The Norton AntiVirus Information File Copyright Symantec Corp. 1993-98 All Rights Reserved Version #9609 Q~d&w&wI+VFF Fu^&w&wP4!`````````q I  2 I G`GGGGGG ( t #$x%'T#T##'%}'# # ^^# # vvv#  # 8 ^  ; ^ ;  # GH#  } # # [ ^ D# # &&&;;g!H&$($&%!!"$z!1$1$1$1$1$1$1$&M$M$M$M$M$M$M$M$M$M$$$v&v&v&&v&v&v&1$1$1$l'M$M$ '7'G&&D$''''!!!!!!E!E!: # # ;;# # }# # # ;;;;; ;;;;;;# ;; ;;;;; # ::::::^^^;;;;; # ^^^^^^ ;;;^^ : ;# ^^;^^;;;;;^;:::::::# # |# # #  # ^ # ;^^;::^ ^^^;;;;  ^^^^ # ^# # # I;^^# ^ ^^  ;;^ # # : }: ^:# # ^^^^^;^ ;::::::::::^:^# ^p ^^ ^^ ^ # : :# # ^ # ^^  ^^:^^^^^^^^ ^: # ^ ;^^;# ^^ HtK%+:;;;;B^# y# # # # # }}# r+4y}}d^I; gg}I"P%"y"IP""#l"!##y"y"II#P8IgIgg#t;} Vgggjtgg"gg  K" '#IlIIId'I'(6' pil+   l KK#pT p"pK}6# 48J KK PiK#K5#ol#2":#V UjUPU[P * Hg\ b g @ 0 T  ~ gg7g  V" j 2" g9% g ogV" V"J iV"J J J J K' Bg)K# J " %##U$(M$No additional information.This virus infects the master boot record and boot record of floppy disks. Bootup from infected floppies often causes system hangsLenartThis virus contains the text, "I am Li Xibin!". Bootup from infected floppies often causes system hangsThis is dropped by the "Backdoor.Poly" or "Backdoor.SubSeven". You must delete this file.This is a trojan horse program and not a virus. This program can be used to allow unauthorized access to your computer. You must delete this file.This is a backdoor type trojan program which can be used to allow unauthorized access to your computer.This backdoor trojan loads by adding to the line shell=explorer.exe in the SYSTEM.INI file. To clean, replace that line and delete the corresponding file from the C:\WINDOWS directory.This virus does little but replicate. Note that Boot-437 does not infect the MBR of the hard drive; it infects only the Boot Sector.This is a Internet worm that uses .bat files to search through a range of IP addresses of known ISPs to find an accessible computer. If an accessible computer shares its C drive, it copies its files onto the other computer.DIR.BywayByway creates a file called CHKLIST.MS in the root directory. DO NOT delete this file, as you will lose original file data!OZ, Die Hard.II, Die-Hard.4000.dInfected programs have the word "OZ" near the end of the file.Creeping DeathChanges directory entries to point to itself. Using the "CHKDSK /F" command will destroy all program file linkage. To repair infected systems, you must use the DOS version of NAV.CMOS KillerThis family of viruses attempts to modify CMOS information. EXE files are overwritten by virus code turning them into droppers.On the 18th of any month, the virus plays a clicking sound whenever a key is pressed. The virus contains the text: "The FORM-Virus sends greetings to everyone who's reading this text. FORM doesn't destroy data! Don't panic!"Worm.NewaptThis worm uses MS Outlook Express or Netscape Mail to mail itself out. It uses several names for the attachment.B1NYB is a fairly generic MBR and Floppy Boot Sector Infector. It goes resident, but does not destroy anything intentionally. However, some floppies have been reported as corrupted.Worm.ExploreZip(pack)This worm usually comes "Explore.EXE" in email. When executed, it gives out a fake error message that the ZIP file is invalid. See http://www.symantec.com/avcenter for detail info on this worm.MonkeyThis virus encrypts the partition table, moves it to a different locale on the hard drive and then takes the place of the real one. In order to read the real partition (and see the drive), the virus must be active in memory.Bloody!After the 128th time a computer boots from an infected disk, the message "Bloody! June 4, 1989" appears.MichelangeloIf an infected system is booted any time on March 6th, the virus will silently overwrite the first 17 Sectors of the first 256 Cylinders of the hard drive with random information from memory.Bloomington,Stoned.No_Int,New ZealandThe virus overwrites the root directory on floppy disks. Any data located there is lost. Booting from an infected floppy disk displays the error message: "Disk boot failure."AngelinaContains the text "Greetings for ANGELINA !!!/by Garfield/Zielona Gora".Natas, SatanA highly polymorphic multi-partite virus that infects everything. It is most prevalent in Mexico, though originally written in San Diego by the author of SatanBug.69On 30NOV, will show a message on the screen. Encrypted within the multi-sectored virus is "S A M P O" and proclaiming itself from the Phillipines. In the wild in Asia, Europe, and the US.This program drops a copy of Backdoor.Subseven on the user's computer.HLLP.Termite.5000/7800/9100This is an improved prepending virus that encrypts part of the files. Those with Win32 NAV products should use NAVDX to repair this virus. For more information, look up Termite at http://www.symantec.com/avcenter/FunYour NTTHNTA Wazzu Colors.AEOpening infected document for the 20th time, some variants of WM.Appder delete C:\DOC\*.EXE, C:\DOC\*.COM, C:\WINDOWS\*.EXE, C:\WINDOWS\SYSTEM\*.TTF and C:\WINDOWS\SYSTEM\*.FOTOn February 3 and February 26 this virus will add password protection of Dariem. It also changes the Document PropertiesThis is a Word 97 macro virus. It creates a text