Macro.Word.OutLa Viruses Information

Name: Macro.Word.OutLa
Category: Viruses
Description: Details
Macro.Word.OutLaw

These are semi-polymorphic macro viruses: when infecting a file they copy their three macros under randomly selected names, so there is no fixed set of macro names in infected files or in NORMAL.DOT.
To implement this semi-polymorphism the virus uses the system random counter and timer. When selecting a new macro name, the virus sets the first letter according to the current hour (1 - 'A', 2 - 'B', 3 - 'C' and so on) and then appends four randomly selected digits. As a result, the names look like O8493, O7920, O9259 or M8064, M8908, M8151.
Other versions of this virus may use other schemes to build the names. "Outlaw.Goodbye" also starts the macro names according to the current hour, but uses a different set of letters: 1 - 'AZ', 2 - 'BY', 3 - 'CX', and so on.
The virus contains no auto-macros. To get control it assigns its macros to keystrokes: the SPACE key runs the macro that infects the global macro area, and the 'E' key runs the macro that infects the current document.
To get the name of the current macro while copying it, and to run its payload macro, the virus uses two methods. To get the names from a document, the virus creates three variables in the document (VirNameDoc, VirName, VirNamePayload) and saves the current names there while infecting. When needed, it reads the names back from these variables.
To get the names in the case of NORMAL.DOT (the global macro area), the virus creates three records containing the current names in the System Profile (WIN.INI file) in the [Intl] section. These strings are:
[Intl]
Name=
Name2=
Name3=

On January 20 the original "Outlaw" virus runs its trigger routine. Under Windows95, and depending on several other conditions, the virus plays a sound: it drops a LAUGH.WAV file and plays it (the file contains recorded laughter). The virus also inserts the following strings into the current document:
You are infected with
Outlaw
A virus from Nightmare Joker

There is an encrypted variant of the original "Outlaw": the "Outlaw.b" virus.
"Outlaw.Black" contains two macros with random 8-letter names (for example DIJRCJCY, DOFYBPIT). This virus displays a message box:
BlackKnight

"Outlaw.Goodbye" is encrypted and, in addition to three randomly named macros, contains two "stealth" macros: ToolsMacro and ExtrasMakro. When the Tools/Macro menu is selected, the virus shows "dummy" menus and displays error messages in the same way the Magnum virus does.
On October 10 this virus drops and runs the "VLAD.Goodbye" DOS virus, creates a new template and writes the following text to it:
You are infected with the MooNRaiDer Virus!
Greetings to all members of Vlad!
I hope that's not the end!
The scene would be to boring without this very good group!
Nightmare Joker

This virus then creates a System Profile section (WIN.INI file):
[Vlad]
Goodbye=Yes
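
The WIN.INI records described above (the three name entries in [Intl] and the [Vlad] marker) can be checked for when triaging an old system. The following is an added example, not part of the original description: the function names, finding labels and sample file are constructed, and the name pattern assumes the "one letter plus four digits" scheme of the original variant.

```python
import re

# Assumption: original Outlaw names are one hour letter plus four digits (e.g. O8493).
NAME_RE = re.compile(r"^[A-Z]\d{4}$")
INTL_KEYS = ("name", "name2", "name3")

def parse_ini(text):
    """Minimal case-insensitive INI reader: {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
    return sections

def scan_win_ini(text):
    """Return findings for the WIN.INI artifacts described on this page."""
    ini = parse_ini(text)
    findings = []
    intl = ini.get("intl", {})
    # All three name records must be present to count as the [Intl] artifact.
    if all(k in intl for k in INTL_KEYS):
        scheme = all(NAME_RE.match(intl[k]) for k in INTL_KEYS)
        findings.append("intl-names:" + ("hour-digit-scheme" if scheme else "other-scheme"))
    if ini.get("vlad", {}).get("goodbye", "").lower() == "yes":
        findings.append("vlad-goodbye")
    return findings

# Constructed sample input, not taken from a real infected system.
SAMPLE = """[windows]
load=
[Intl]
sCountry=United States
Name=O8493
Name2=O7920
Name3=O9259
[Vlad]
Goodbye=Yes
"""

if __name__ == "__main__":
    print(scan_win_ini(SAMPLE))
```

A hit on the [Intl] records only shows that NORMAL.DOT was infected at some point; the template itself still has to be inspected for the randomly named macros.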




© 2006-2008 spyware32.com - Privacy Policy