ASSILEM VIRUS


Information about the Assilem virus:

This virus infects Word 97 and Word 2000 documents, templates and the NORMAL.DOT file of Word 97. On infection it turns off the MACRO VIRUS PROTECTION feature of Word. Due to its stealth capability, it cannot be viewed.

Assilem virus first appeared in November 2000.


Other names of Assilem virus:
This virus is also known as W97M/Assilem.c, W97M/Assilem.g

BABLAS.A VIRUS

Information about Bablas.A virus:
This virus infects Word 97 and Word 2000 documents, templates and the NORMAL.DOT file of Word 97. It consists of a module called BPPHCK. When an infected document is opened, it infects the global template and displays the message:

BPP Hacker is now activating - (I don't mean to disturb)

Bablas virus first appeared in January 2000.

Other names of Bablas.A virus:
This virus is also known as W97M/Bablas.A.

BOBO VIRUS


Information about the Bobo virus:

This virus infects Word 97 and Word 2000 documents, templates and the NORMAL.DOT file of Word 97. When an infected document is opened, it displays a message box containing the word BOBO.

Bobo virus first appeared in August 2000.


Other names of Bobo virus:
This virus is also known as W97M/Bobo.B, W97M/Bobo.C, W97M/Bobo.F.

BRIDGE.A VIRUS


Information about the Bridge.A virus:

This virus infects Word 97 documents, templates and the NORMAL.DOT file of Word 97. It contains two macro modules called MdCont and Contec. MdCount executes Contact modules, which carry the virus code. It infects other documents when a document is closed.

Bridge.A virus first appeared in June 2000.


Other names of Bridge.A virus:
This virus is also known as W97M/Bridge.A.

CHACK.H VIRUS


Information about the Chack.H virus:

This virus infects Word 97 documents, templates and the NORMAL.DOT file of Word 97. It contains the modules Cyberform and Cyberhack. It hides the Macro, Visual Basic and Customize options under the toolbar menu. It also disables the MACRO VIRUS PROTECTION feature of Word.

Chack.H virus first appeared in July 1999.


Other names of Chack.H virus:
This virus is also known as W97M/Chack.H.

CLAUD.A VIRUS


Information about the Claud.A virus:

This virus infects Word 97 documents, templates and the NORMAL.DOT file of Word 97. Once the global template is infected, it infects Word documents when they are closed. It carries the following comments:

Este es un V macro, Elaborado por c l a u d I o Este es el Comienzo de la era de los V Claudio

Claud.A virus first appeared in April 2000.


Other names of Claud.A virus:
This virus is also known as W97M/Claud.A.

COLDAPE.B VIRUS


Information about the Coldape.B virus:

This virus infects Word 97 documents, templates and the NORMAL.DOT file of Word 97. It is very similar to the Coldape.A virus, with minor changes in the scripts. It mails the information to a different email ID.

Coldape.B virus first appeared in March 1999.


Other names of Coldape.B virus:
This virus is also known as W97M/Coldape.B.

DARIEM.A VIRUS


Information about the Dariem.A virus:

This virus infects Word 97 documents, templates and the NORMAL.DOT file of Word 97. It changes the summary information of infected documents, using the current system date and time when writing the summary. It adds the password DARIEM to infected documents.

Dariem.A virus first appeared in July 2000.


Other names of Dariem.A virus:
This virus is also known as W97M/Dariem.A.

DED.A VIRUS


Information about the Ded.A virus:

This virus infects Word 97 documents, templates and the NORMAL.DOT file of Word 97. It is polymorphic by nature. It is derived from another macro virus called IIS.

This virus has variants such as Ded.B and Ded.C, with minor changes in the virus code.

Ded.A virus first appeared in November 1999.


Other names of Ded.A virus:
This virus is also known as W97M/Ded.A.

ETHAN FROME VIRUS


Information about Ethan Frome virus:

This virus infects Word 97 documents, templates and the NORMAL.DOT file of Word 97. The virus code is contained in one macro named "Document_Close". This macro will be in the "ThisDocument" module of the infected file.

It creates a file called ETHAN.___ in the root directory of the C drive. This file contains the macro code of this virus. The virus marks this file as a hidden file. This file is used to copy the virus code while infecting other files.