file in the current directory. The text files names start with "CMC".This is a Word 97 macro virus. After June of year 2000, it creates ".doc" files in "Windows" directory 999999991 times. The file names start with "Aa".This is a Word 97 macro virus does noting but replicate. It infects when the document is closed.This is a Word 97 macro virus that infects Word97 documents and templates. On certain days and month, it triggers a message and imports a file saved as "bdoc2.txt".This polymorphic macro virus infects "Normal.dot" and modifies MS WORD virus protection settings.This virus infects when opened. Also on certain date 11/10 or 7/1 if opened, it changes the options of MS-Word.This virus infects when opened. It changes options of the MS-Word. Also, if the file is opened after a june of the each year following 2000, the file will replicate it-self 999999991 times.This virus infects when opened. It changes options of the MS-Word. Also, if the file is opened after a june of the each year following 2000, the file will replicate it-self 999999991 times.This virus infects Word97 documents when opened. Also, if an infected document is opened on July 1 the virus will attempt to open all documents on the C: drive, infect them, and set the password to "xyz"This virus infects Word97 documents when opened. Also, if an infected document is opened on July 7 or November 10 the virus will attempt to open all documents on the C: drive and infect them.This Word 97 macro is similar to all members of the W97M.Eight941 family of macro viruses in the way it replicates. Also it has similar payload.Macro Word97 "CAPUT"This macro virus creates a file "system.drv" in "C:\" directory. Under "properties->summary->comments" displays "JU$t bEEn CAPuted!" message.Hubad GandaThis polymorphic Word 97 macro inserts an ASCII-picture when printing an infect Word documents. W97M.Junefill.AThis Word 97 macro triggers July, 2000, and continually saves the currently infected document to c:\windows as random file names. It is also inserts the user name/address/initials into the code. W97M.Marker.CE W97M.Marker.CSThis Word 97 macro is a June/July Variant. It infects the Normal.dot and any active documents and saves them as AA and AA.doc.This is polymorphic macro virus. This virus creates a "EmailMe.html" in the Windows directory. You should delete this file.This is polymorphic macro virus. This virus creates a "EmailMe.html" in the Windows directory. You should delete this file.When the document is opened or closed On 3/11, this macro virus will display "Happy Birthday". It will try to delete "*.sys" files from "C:\". It will also delete some words in the document.This Word 97 Macro virus adds a password of 8941 to all documents. One would need to first disable the password before attempting to repair with NAV.W97M.PSDAt certain time of the day, it will add colorful AutoShape objects to the current document when opening or closing the document.Doing "File Save" and "File Save As" on August 30th will cause this macro virus to display message box. Also user would need to enter correct password to continue editing this document. The password is "WM.MALAYSIA 1998".This is a macro virus that infects Word97 documents and templates only. This macro virus is stealth and uses anti-debugging techniques. This macro virus may prevent you from opening documents on Sunday.W32.Beast W32.Beast.56230/41472This virus uses macro and EXE to spread. Infected document carries an embedded EXE object that gets activated by the AutoOpen macro in the document. The EXE goes resident and infects other opened documents in MS Word.This Word macro virus is dangerous. It tries to add few lines in your "C:\Autoexec.bat" file which is "Deltree c:\*.* /y". You should delete that line if it is there.Beast.A.Trojan CDtray.Trojan BeastThis is the EXE part of W97M/W32.Beast. See W97M.Beast for description.WM.Cap FamilyThis macro virus removes Macro & Customize item from Tools menu. It deletes all existing macros before infection. Saving into RTF file actually creates an infected Word Document w/ RTF extension.This is a remnant of WM.Cap virus. If NORMAL.DOT is infected or an infected document is opened, MS Word fails to execute FileOpen, FileSave, FileSaveAs or FileClose and gives "WordBasic Err" message.This macro virus removes Macro from Tools menu. It displays a picture when Help|About is accessed or when exiting from Word97 on Friday.Class.Poppy, WoobieThis is a polymorphic Word97 macro virus. Some variants display insulting messages like telling user "is a jerk", etc. Some variants quietly do their infections on opening and closing documents.MV Version 1eThis W97M.Class variant uses C:\SYSTEM.SYS as a temporary text file. It display the following message for Tools-Macro menu: "This program has performed an illegal operation and will shut down."Polymorphic Word 97 macro virus. Infects the normal template.This macro does little but replicatesThis Word 97 virus infects normal template.This macro virus does little but replicate.This macro virus is polymorphic. It infects "Normal.dot". It also uses Aplication.UserName to name a ".tmp" file