOWSREGSK2.REG and writes the text to there:

REGEDIT4
[HKEY_CURRENT_USERControl PanelDesktop]
“TileWallpaper”=”1”
“Wallpaper”=”C:\WINDOWS\SK2.BMP”

The virus then appends the following commands to the C:AUTOEXEC.BAT file :

@echo off
c:
cd c:windows
copy /y SK2.BMP c:windowssk2.bmp >nul
regedit regsk2.reg >nul

On the same date (31th) the virus, depending on the system time, displays the
dialog:

[!!!PIRATE VIRUS!!!]– Active!
The [PIRATE VIRUS] has pillaged your computer!
GO BACK TO MS-WORD??