Ethan.A virus also looks for the CLASS.SYS file in the root directory of the C drive and deletes it if found. The CLASS.SYS file is used in a similar way by the Class virus to infect other files.

Ethan.A virus uses a random counter and when the counter is set, the virus will change the title of the infected document to "Ethan Frome", and its author to "EW/LN/CB".

Ethan virus first appeared in February 1999 and it is in the wild.


Other names of Ethan Frome virus:
This worm is also known as W97M/Ethan, Word97.Ethan.

ASTIA VIRUS


Information about the Astia virus:

This virus infects Word 97 documents, templates and the NORMAL.DOT file of Word 97. It creates two infected files, BOOK.SRC and BOOK.DOT, in MS Word's startup directory.

Astia virus first appeared in March 2000.


Other names of Astia virus:
This virus is also known as W97M/Astia.L.

BEAST VIRUS


Information about the Beast virus:

This virus infects Word 97 and Word 2000 documents. The virus code is contained in one macro named "AUTOOPEN". This macro will be in the "ThisDocument" module of the infected file. This virus also carries an embedded object called i.exe, which is a PE executable file. When an infected document is opened, it runs the embedded i.exe file, which installs itself under the WINDOWS\SYSTEM directory. It takes a random name from the list of DLL files in the same directory and uses it with an EXE extension. The program goes memory resident during the next boot up and infects documents used under Word 97.

Beast virus first appeared in May 1999.


Other names of Beast virus:
This virus is also known as Win95/Beast, TROJ_W97M_BEAST, 3BEPb, Beast.a.

BRENDA.A VIRUS


Information about the Brenda.A virus:

This virus infects Word 97 documents, templates and the NORMAL.DOT file of Word 97. On infection it turns off the MACRO VIRUS PROTECTION feature of Word. It changes the hard disk's volume label to "nonuts". It modifies the WIN.INI file with some Winzip entries. It also modifies the Windows registry.

Brenda.A virus first appeared in January 1999.


Other names of Brenda.A virus:
This virus is also known as W97M/Brenda.A.

CHACK.B VIRUS


Information about the Chack.B virus:

This virus infects Word 97 documents, templates and the NORMAL.DOT file of Word 97. It contains the modules Cyberform and Cyberhack. It hides the Macro option under the toolbar menu and disables the MACRO VIRUS PROTECTION feature of Word.

Chack.B virus first appeared in March 2000.


Other names of Chack.B virus:
This virus is also known as W97M/Chack.B.

CLASS VIRUS


Information about the Class virus:

This virus infects Word 97 documents, templates and the NORMAL.DOT file of Word 97. The virus code is contained in two macros. These macros will be in the "ThisDocument" module of the infected file. The names of the virus macros are "AutoOpen" and "ViewVBCode" in all the infected files except in the NORMAL.DOT file, in which it will be "AutoClose" and "ToolsMacro".

The Class virus creates a file called CLASS.SYS in the root directory of the C drive. This file contains the macro code of this virus. This file is used to copy the virus code while infecting other files.

The virus code varies in every infection because the virus puts some comments inside its code. The comments contain the current date and time, user name and some information about the printer used.

This virus displays this message on the 31st day of every month:

This Is Class
o-o-o-o-o-o-o-o-o-o-o-o-o-o
o VicodinES /CB /TNN o
o o-o-o-o-o-o-o-o-o-o-o-o-o

Class virus first appeared in December 1998 and it is in the wild.

Variants of Class virus:

Class D:

Class.D virus displays this message on the 14th day of the month (only from June to December):

I Think XXXXXX is a big stupid jerk!
VicodinES Loves You / Class.Poppy

(XXXXXX will be the current user's name)

This variant of the Class virus also randomly changes the registered user of Windows to "Dr. Diet Mountain Dew" in the Windows registry.

Class B:

Class.B virus is the same as Class.D but it does not alter the registry.


Other names of Class virus:
This worm is also known as W97M/Class, Word97.Class.

COLDAPE.A VIRUS


Information about the Coldape.A virus:

This virus infects Word 97 documents, templates and the NORMAL.DOT file of Word 97. If Windows Scripting Host is installed, it drops two scripts, "Happy.vbs" and "A4.vbs", and launches them. After this it tries to send a mail to a virus researcher with the following message:

Dear Nicky... my name is <MS-Word registered user name> and I want to make hot monkey love with you. You anti-virus stud!

