macro.word.andr
Webroot Antivirus: The best protection against viruses, spyware data theft and hackers.
Description:
Details
Macro.Word.Andry
This encrypted virus contains only one macro AutoOpen and infects the global macro area on opening an infected document and writes itself to other documents when they are being opened.
On March 1st it sets to documents the password "Andry Christian", prints the text to status bar:
* I'M ANDRY CHRISTIAN, IF YOU THOUGHT, YOUR DOCUMENTS
OR TEMPLATES WERE SAFE, YOU WERE WRONG ! *
It then displays the dialog:
HACKERS Labs '96 - Hackware Technology Research
ANDRY [CHRISTIAN] WORD MACRO VIRUS IS HERE !!!
DO YOU SUPPORT MY VIRUS ?
YES NO
In case of "NO" key the virus overwrites the C:\AUTOEXEC.BAT file with commands:
@ECHO OFF
CLS
ECHO Please wait . . .
FORMAT C: /U /C /S /AUTOTEST > NUL
and the C:\CONFIG.SYS file with commands:
DOS=HIGH,UMB
FILES=40
BUFFERS=40
DEVICE=C:\DOS\HIMEM.SYS
DEVICE=C:\DOS\EMM386.EXE RAM
On the same date (March 1st) depending on the system time the virus runs the disk formatting command:
COMMAND /C FORMAT C: /U /C /S /AUTOTEST > NUL
Depending on the system time the virus inserts into current document the text:
Helloall.
Andry Christian
WordMacro Virus
Is Here....!!!
The virus also contains the comments:
'======================================================================'
' Source Code of Andry Christian WordMacro Virus 0.99 - eta Release '
'======================================================================'
' Virographer by Andry [Christian] in [Batavia] City, of INDONESIA '
' Viroright (C) 1996-1999 Hackware Technology Research - HACKERS Labs. '
' Multi Platform, Multi Infector, Stealth, OneMacro, Encryption, etc '
' Last Update by 01-Maret-1996 & 01:03 PM - Found Bugs...? Call Me '
'======================================================================'
' HACKERS Labs. -> WE ARE A BIG FAMILY OF THE VIRUS CREATOR's TEAM '
'======================================================================'
Copyright @2006 macro.word.andr