Selected viruses, spyware, and other threats: sorted alphabetically
W97M/Twopey.H
W97M/Twopey.H is a macro virus that infects Microsoft Word 97 documents. It uses the "class" infection method, attacking the "ThisDocument" module normally present in every Word document or Word template. It infects the global normal.dot template and Word documents. Infection is indicated by the presence of the module ThugSting in the global template.
W97M/Twopey.H infects when documents are opened or closed, or when Word is closed. When infecting a document, W97M/Twopey.H modifies the document properties. It changes the name of the document to TrugSting Phil., the subject to miss u so much! and the author to CbrHck. Keywords are set to dcpe, and the comments contain the text Jonalyn Villacastin of Butuan City, Philippines, "I DO LOVE YOU", very much... -TAKE A BUNCH OF CARE!.
It uses the file thugfile.txt to export its body. W97M/Twopey.H deactivates Word's antivirus protection and suppresses the warning messages shown when writing to the template or converting macros. It also deletes the Word menu items Tools/Macro and Tools/Customize, and prevents access to Visual Basic. The virus also disables the shortcut keys ALT-F8 (Tools/Macro/Macros) and ALT-F11 (Tools/Macro/Visual Basic Editor).
The virus contains a destructive activation routine that overwrites the c:\autoexec.bat file on the 22nd day of any month. The modified autoexec.bat erases the following files after the operating system is restarted:
c:\io.sys
c:\windows\command\attrib.exe
c:\windows\command\find.exe
C:\Windows\mplayer.exe
C:\Windows\EMM386.exe
C:\Windows\explorer.exe
C:\Windows\scandskw.exe
C:\Windows\rundll.exe
C:\Windows\rundll32.exe
C:\Windows\net.exe
The virus also renames the files c:\windows\system.ini to c:\windows\system.cbr.hck, c:\windows\win.ini to c:\windows\win.cbr.hck and c:\windows\win.com to win.rub.cbr.hck. It then displays the following text:
Runtime Error:018 Unable to Allocate System File
Please RESTART you Computer
Press any key to continue...
It then clears the screen and displays the following text:
Infected with: TrugSting Virus
Press any key to continue...
The virus also contains a second activation routine that, on the 18th day of any month, creates the file c:\TrugSting.msg.txt containing the following text:
FR: TrugSting with Love!
TO: Infected Computer
People around the World [ - PEACE BE WITH US ALWAYS - ]
TrugSting revision
The bugs created merely to updated your system into a higher version.
Windows 95,98 users are the system most commonly infected.
For your patronage
-PLEASE UPDATE YOUR SYSTEM-
A great advice from CbrHck.IHABAE0D /Manila, Philippines
Also dedicated to: ALL FILIPINO PROGRAMMERS
More thanks to Johnalyn
TrugSting "syscruncher" by: CbrHck
The following code are more confident.
IHABAE-0D-APPED
CbrHck.Virugoer.(c)12.12.02
NOD32 detects this virus heuristically, without requiring an update. Sample-based detection was added in version 1.528.
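A triage check built from the file-system traces described above, as an added example (not ESET's code): it walks a mounted copy of the C: volume, matches names case-insensitively, and reports which traces of the two activation routines are present. The function names and the constructed sample tree are assumptions; the directories of thugfile.txt and win.rub.cbr.hck are not stated above, so those two are matched by file name only.

```python
import os
import tempfile

# Indicators taken from the description above; paths are relative to the C: root.
DROPPED = ["trugsting.msg.txt"]                    # created on the 18th
RENAMED = ["windows/system.cbr.hck", "windows/win.cbr.hck"]
BY_NAME = ["win.rub.cbr.hck", "thugfile.txt"]      # directory not stated on the page
ERASED = ["io.sys", "windows/command/attrib.exe", "windows/command/find.exe",
          "windows/mplayer.exe", "windows/emm386.exe", "windows/explorer.exe",
          "windows/scandskw.exe", "windows/rundll.exe", "windows/rundll32.exe",
          "windows/net.exe"]


def index_tree(root):
    """Return lower-cased relative paths and base names of every file under root."""
    paths, names = set(), set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            paths.add(rel.replace(os.sep, "/").lower())
            names.add(name.lower())
    return paths, names


def triage(root):
    """Report which Twopey.H payload traces are present in a mounted volume."""
    paths, names = index_tree(root)
    found = [p for p in DROPPED + RENAMED if p in paths]
    found += [n for n in BY_NAME if n in names]
    # Missing system files only mean something on a volume that held Windows 9x.
    has_windows = any(p.startswith("windows/") for p in paths)
    missing = [p for p in ERASED if p not in paths] if has_windows else []
    day22 = any(p in found for p in RENAMED) and len(missing) == len(ERASED)
    return {"present": found, "missing": missing, "day22_likely": day22}


def build_sample(root):
    """Constructed sample: a C: tree as left behind by both activation routines."""
    for rel in ["WINDOWS/SYSTEM.CBR.HCK", "WINDOWS/WIN.CBR.HCK",
                "WINDOWS/notepad.exe", "AUTOEXEC.BAT", "TrugSting.msg.txt"]:
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(triage(tmp))
```

Point triage() at the mount point of a read-only image rather than a live system; the "missing" list is left empty when no windows directory exists, so non-Windows volumes do not raise false alarms.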
© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.

