Vad är detta, WM_Strezz.A-Z & XM_NEG.B ?

[Sege]

Är det någon som vet vad detta är för "roliga" saker, hade dom på datorn men är numera bortplockade.

WM_Strezz.A-Z

XM_NEG.B

 

mvh / Sege

[ekneH]

Hos Symantec Antivirus Research Center kan virusen vara förklarade: http://www.symantec.com/avcenter/vinfodb.html

 

/Henke

[Fredrik Almqvist]

Följande information har jag hittat om dessa makrovirus:

 

WM_STREZZ:

This is an encrypted Word macro virus. It contains three macros: AutoOpen, FilePrint, FileSaveAs. The virus infects the global macros area (NORMAL.DOT) on opening an infected document (AutoOpen) and writes itself to documents that are saved with new name or printed (FilePrint, FileSaveAs). The virus removes all menus that allow to check macros. On printing a document the virus not only infects it, but also removes all text from the document, disables re-do (EditUndo) and then prints the text: "STRESS '97 Special for my love by The Free Hackers Viroright © 1997 Internation Virus Research If you have bugs, please call me and don't stress for it! I will back laler!". The virus then displays the MessageBox:

"[iVR] - Internation Virus Research You are STREZZ now, I'm sorry for it!".

 

XM_NEG:

This virus infects Excel sheets. It contains six functions in one module Dollar: Auto_Open, ****, Auto_Close, cek_global, infectglobal, inFuckIt. While loading an infected document Excel executes auto macros auto_open, and the virus takes control. The virus auto_open macro contains command, which defines the **** macro as a handler of OnSheetActivate routine. As a result the virus hooks the sheet activate routine, and while opening a sheet the virus takes control. When the auto_open macro takes control it searches for DOLLAR.XLM files in the Excel Startup directory. If the infected macro is an active Workbook and the DOLLAR.XLM file does not exist in the Excel Startup directory when the virus is executed for the first time, the virus creates this file and saves its code to it by using the SaveAs command. When Excel loads its modules the next time it automatically loads all XLS files from the Startup directory. The infected DOLLAR.XLM is loaded as well as other files, and the virus takes control and hooks the sheet activation routine. On activation a sheet the virus copies its code to the active Workbook and as a result spreads its code to this sheet. The virus deletes 25 menu items related to macro viewing/editing/etc, if they exist. On 13th of any month it appends to the C:\AUTOEXEC.BAT file the commands that erase Windows files:

@ECHO OFF

CLS

cd\windows

del *.com >nul

del *.vxd >nul

del *.drv >nul

del *.dll >nul

The virus contains the comments:

------------------------------------------------

Generated with NEG !!. Please include this text

------------------------------------------------

NEG is Trademark of NoMercy

Date generated : 27- 3- 1998

VirusName: Dollar

Author: NEG

Module Name: Dollar

Template: DOLLAR.XLM