antivirusprotection

Technical details:
This is the second macro-virus that also has pretensions to be The Number One in the “Macro.Visio” family. This virus is more complex than Macro.Visio.Radiant - it uses encryption and special tricks to hide its body in infected files.
The virus infects Visio documents, and stencils and templates upon opening an infected document. It enumerates all opened documents, stencils and templates and infects them by coping the virus body into them. To mark already infected documents, the virus writes “Visio2k.Unstable” into their description and does not infect documents with such a mark.
To hide itself, the virus closes all opened widows in the VBA editor, disables Visual Basic Editor’s menus and “Standard” toolbar. In case a user tries to edit the macros inside infected documents, he/she will see just the empty editor’s main window without any menus, toolbars and child windows.
The virus has a payload that triggers on the 31st, and it displays the message:
Visio2000.Unstable
Unstable, it’s hard to be the one who’s strong
Who’s always got a shoulder to cry on
Who’s got a shoulder for me?
The virus contains three procedures in module “ThisDocument” - “Document_DocumentOpened()”, “Unstable()” and “ci()”. Inside infected documents second procedure is unreadable because of encryption. The virus decrypts this procedure only just before its call.

Trackback URI |