created in the "c:\windows\temp" directory and containing the source code of the virus.W97M.Chack.VariantThis is a generic Word97 macro virus. It infects documents by using the Normal Template on opening, closing, and as well as most of the other commands available through word menu.W97M.Zippy Class.ZippyThis polymorphic macro virus remove the Macro and Options from Tools menu. It prints the active document on the 10, 15, 20, 25 everytime the infected document is opened or close.This polymorphic macro virus removes the Macro and Options items from the Tools menu. It also prints the active document on the 13th during the months of August through December.Class.TNTThis polymorphic macro virus display messages on Dec 23 and 24. On Dec 25, it password protects the infected document with "TNT"This macro virus infects the global template Normal.dot to spread. The virus diplays a message and beeps 100 times if excuted anytime before 9:00 PM on Fridays and Sundays. It also modifies several menu commands and dialog boxes.This macro virus infects the global template Normal.dot to spread. It displays Input Box with a title "AV MACRO", when selecting the "Visual Basic Editor".This virus diplays a message and beeps 100 times if excuted anytime before 9:00 PM on Fridays and Sundays. It also modifies several menu commands and dialog boxes.This virus diplays a message and beeps 100 times if excuted anytime before 9:00 PM on Fridays and Sundays. It also modifies several menu commands and dialog boxes.This virus diplays a message and beeps 100 times if excuted anytime before 9:00 PM on Fridays and Sundays. It also modifies several menu commands and dialog boxes.This virus diplays a message and beeps 100 times if excuted anytime before 9:00 PM on Fridays and Sundays. It also modifies several menu commands and dialog boxes.This virus diplays a message and beeps 100 times if excuted anytime before 9:00 PM on Fridays and Sundays. It also modifies several menu commands and dialog boxes.This macro virus infects the global template Normal.dot to spread. The virus diplays a message and beeps 100 times if excuted anytime before 9:00 PM on Fridays and Sundays. It also modifies several menu commands and dialog boxes.This macro virus infects the global template Normal.dot to spread. The virus diplays a message and beeps 100 times if excuted anytime before 9:00 PM on Fridays and Sundays. It also modifies several menu commands and dialog boxes.This macro virus infects the global template Normal.dot to spread. The virus diplays a message if excuted anytime before 9:00 PM on Fridays and Sundays. It also modifies several menu commands and dialog boxes.This macro virus infects the global template Normal.dot to spread. The virus diplays a message if excuted anytime before 9:00 PM on Fridays and Sundays. It also modifies several menu commands and dialog boxes.This Word97 macro virus contains a module called Claudio that infects during the closing of the document. Another infectious module called Modulo1 is called during the opening of new documents.This is a macro virus that infects Word97 documents and templates. It contains a module called Modulo1 that infects when documents are opened.This is a macro virus that infects Word97 documents and templates. It contains a module called Claudio2. On 11/10 and 7/1, it will search your entire C drive for "*.doc" files and change some option settings.WM.Colors Family, RainbowThis macro virus maintains a counter in INI file. After a certain number of accesses, it modifies WIN.INI to change the Windows desktop color settings. It is known to snatch AutoOpen and various FILE macros.Prank, Concept.A, B:Fr, C, H, O, P, QThis macro virus is one of the first in the wild. It infects using File|SaveAs. It displays "1" upon infection. Some variants may have destructive payload or corrupted/snatched macros.WM.HahaWhen doing File|SaveAs, this Concept Variant changes text color to white and inserts "i said: say goodbye to all your stuff (look at that hard drive spin!)" to the document while saving the file 100 times.When doing File|SaveAs, this Concept Variant tries to save a copy of the document in "T:\VIR\." It displays "1" upon infection.WM.ParasiteThis Concept variant has several payload: replace "and" w/ "not"; '.' w/ ','; 'a' w/ 'e' in the document; and displays "Parasite virus 1.0" Variants are by corruption.WM.Concept.CJThis Concept variant has several payload: It sometimes replaces "." with "," and "$" with "S" or password protect a document with "FrazzleFuck_100" or destroy C:\COMMAND.COM, C:\AUTOEXEC.BAT, C:\CONFIG.SYS and C:\MSDOS.SYS.This Italian Concept variant infects while closing document or Tools|Spelling. It displays "1" upon infection. Variants are by corruption or snatched/lost macros.WM.Pheew:NlThis Dutch Concept Variant displays "STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC Final Warning!" Clicking "NO" button will delete files in C:\ & C:\DOS making the system unbootable.WM.BlastCThis Concept Variant shows a welcome message when opening document & "Uh Ohhh. NORMAL.DOT just got infected" when infecting NORMAL.DOT. Variant L tries to