Threat Description

Bandung

Details

Category: Malware
Platform: W32
Aliases: Bandung

Summary


For background information on Word macro viruses, see the Concept virus.

WordMacro/Bandung consists of six macros: AutoExec, AutoOpen, FileSave, FileSaveAs, ToolsMacro and ToolsCustomize. The virus is language dependent, i.e. it is able to spread only under the English version of Microsoft Word. The macros are not encrypted, but they can NOT be viewed from the Tools/Macro menu, since the virus replaces that menu command with its own macro.

After the 19th of every month, when the time is after 10:00, the virus activates. At this time, it displays a dialog which says:

         Reading menu...Please wait !  

After this the virus deletes most of the files on drive C: and creates a file called C:\PESAN.TXT with the following text in it:

   Anda rupanya sedang sial, semua file di mesin ini kecuali yang berada   di direktori WINDOWS dan WINWORD telah hilang, jangan kaget, ini   bukan ulah Anda, tapi ini hasil pekerjaan saya...Barang siapa yang   berhasil menemukan cara menangkal virus ini, saya aka" + "n memberi   listing virus ini untuk Anda !!! Dan tentu saja saya akan terus   datang kesini untuk memberi Anda salam dengan virus-virus terbaru   dari saya...selamat ! Bandung, Tueday, 26 November 1996, Jam: 11:24.  

This text is in Indonesian. In English it reads:

   It seems that you are having bad luck, all files in this machine   except those in WINDOWS and WINWORD directories have been lost.   Don't be surprised, it's not caused by your work, but mine... I will   send the listing of this virus to whoever successfully creates the   antivirus for it!!! And of course I will keep coming here to greet   you with my newest viruses. Congratulations! Bandung, Tuesday,   November 26, 1996, 11:24 AM.  

The virus also has code to replace all 'a' letters in the current document with this string: '#@'.

The virus might have been written by the same author as the Npad virus.

In addition to being in the wild in Asia, Bandung was also found in Norway in November 1996.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on scanning or removal options is available in the documentation for your F-Secure security product on the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

For further assistance, F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.







Description Details: Mikko Hypponen, F-Secure; Translation: Iwan Muljadani (daydream@indosat.net.id)

