| Description:
|
Details
Macro.Word97.Spooky
This macro-virus contains one macro Document_Close, and spreads on document closing.
While infecting the global macros area (NORMAL.DOT), the virus appends to the end of its code the additional information about the current user: system date and time, UserName and UserAddress. On the1st of each month, the virus saves this information to the HSF.SYS file (where "number" is a randomly generated number), then sends this file by FTP client under "user anonymous" to the incoming directory on the ftp server with the address 209.201.88.110. It seems that this address can be accessed by the virus writer that will get information about the speed of virus spreading.
The virus code contains the ID-strings:
<- this is a marker!
Logfile -->
Spooky.d (Caligula)
On the 1st run on a computer, the virus searches on the disk for a SECRING.SKR file containing PGP private keys. Then it sends this file by FTP client under "user anonymous" to the incoming directory on the ftp server with the address 209.201.88.110.
On the 1st of each month, the virus displays the message:
WM97/Caligula (c) Opic [CodeBreakers 1998]
No cia,
No nsa,
No satellite,
Could map our veins.
The virus also changes Summary Info of documents:
Author Opic
Title WM97/Caligula Infection
Subject A Study In Espionage Enabled Viruses.
Comments The Best Security Is Knowing The Other Guy Hasn't Got Any.
Keywords Caligula, Opic, CodeBreakers |
