Jun 20 2007
Aliases:
Trojan-Downloader.JS.Weis.b (Kaspersky Lab) is also known as: TrojanDownloader.JS.Weis.b (Kaspersky Lab), VBS/Psyme (McAfee), Downloader.Trojan (Symantec), JS/Psyme (Grisoft), Exploit.ADODB.Stream.Gen (SOFTWIN), VBS/TrojanDownloader.Psyme.NAF (Eset)
Description added: May 10 2007
Behavior: TrojanDownloader
Technical details:
This is a Trojan downloader program. It is written in JavaScript. It can be found on web pages.
Payload:
The Trojan uses Microsoft.XMLHTTP to download a file from an address that is passed to it as a parameter. The downloaded file is saved with ADODB.Stream to C:\Program Files\Internet Explorer\
The file is then launched for execution by a function that varies with the version of Windows.
Removal instructions:
-Delete the page containing the malicious code, if it was launched from a local resource.
-Update your antivirus databases and perform a full scan of the computer.
Jun 13 2007
Technical details:
This is the second macro virus in the “Macro.Visio” family, and like its predecessor it has pretensions to be The Number One. It is more complex than Macro.Visio.Radiant: it uses encryption and special tricks to hide its body in infected files.
The virus infects Visio documents, stencils and templates when an infected document is opened. It enumerates all open documents, stencils and templates and infects them by copying the virus body into them. To mark documents that are already infected, the virus writes “Visio2k.Unstable” into their description and does not infect documents that carry this mark.
To hide itself, the virus closes all open windows in the VBA editor and disables the Visual Basic Editor’s menus and “Standard” toolbar. If a user tries to edit the macros inside an infected document, he/she sees only the editor’s empty main window, without any menus, toolbars or child windows.
The virus has a payload that triggers on the 31st of the month and displays the message:
Visio2000.Unstable
Unstable, it’s hard to be the one who’s strong
Who’s always got a shoulder to cry on
Who’s got a shoulder for me?
The virus contains three procedures in the module “ThisDocument”: “Document_DocumentOpened()”, “Unstable()” and “ci()”. In infected documents the second procedure is unreadable because it is stored encrypted; the virus decrypts it only just before calling it.
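Both entries above describe behaviour that can be turned into a content heuristic: the JavaScript downloader relies on Microsoft.XMLHTTP and ADODB.Stream together and drops its file under the Internet Explorer program directory, and the Visio virus leaves the “Visio2k.Unstable” marker and installs a Document_DocumentOpened() procedure. The following is an added example, not Kaspersky's code or a signature from any product: a small co-occurrence matcher that fires only when all indicators of a rule are present, so that a single legitimate use of Microsoft.XMLHTTP (ordinary old-IE AJAX) is not flagged on its own. The rule names and all sample inputs are constructed for illustration and contain only the indicator strings, not working malware.

```python
# Added example (not Kaspersky's code): a co-occurrence indicator matcher built
# from the behaviour described in the two entries above. All rule names and
# sample inputs are constructed for illustration.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    # Every pattern in `required` must match at least once for the rule to fire.
    # Requiring co-occurrence is what keeps a lone legitimate use of
    # Microsoft.XMLHTTP (pre-XMLHttpRequest AJAX) from being flagged by itself.
    required: tuple


RULES = (
    # JS downloader described in the first entry: fetches via Microsoft.XMLHTTP,
    # writes the file with ADODB.Stream, drops it under the IE program directory.
    Rule("js-downloader-xmlhttp-adodb-iedir", (
        r"Microsoft\.XMLHTTP",
        r"ADODB\.Stream",
        r"Program Files\\+Internet Explorer",
    )),
    # Visio macro virus described in the second entry: the infection marker
    # string plus the auto-run procedure it installs in ThisDocument.
    Rule("visio-macro-unstable-marker", (
        r"Visio2k\.Unstable",
        r"\bSub\s+Document_DocumentOpened\s*\(",
    )),
)


def scan(text: str) -> list:
    """Return the names of every rule whose required patterns all occur in text."""
    hits = []
    for rule in RULES:
        if all(re.search(pat, text, re.IGNORECASE) for pat in rule.required):
            hits.append(rule.name)
    return hits


def scan_many(samples: dict) -> dict:
    """Scan a mapping of label -> content; keep only the labels that produced hits."""
    results = {}
    for label, content in samples.items():
        hits = scan(content)
        if hits:
            results[label] = hits
    return results


# Constructed samples (not real malware): only the indicator strings are present.
BENIGN_AJAX = r'''
<script>
  // ordinary AJAX on old IE: one indicator alone is normal
  var req = new ActiveXObject("Microsoft.XMLHTTP");
  req.open("GET", "/api/status", true);
</script>
'''

SUSPICIOUS_PAGE = r'''
<script>
  var x = new ActiveXObject("Microsoft.XMLHTTP");
  var s = new ActiveXObject("ADODB.Stream");
  var dropDir = "C:\\Program Files\\Internet Explorer\\";
</script>
'''

VISIO_MODULE = r'''
' VBA module text as it might be exported from a Visio document
Private Sub Document_DocumentOpened()
End Sub
' marker the virus writes into the document description
' Visio2k.Unstable
'''


if __name__ == "__main__":
    samples = {
        "benign_ajax": BENIGN_AJAX,
        "suspicious_page": SUSPICIOUS_PAGE,
        "visio_module": VISIO_MODULE,
    }
    for label, hits in scan_many(samples).items():
        print(label, "->", hits)
```

The path pattern allows one or more backslashes so it matches both the literal path and the doubled form it takes inside a JavaScript string; for real triage the same rules would be run over script bodies after any unescaping or decoding, since downloaders of this kind are frequently obfuscated and the indicator strings only appear once the page is decoded.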