Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically


This is a polymorphic, encrypted virus using “stealth” techniques. It spreads in the environments of MS Word version 7. In fact almost the whole body of the (macro) virus is stored outside the macro area in the item of AutoText under the name that is polymorphic in each next generation. After they are attacked by the virus the infected documents contain an encrypted macro of the virus with name AutoOpen. The virus marks each already infected document by creating a variable of the document with the name “A” and stores the polymorphic text with length varying from 4 to 6 characters into it. After the infection there are encrypted macros of the virus with names FileSave and ToolsMacro in the global template (NORMAL.DOT). Both these macros are identical (they have the same contents). The average length of macros (of their binary representation) is about 340 bytes but depending on the random numbers generator it may start already from 200 bytes. Infection of the global template takes place automatically when a document infected by this virus is opened. When the global template is infected the virus attacks a document at each write. If a document or global template already contains macros with names identical with names of virus macros the infection will not take place. A polymorphic macro has varying names of variables, flags, items of AutoText, in short of everything what the virus uses. Length of polymorphic names is from 4 to 6 characters. Its polymorphism is on such a high level that more complicated commands of Word Basic are permutated. This virus is the first that uses this technology. Generator of polymorphic macros randomly enters so called “empty commands” to random location of the macro body. Some of the following empty commands may be used, i.e. a line with such command is entered into macro:

  • with linking a random number to the polymorphic variable
  • with linking a random string of characters to the polymorphic variable
  • so called commentary line with polymorphic contents
  • entering of an empty line
  • linking a value of function RND() or NOW() to polymorphic variable

In the macro of the virus may or may not be present one of the following two lines:

REM (c) Nasty Lamer & Ugly Luser, Slovakia
REM Do not forget: SlovakDictator is mother of all macro viruses of the new generation !

The virus does not contain any destructive code. Instead of that it alters the set name of the program MS Word user to Nasty and initials to Ugly. A user of the file infected by this virus has to face an unpleasant fact that as the result of the implemented “stealth” technology some menu items in the MS Word environment will be inaccessible for him.

© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.