| Description:
|
Details
Macro.Word.Uhrjap family
These macro viruses contain different number of macros:
"Uhrjap.a": one, DelNew, autoopen, autoclose, normclose
"Uhrjap.b": Eee, autoclose, ToolsMacro, FileTemplates, ToolsCustomize,
Oao, autoopen.
They infect the global macros area on opening an infected document. Other documents get infection on closing.
"Uhrjap.b" is the stealth virus: on entering the Tools/Macro, Tools/Customize or File/Templates menus the virus removes its macros from a document, and as a result its code is not visible in macro viewing menus.
The viruses have destructive payload. "Uhrjap.a" on each 20'th opening starts a procedure that every 10 minutes counts the characters in the document. If the count it the same (haven't changes during 10 minutes), the virus renames all files in the root directory and first level directories on the C:, D: and E: drives with the names "~TLPxxx.TMP", where "xxx" is ordinal number of file in a directory. The virus also runs this renaming procedure with probability 2% on any document opening.
The "Uhrjap.b" virus on document opening or closing with probability 1/30 saves document with new password "uhrjap-uhrjap", or prints document, or deletes from document all space characters and replaces all digits with the "#" character. It also with probability 1/50 activates its payload procedure that is similar with "Uhrjap.a" virus: it renames all files in the root directory and first level directories on the C:, D: and E: drives with the name "~037xxx.TMP" where "xxx" is ordinal number of file in a directory. |
