VirusWM/Npad.A
Analysis
- Viral consists of a single macro and is infectious
in the Word6/7 environment
- Virus hooks the Word event handler which prevents
the opening of infected documents
- Virus creates or modifies an entry in the WIN.INI
in the section [Compatibility] with a counter value;
on the first infection, the value may look like this
-
[Compatibility]
NPAD328=1And after each infection or running of the macro, the NPAD counter is incremented by one; when the counter reaches 23, the virus displays this text in the Status bar in Word, and resets the counter to zero -
" D0EUNPAD94, v.2.21, (c) Maret 1996, Bandung, Indonesia"
-
Virus name is derived from a comment line near the top of the virus code -
'D0EUNPAD94, v.2.21, (c) Maret 1996, Bandung, Indonesia
'Macro MsWord virus, multiplatform, multi versi