delete C:\DELETEME on the 24th.This Concept Variant is an intended virus that spreads manually when user runs the macros XutoOpen.ConceptWhen infecting a document, this variant of the WM.Concept macro virus family randomly password-protects it with random numbers between 1-100. The password is three characters long and uses leading spaces to make up the three characters.WM.DiamondSutraThis variant of WM.Concept redefines AutoCorrect of "teh" into "Shoshi in 1983 is the Sun" It displays message boxes referring to "CTF."WM.MicroSlothThis variant of WM.Concept at random displays "Microsloth - Who do you want to own today?" message box; open 20 new documents; open or delete all all files in current directory; or format disk in drive A.This variant of WM.Concept creates a file C:\foodies.txt which contains useless data. This file should be deleted.This variant of WM.Concept add an advertisement to the end of C:\AUTOEXEC.BAT file. It also creates a C:\WINDOWS\FIREFOX.INI file.WM.Concept.BBThis macro virus is a sub-family of WM.Concept. Its infection mechanism is similar to Concept's. Some variants display a message box when opening document. Others simply have corrupted/snatched macros.This Word97 macro virus has payloads that only work in Windows 98. One of the payload sends an email to the editor of Virus Bulletin.W97M.Ethan.BThis Word97 macro virus uses ETHAN.___ temporary text file while infecting, removes the C:\Class.sys temporary text file that W97M.Class uses, and changes the File Summary Information.W97M.FootPrintIt uses FOOTPRINT.$$$ and FOOTPRINT.$$1 as temporary file while infecting. It also adds "FootPrint1" custom document property to mark its infection.Groovie, IPAttackIt creates DATA.DOT in MS Word startup directory. It is recommended to delete this DATA.DOT file along with C:\groovie.sys, c:\script.sys and c:\ip.txt if they exist.This virus infects MS Word Documents using the Word Basic Macro language. It has two macros: HarkOne, and either AutoOpen or AutoClose.Variant of WM.Johnny that has some corrupted or empty macros. FileSave command may give an error, but the virus still spreads through the FileSaveAs command.This macro virus creats a file in your "XLSTART" folder called "Manalo.xls". You should delete this file.W97M.ThusThis is a macro virus. It infects the global template Normal.dot on opening or closing an infected document.This is a corrupted / modified variant of WM.MDMA. MS Word may displays error messages while closing a document because of the corruption / modification.Word Macrovirus that prints "IMPORTAT NOTTICE!" on Dec 13Npad macro virus variant whose AUTOOPEN macro is partially corrupted. As Npad maintains a counter in WIN.INI file, it may generate an error message after 23 execution when it tries to display a scrolling message.W97M.Opey.B, W97M.Opey.CStandard macrovirus. On certain holidays, it appends a greeting to C:\autoexec.bat. It changes various name setting to "Opey"This Word 97 macro virus spreads its infection on all file access commands within Word: open, close, save, saveas and exit. It changes the user information, and removes any macros (good or bad) when it infects documents.This virus spreads its infection when opened. It drops a file called "FF.sys" in "C:\" directory. You can delete this file.This is a Word macro virus. This virus infects NORMAL.DOT. It infects documents when they are opened. There is no payload contained in this virus.W97M.System.AThis virus is polymorphic. It will try to send it's self to everyone in the address book. It randomly picks string to place in the subject of email. Strings: (1)"version finale" or (2)"Un peu d aide..." or (3)"suggestion..."This is a Word macro virus. It infects when opened.Most variant of this macro virus has corrupted or others' AutoExec as it's SHOW/AUTOEXEC macro. Despite this, the spread occurs since the corrupted macro is not the one which copies the virus to other documents.This is a Word97 macro virus. This virus spreads its infection when a document is open or closed or when a new document is created.This is a Word97 macro virus. This virus spreads its infection when a document is closed or saved or when a new document is created.This is a Word97 macro virus. This virus spreads its infection when a document is open or closed or when a new document is created.W97M.Thus.KThis is a Word97 macro virus. This virus spreads its infection when a document is opened or closed and when a new document is created.W97M.JoyThis Word97 macro virus is a polymorphic virus. It infects the global template with AutoOpen and generates random comment lines within macros. It also display MessageBox and set passwords once awhile.A Word97 macro virus. It infects when you open or close the document.W97M.VMPCK1.GenInfects by exporting INJEKT module as "c:\startup.log", and then importing into new documents. Changes volume label to "testicle". It also display various message boxes..These are modification of macro viruses generated from Swlabs generator. Some of the variants are improperly modified that MS Word will generate Word Basic Err message while opening any document.This encrypted