Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically


This is the first known virus of Slovak origin, and it has several remarkable features. The virus contains a single macro, AutoClose, which is not encrypted. The virus is polymorphic, with a variable length of 14 to 16 kB. It can spread only in English versions of Microsoft Word 7.x. Infection takes place when a document infected by the virus is closed. The virus does not infect the global template or the document being closed if they already contain an AutoClose macro.

The virus is consistently polymorphic and internally encrypted: all names of functions, subprograms, variables, constants and flags in the body are polymorphic. The substantial part of the virus, i.e. its source lines in Word Basic, is encrypted, and each new virus generation is encrypted with a different value. When spreading, the virus first creates a new macro with a random name and writes its whole decrypted body into it. It then changes the names of all variables, subprograms, functions and flags, generating random names 10 to 19 characters long for them (which also explains the variable length of the virus macro). Finally, the virus internally encrypts a substantial part of its body using a random constant value that is changed for each virus generation. Even before that, the virus also alters some names in this encrypted part. The whole virus was written with the intention of making its detection as difficult as possible.

The virus does not contain any destructive code, but on the 4th and 11th day of each month it reveals its presence by displaying the following text:

You're infected by WordMacro.SlovakDictator virus Welcome to the LME (Lamer's Macro Engine) ver. 1.00 Dis is Level 421 (c) 1-mar-97, Nasty Lamer & Ugly Luser, Slovakia Dis is the first world true polymorphic macro virus !
Big fuck to the big boxer V.M Accept/Suhlas

The virus was given the name “Slow” because of the unbelievably slow process of infecting documents, which sometimes takes more than 10 seconds.
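The renaming layer described above defeats a fixed-string signature, but not a comparison of code structure. The following is an added example, not part of the original entry and not ESET's detection method: it renames identifiers by order of first use and collapses literals, so two generations that differ only in names and constants produce the same fingerprint. The keyword list, the sample macros (constructed and harmless) and the assumption that per-generation data appears as literals are all illustrative.

```python
import hashlib
import re

# WordBasic words kept verbatim (small assumed subset, not a full keyword list).
KEYWORDS = {"sub", "end", "function", "main", "dim", "if", "then", "else",
            "for", "to", "next", "while", "wend", "goto", "len", "mid$",
            "chr$", "asc", "msgbox"}
TOKEN = re.compile(r'"[^"]*"|[A-Za-z_][A-Za-z0-9_]*\$?|\d+|\S')

def normalize(source):
    """Rename identifiers by order of first use and collapse literals."""
    names, lines = {}, []
    for line in source.splitlines():
        out = []
        for tok in TOKEN.findall(line):
            low = tok.lower()
            if tok.startswith('"'):
                out.append("STR")   # assumed: encrypted data differs per generation
            elif tok.isdigit():
                out.append("NUM")   # assumed: so does the encryption constant
            elif tok[0].isalpha() or tok[0] == "_":
                if low in KEYWORDS:
                    out.append(low)
                else:               # random 10-19 character name -> stable placeholder
                    out.append(names.setdefault(low, f"ID{len(names)}"))
            else:
                out.append(tok)
        if out:
            lines.append(" ".join(out))
    return "\n".join(lines)

def fingerprint(source):
    """SHA-256 over the normalized token stream."""
    return hashlib.sha256(normalize(source).encode()).hexdigest()

# Constructed, harmless samples: same structure, different names and constants.
GEN_A = """Sub MAIN
Dim qwhzkfpdmxavt$
qwhzkfpdmxavt$ = "kdjfhqpe"
vjtmxoaqkcnzelrw = 37
For rbnclwyeoqhgsu = 1 To Len(qwhzkfpdmxavt$)
Next rbnclwyeoqhgsu
End Sub"""
GEN_B = (GEN_A.replace("qwhzkfpdmxavt", "mzoeqxnvbtkajhdgys")
              .replace("vjtmxoaqkcnzelrw", "ghbnwqzytcmaeruk")
              .replace("rbnclwyeoqhgsu", "pfuwlcirxkod")
              .replace("kdjfhqpe", "zzrtplqa").replace("37", "112"))
OTHER = 'Sub MAIN\nMsgBox "hello"\nEnd Sub'
```

A structural fingerprint of this kind covers only the part of a macro that is readable as source; the encrypted portion would have to be decrypted before it could be compared.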

© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.