Coldape.A virus first appeared in December 1998.


Other names of Coldape.A virus:
This virus is also known as W97M/Coldape.A.

CYBERNET.A VIRUS


Information about the CyberNet.A:

This is a macro virus with worm characteristics that infects Word 97, Excel 97 and Office 2000 documents. It arrives as an email attachment with the subject "You’ve GOT Mail !!!" and the following mail content:

"Please, saved the document after you read and don’t show to anyone else. The document is also VIRUS FREE… so DISREGARD the virus protection warning !!!"

The macro virus infects the NORMAL.DOT of MS-Word and creates a file CYBERNET.XLS under the XLSTART folder. It automatically mails an infected file as an attachment to the first 50 addresses found in the address book.

It overwrites AUTOEXEC.BAT with the command FORMAT C: /AUTOTEST /Q /U, together with the text below:

##########################################

# Vine...Vide...Vice...Moslem Power Never End... #

# I'm Really Sorry, This System Have Been Recycled By -= CyberNET =- Virus!!! #

# Brought To You From INDONESIA... #

##########################################

It also overwrites CONFIG.SYS with the instruction SWITCHES=/N.

It also has a payload that inserts random shapes and figures into documents that are already open. It is set to trigger on August 17 and December 25.

The CyberNET.A macro virus first appeared in May 2000.


Other names of CyberNet.A:
This macro virus is also known as CyberNet, XL97/CyberNet.A

DB.A VIRUS


Information about the DB.A virus:

This virus infects Word 97 documents, templates and the NORMAL.DOT file of Word 97. This virus alters the document comments.

DB.A virus first appeared in May 2000.

Other names of DB.A virus:
This virus is also known as W97M/DB.A, DocBombing.

EIGHT941 VIRUS


Information about the Eight941 virus:
This virus infects Word 97 documents, templates and the NORMAL.DOT file of Word 97. It infects documents when they are opened. It has a payload: on July 1st, when an infected document is opened, it searches the C: drive for files with the DOC extension and then adds the password xyz to those documents.

This virus has several variants with minor differences in the virus code, including Eight941.A, Eight941.D, Eight941.E, Eight941.F, Eight941.M and Eight941.R.

Eight941 virus first appeared in March 2000.

Other names of Eight941 virus:
This virus is also known as W97M/Eight941.

W97M/KUKUDRO.A VIRUS


Information about the W97M/Kukudro.A Virus:

W97M/Kukudro.A is a macro virus. It arrives as an email attachment.

The subject of the infected mail will be one of the following:

  • Hello
  • worth to see
  • Hi
  • prices

The body of the infected mail will be:

Hello (random name)--

Regards, (random name) (random email address)

The name of the infected attachment will be one of the following:

  • apple_prices.zip
  • prices.zip
  • sony_prices.zip

The attached zip file contains the following Word document:

my_Notebook.doc

When the file is opened, it drops the following file in the C:\ drive:

666inse_1.exe

The dropped file is executed and tries to download the W32/Sality.R virus from a pre-configured list.


This macro virus first appeared on June 27, 2006.

Other names of W97M/Kukudro.A Virus:
This Macro Virus is also known as W97M.Kukudro.A, W97M_DLOADER.BKV, Kukudro.A, WM97/Kukudro-A, W97M/Dropexe.

W97M/KUKUDRO.B VIRUS

Information about the W97M/Kukudro.B Virus:

W97M/Kukudro.B is a macro virus. It arrives as an email attachment.

The subject of the infected mail will be one of the following:

  • Hello
  • Worth to see
  • Hi
  • prices

The body of the infected mail will be:

  • Hello (random name)

Regards, (random name) (random email address)

The name of the infected attachment will be one of the following, or a random name:

  • apple_prices.zip
  • prices.zip
  • hp_laptops.zip
  • sony_prices.zip

The attached zip file contains the following Word document:

(name of zip file).doc

When the file is opened, it drops the following file in the C:\ drive:

dnel.exe

The dropped file is executed and tries to download other malware from a pre-configured list of websites.


This macro virus first appeared on June 28, 2006.

Other names of W97M/Kukudro.B Virus:
This Macro Virus is also known as WM97/Kukudro-B, W97M_DLOADER.BVS.