macro virus can infect both Excel 97 and Word 97 files.This polymorphic macro virus infects both Excel 97 and Word 97 files. Variant A displays a message on the 14th after May "I think USER is a a big stupid jerk". Variant B displays encrypted message.This macro virus can infect Excel 97, Word 97, and PowerPoint 97 files.W97M.DBThis is a Word 97 macro virus. On 11/6/2000 or after, it opens 21 documents if you open the infected document. Also closing the infected document, it open another 21.W97M.VMPCK1.BH/BI/BJ W97M.AKRNLThis VMPCK1 generated macro virus infects Word97 files. It adds AKRNL macro module to infected Word document.This VMPCK1 generated macro virus infects Word97 files. It adds AKRNL macro module to infected Word document. It also exports the akrnl module to the file c:\tudiant.cfg.This VMPCK1 generated macro virus infects Word97 files. It adds AKRNL macro module to infected Word document. It also exports the akrnl module to the file c:\tudiant.cfg.WazzuThis virus is one of the most prevalent macro viruses in the wild. It has two payloads: 1) It can move up to 3 words to a random document location and 2) It can insert "Wazzu" or "" into the document.WazzuThis virus is one of the most prevalent macro viruses in the wild. It has two payloads: 1) It can move up to 3 words to a random document location and 2) It can insert "Wazzu" or "" into the document. This version will not replicate.WazzuUnlike other Wazzu variants, this one does not have payload.WazzuWhen opening a document, this variant of the WM.Wazzu macro virus family randomly password-protects it with random numbers or inserts "Only Lucky ONE gets Mad Cow." into the document.WazzuWhen opening a document, this WM.Wazzu variant moves words around or password-protects the document using the filename as the password if the document has more than 2000 words or it is the 15th of the month.This appears to be an unknown variant of a macro virus. Please submit this sample to the Symantec AntiVirus Research Center for analysis, as described in your manual.This file possibly contains viral macros from one or more sets of known macro viruses. Repairing will remove all of these viral macros.This virus infects MS Word Documents using the Macro language. It is most often transmitted via .DOC and .DOT files.This virus infects MS Excel Spreadsheets using the VBA language. It drops EXTRAS.XLS, "Windows Extras.XLS", or "Macintosh Extras" in XLSTART directory. The module name is a random 25 characters, changing with each infection.This virus infect Excel spreadsheets and enables password protection in infected files. The password is GTHOMSON197168 or a number between 197 and 365 inclusive.LarouxThis virus infects MS Excel Spreadsheets using the VBA language. It adds a hidden LAROUX sheet into the Spreadsheet and drops PERSONAL.XLS in XLSTART directory. Scanning XLSTART directory is recommended.XM.LarouxThis virus infects MS Excel Spreadsheets using the VBA language. It adds a hidden LAROUX sheet into the Spreadsheet and drops a file in XLSTART directory. Scanning XLSTART directory is recommended.XM.LarouxThis virus infects MS Excel Spreadsheets using the VBA language. It adds a hidden sheet into the Spreadsheet and drops PERSONAL.XLS in XLSTART directory. Scanning XLSTART directory is recommended.This virus infects MS Excel Spreadsheets using the VBA language. It adds a hidden sheet into the Spreadsheet and drops KKKKK.XLS in XLSTART directory. Scanning XLSTART directory is recommended.Base5874This virus infects MS Excel 97 Spreadsheets using the VBA language. It adds a BASE5874.XLS In XLSTART directory. Removal of BASE5874.XLS is recommended.PaixThis virus infects MS Excel Spreadsheets using Excel formulas (instead of macros). It drops a file XLSHEET.XLA into the XLSTART or WINDOWS directory. Scanning for XLSHEET.XLA is recommended.Paix DamagedThis is a variant of the XF.Paix.A macro virus but it is corrupted and does not replicate.Laroux.CThis virus infects MS Excel Spreadsheets using the VBA language. It is transmitted via .XLS files. It drops a BINV.XLS in XLSTART directory. Removal of BINV.XLS is recommended.XM.PLDTThis virus infects MS Excel Spreadsheets using the VBA language. It adds a hidden PLDT sheet into the Spreadsheet and drops PLDT.XLS in XLSTART directory. Removal of PLDT.XLS is recommended.XM.PLDT XM.Laroux.EThis virus infects MS Excel Spreadsheets using the VBA language. It adds a hidden PLDT sheet into the Spreadsheet and drops a file in XLSTART directory. Scanning XLSTART directory is recommended.XM.LarouxThis virus infects MS Excel Spreadsheets using the VBA language. It adds a hidden sheet into the Spreadsheet and drops PLDT.XLS in XLSTART directory. Removal of PLDT.XLS is recommended.XM.PLDTThis is a MAC version of XM.Laroux.E. See XM.Laroux.E for more details. You also need to scan the XLSTART folder.Laroux.AA LarouxThis virus infects MS Excel Spreadsheets using the VBA language. It is transmitted via .XLS files. It drops a PERSON2.XLS in XLSTART directory. Removal of PERSON2.XLS is recommended.LarouxThis virus infects MS Excel Spreadsheets using the VBA language. It is transmitted via .XLS