| Name: MDMA Virus
 Type:Word Macro Virus
 Description:
 
The MDMA macro virus consists of a single macro, AutoClose. It
infects under all versions of WinWord 6.0 and above; i.e., both Mac and
PC platforms.
 
On the 1st of any month activates its payload. The payload depends on the 
platform. 
 
 
On Macs, the virus intends to delete all files in the current
folder. Due to a bug, a syntax error occurs and no damage is done.
On WinNT, the virus deletes all files in the current directory and
the file c:\shmk.
On Windows 3.1, the virus deletes the file c:\shmk and overwrites
C:\AUTOEXEC.BAT with the following commands:
	@echo off
	deltree /y c:
	@echo You have just been phucked over by a virus
 
On Win95, the virus deletes the files c:\shmk, c:\windows\*.hlp, and
c:\windows\system\*.cpl and sets in the Registry the Accessibility
options Stickykeys and HighContrast to ON, and the execution of login
scripts during network logon to OFF. Due to a bug, it doesn't succeed in
setting the HighContrast option.
 
After performing one of the above actions, the virus displays a message box
with the following contents:
 
You are infected with MDMA_DMV. 
Brought to you by MDMA (Many Delinquent Modern Anarchists). 
This analysis was based on information provided by Vesselin Bontchev, Frisk
Software.
 
 |