files. It drops a A-A.XLS in XLSTART directory and creates hidden VIRUS-EDY sheet. Removal of A-A.XLS is recommended.Laroux Laroux.ABThis virus infects MS Excel Spreadsheets using the VBA language. It is transmitted via .XLS files. It drops a PERSONAL2.XLS in XLSTART directory. Removal of PERSONAL2.XLS is recommended.LarouxThis virus infects MS Excel Spreadsheets using the VBA language. It is transmitted via .XLS files. It drops a VACATION.XLS in XLSTART directory. Removal of VACATION.XLS is recommended.LarouxThis virus infects MS Excel Spreadsheets using the VBA language. It is transmitted via .XLS files. It drops MERALCO.XLS in XLSTART directory. Removal of MERALCO.XLS is recommended.LarouxThis virus infects MS Excel Spreadsheets using the VBA language. It is transmitted via .XLS files. It drops a BOOK1.XLS in XLSTART directory. Removal of BOOKn.XLS is recommended (where n = number).LarouxThis virus infects MS Excel Spreadsheets using the VBA language. It is transmitted via .XLS files. It drops CECILIA.XLS in XLSTART directory. Removal of CECILIA.XLS is recommended.LarouxThis virus infects MS Excel Spreadsheets using the VBA language. It is transmitted via .XLS files. It drops a TAYASHIN.XLS in XLSTART directory. Removal of TAYASHIN.XLS is recommended.LarouxThis virus infects MS Excel Spreadsheets using the VBA language. It is transmitted via .XLS files. It drops a HOMGRID.XLS in XLSTART directory. Removal of HOMGRID.XLS is recommended.LarouxThis virus infects MS Excel Spreadsheets using the VBA language. It is transmitted via .XLS files. It drops GAY.XLS in XLSTART directory. Removal of GAY.XLS is recommended.LarouxThis virus infects MS Excel Spreadsheets using the VBA language. It is transmitted via .XLS files. It drops a CAR.XLS in XLSTART directory. Removal of CAR.XLS is recommended.LarouxThis virus infects MS Excel Spreadsheets using the VBA language. It is transmitted via .XLS files. It drops 1.XLS in XLSTART directory. Removal of 1.XLS is recommended.LarouxThis virus infects MS Excel Spreadsheets using the VBA language. It is transmitted via .XLS files. It drops SGV.XLS in XLSTART directory. Removal of SGV.XLS is recommended.LarouxThis virus infects MS Excel Spreadsheets using the VBA language. It is transmitted via .XLS files. It drops WINDOS.XLS in C:\WINDOS directory. Scanning C:\WINDOS directory is recommended.Laroux FOXZThis LAROUX variant uses FOXZ module sheet and drops NEGS.XLS in XLSTART directory. Removal of NEGS.XLS is recommended.LarouxThis LAROUX variant uses VIRUS module sheet and drops CREATIVE.XLS in XLSTART directory. Removal of CREATIVE.XLS is recommended.LarouxThis virus infects MS Excel Spreadsheets using the VBA language. It is transmitted via .XLS files. It drops SING.XLS in XLSTART directory. Removal of SING.XLS is recommended.LarouxThis Laroux variant uses PLDT module sheet. It drops PLDT.XLS in XLSTART directory. Removal of PLDT.XLS is recommended.LarouxThis Laroux variant uses ME module sheet. It drops INFECTED.XLS in XLSTART directory. Removal of INFECTED.XLS is recommended.Laroux, XM.LocasThis Laroux variant uses LOCAS module sheet. It drops VERA.XLS in XLSTART directory. Removal of VERA.XLS is recommended.Laroux.EO Laroux.GE GuyanThis XM.Laroux variant uses GUYAN module sheet. It drops PERSONAL.XLS in XLSTART directory. Scan and repair of PERSONAL.XLS is recommended.Laroux.DRThis Laroux variant uses RESULTS module sheet. It drops RESULTS.XLS in XLSTART directory. Removal of RESULTS.XLS is recommended.This Laroux variant uses the MONCI module sheet and drops DIMON.XLS in XLSTART directory. Removal of DIMON.XLS is recommended.This Laroux variant uses the SGV module sheet. It drops SGV.XLS in XLSTART directory. Removal of SGV.XLS is recommended.This Laroux variant uses SIEMENS module sheet & drops SIEMENS.XLS in XLSTART directory. Removal of SIEMENS.XLS is recommended. At 10am, 12pm, 2pm 3pm and 8pm, it moves cell around and changes cell format.This Laroux variant uses the LAWSON module sheet. It drops D-CVS.XLS in XLSTART directory. Removal of D-CVS.XLS is recommended.XM.BayantelThis virus infects MS Excel Spreadsheets using the VBA language. It adds a hidden BAYANTEL sheet into the Spreadsheet and drops BAYANTEL.XLS in XLSTART directory. Removal of BAYANTEL.XLS is recommended.This virus infects MS Excel Spreadsheets using the VBA language. It adds a hidden MARS sheet into the Spreadsheet and drops PERSONAL.XLS in XLSTART directory. Scanning of PERSONAL.XLS is recommended.This virus infects MS Excel Spreadsheets using the VBA language. It adds a hidden AOLA sheet into the Spreadsheet and drops PERSON.XLS in XLSTART directory. Removal of PERSON.XLS is recommended.This virus infects MS Excel Spreadsheets using the VBA language. It adds a hidden VIRUS sheet into the Spreadsheet and drops VIRUS.XLS in XLSTART directory. Removal of VIRUS.XLS is recommended.X97M.PTHThis virus infects MS Excel Spreadsheets using the VBA language. It adds a hidden PTH sheet into the Spreadsheet and drops PERSONAL.XLS in XLSTART directory. Scanning and repairing PERSONAL.XLS is recommended.This virus infects MS Excel Spreadsheets using the VBA language. It adds a hidden MARS sheet into the Spreadsheet and drops TRIAL.XLS in XLSTART directory. Scanning of TRIAL.XLS is recommended.This Laroux variant uses VODAFONE module sheet & drops PERSONAL.XLS in XLSTART directory. Scanning PERSONAL.XLS is recommended. It adds a footer and change the username to "free Kevin" referring to Kevin MitnickThis Laroux variant uses "BLEQQQ" module. It drops Auto2000.xls in XLSTART directory. Scanning Auto2000.xls is recommended.MajoduckThis Laroux variant uses MAJODUCK_SK_1 module sheet & drops OFFICE_.XLS in XLSTART directory. Deleting OFFICE_.XLS is recommended. At random, it deletes *.B*, *.C*, *.DLL, *.HLP from current directory.This virus infects MS Excel Spreadsheets using the VBA language. It adds a hidden sheet into the Spreadsheet and drops TMN.XLS in XLSTART directory. Scanning XLSTART directory is recommended.This Laroux variant uses "MARS" module. It drops "Personal.xls" in XLSTART directory. Scanning "Personal.xls" is recommended.This virus infects MS Excel Spreadsheets using the VBA language. It adds a hidden sheet into the Spreadsheet and drops PERSONAL.XLS in XLSTART directory. Scanning XLSTART directory is recommended.This virus infects MS Excel Spreadsheets using the VBA language. It adds a hidden sheet into the Spreadsheet and drops PERSONAL.XLS in XLSTART directory. Scanning XLSTART directory is recommended.This virus infects Excel Spreadsheets using the VBA language. This virus has a polymorphic module name and will infect the personal.xls in the startup directory.X97M.XLScan X97M.OverKill VCX.VariantThis variant of X97M.VCX drops a XLSCAN.XLS in XLSTART directory and XLSCAN.386 in \WINDOWS\SYSTEM directory. It also generates many files with VCX or INF extensions in \WINDOWS\SYSTEM directory.AMSES, NOPS, STB, StelbooThe virus is based on published code from a virus tutorial. It does not contain any intentionally damaging code. Starting Windows with the virus resident will dump you to a DOS prompt and leave the system unstable.Jack the RipperWhen active in memory, Ripper will randomly corrupt disk writes. Approximately 1 in every 1,000 disk writes will be affected. The virus contains the encrypted message: "(C) 1992 Jack Ripper"Generic-1The virus checks to see if it has infected a diskette every hour. If it has not infected a diskette in that time, it prints the message "PARITY CHECK" to the screen and hangs the computer. This virus can survive a warm boot.Contains the encrypted messages "Sweden 1994" and "The Junkie Virus - Written in Malmo". The virus contains no intentionally damaging code, but will corrupt .COM files over 64k. It disables the antivirus included with MS-DOS 6.JIMIIn the wild in Europe.2kb, French Boot, Neuville, ToucheThis virus goes resident, but does not destroy anything intentionally. It is highly prolific in Europe.THIS IS NOT A VIRUS. The EICAR Test File is an internationally recognized, non-virus code string included for analysis purposes only. Again, THIS IS NOT A VIRUS.If the Norton AntiVirus reports this infection in a file, this means the Bloodhound (TM) system has analyzed and determined the file exhibits virus- like behavior (i.e. it may contain a new/unknown virus).If the Norton AntiVirus reports this infection on a disk, this means the Bloodhound (TM) system has analyzed and determined the disk exhibits virus- like behavior (i.e. it may contain a new/unknown boot virus).Win32.Champ.5447.bThis virus is a direct infector of Win 95 EXE files. During some infections the virus corrupts the file.W95.Marburg infects Windows 95 EXE files. It infects files in the \Windows and \Windows\System directories. The virus is polymorphic. Infected files are padded so that the filesize will be divisible by 101.W31.NEHeader is a direct infector of NE EXE files. It only replicates when run under DOS.This virus infects Windows PE EXE files. It is a memory resident virus. Infected files grow by 2048 bytes.W95.Tentacle.2048 is a memory resident virus. It infects Windows PE EXE files.This checks the system date, and if the current year is 1999 or later, the main menu bar gets rearranged.This is a Excel 97 macro virus. It creates a file in the "Office\XLSTART" folder called "Base5874.xls". It then uses that file to replicate.This is a Excel 97 macro virus. It creates a file in the "Office\XLSTART" folder called "874.xls". It then uses that file to replicate.The AutoClose macro in this virus is corrupted, but replicates this virus. This is very similar to other MDMA strains.This virus will delete the entire contents of the document if the Tools/Macro menu item is selected, and replace it with a link to a web page about a popular cartoon series.W97M.DWMVCK1/ZMK.GenThis virus is a Word97 macro virus that infects Word97 documents. This virus was created by macro virus generator.This Word97 macro virus which writes its source to a file "c:\Melli.dll" and copies this to new host documents. In the .A variant, on September 11, this virus will replace the word "and" with the word "Melli" on infected systems.W97M.Mailissa.AThis Word97 macro virus tries to email a copy of the infected document using MS Outlook. It tries to send to everyone in MS Outlook address book. In MS Word 2000, it turns security level to low.W97M.MelissaSister W97M.Melissa.CThis is a modified variant of W97M.Melissa.A. The macro module is named MELISSASLITTLESISTER. It also tries to use MS Outlook the way W97M.Melissa.A does.MelissaFXThis modified variant of W97M.Melissa uses a random subject line in the email address. It mails between 30% and 60% of the number of entry in MS Outlook email address book. It also sets the shared property of C drive.MYNAMEISVIRUSThis non-destructive macro virus infects THISDOCUMENT module.W97M.ReplicatorThis virus only replicates using the AutoClose macro. It is harmless.W97M.Nottice.KThis macro virus only replicates, unlike other members of the WM.Nottice family.This virus is similar to WM.Cap. It disables the Tools\Macro and Tools\Customize menu items. It removes all existing macros before infecting.Information on this Windows virus will be available soon.SubSeven Server 2.1, Backdoor.SubSevenThis is a backdoor trojan that creates a security hole unto your system.W32.Mypics.Worm.36352This is a dangerous worm program that spams itself to many people. On year 2000, it will zero out the high byte of your CMOS checksum, and it will try to reformat drive c and drive d.This is a Windows NT Worm. Please refer to our write-up for more information about this virus.This is a virus that infects Windows PE files and Windows Help files. Please refer to our write-up for more information about this virus.This WORM creates c:\windows\links.vbs and c:\windows\system\rundll.vbs. It is written in VB script and user must delete these files.This WORM uses OutLook to send it self to all the addresses in the address entry book. It drops C:\windows\system\rundll.vbs and C:\windows\system\links.vbs files.BubbleBoyThis WORM uses ActiveX to drop UPDATE.HTA into the windows program startup menu. This HTA Script sends out the worm email message using MS Outlook. You should delete the above file.This Worm uses Outlook to send itself to everyone in the Address Book.This Worm uses Outlook to send itself to everyone in the Address Book. It comes as an attachment called resume.txt.vbs. This worm also attempts to download a password stealer.Please visit this website for a more detailed description. http://www.sarc.com/avcenter/venc/data/wscript.kakworm.htmlPlease visit this website for a more detailed description. http://www.sarc.com/avcenter/venc/data/wscript.kakworm.b.htmlChernobyl CIH_SpaceFiller PE_CIHThis virus infects Win 95 EXE files. The virus may cause damage to the user's computer on the 26th of the month. The virus hides itself in unused portions of the host, so the host file size does not change.As part of its infection routine, W32.Weird drops a randomly named file with a size of 10,240 bytes. This file may be safely deleted.Win32.Kriz.3740This virus infects Windows PE EXE files. It has a payload that gets triggered on Dec 25. It will erase the CMOS, attempt to kill the Flash BIOS and overwrite all files on all drives.W95.Kenston infects Windows 95 EXE files. Running an infected program will cause the virus to go memory resident. The virus will then infect any program that is run subsequently.This is a Windows virus. It also has a worm component infected with the same virus that spreads via e-mail. It also patches WSOCK32.DLL.A VBScript script in this file/stream appears to exhibit suspicious behavior.A JavaScript script in this file/stream appears to exhibit suspicious behavior.FLCSS.EXE needs to be deleted. Please refer to this website for a more detailed description of this virus. http://www.symantec.com/avcenter/venc/data/w32.funlove.4099.htmlW32.FunLove.4099 is a new virus that replicates under Windows 95 and Windows NT systems and infects applications with EXE, SCR or OCX extensions.This .VBS worm replicates by mapping to shared network drives and copying itself. It keeps a logfile in the root of C:\ named NETWORK.LOG.This .VBS worm replicates by mapping to shared network drives and copying itself. This worm also drops a Dial-up networking password stealer. The worm keeps a logfile in the root of C:\ named NETWORK.LOG.This .VBS worm replicates by mapping to shared network drives and copying itself. This worm also drops a hacked version of the distributed.net client. The worm keeps a logfile in the root of C:\ named NETWORK.LOG.W32.PrettyParkThis worm comes as "Pretty Park.EXE" in email. You need to restore a registry entry as shown in: http://www.symantec.com/avcenter/venc/data/prettypark.worm.htmlThis is a Win32 companion virus with ability to spread over the network and also create a backdoor.I-Worm.HappyThis worm modifies WSOCK32.DLL to send itself as attachment when a posting is made to USENET or MAIL. Delete SKA.EXE and SKA.DLL in WINDOWS\SYSTEM folder and replace WSOCK32.DLL with WSOCK32.SKA in WINDOWS\SYSTEM folder.AOL Password Stealer BuddyList.TrojanIn WIN.INI, remove c:\...\RegistryReminder.exe from RUN= ; c:\...\BuddyList.exe from LOAD=. In SYSTEM.INI, remove SCRNSAVE.EXE=c:\...\WinSaver.exe Use REGEDIT to search & remove "WinProfile"="C:\Command.exe" from Registry.