Name: MDMA Virus
Type:Word Macro Virus
The MDMA macro virus consists of a single macro, AutoClose. It
infects under all versions of WinWord 6.0 and above; i.e., both Mac and
On the 1st of any month activates its payload. The payload depends on the
- On Macs, the virus intends to delete all files in the current
folder. Due to a bug, a syntax error occurs and no damage is done.
- On WinNT, the virus deletes all files in the current directory and
the file c:\shmk.
- On Windows 3.1, the virus deletes the file c:\shmk and overwrites
C:\AUTOEXEC.BAT with the following commands:
deltree /y c:
@echo You have just been phucked over by a virus
- On Win95, the virus deletes the files c:\shmk, c:\windows\*.hlp, and
c:\windows\system\*.cpl and sets in the Registry the Accessibility
options Stickykeys and HighContrast to ON, and the execution of login
scripts during network logon to OFF. Due to a bug, it doesn't succeed in
setting the HighContrast option.
After performing one of the above actions, the virus displays a message box
with the following contents:
You are infected with MDMA_DMV.
Brought to you by MDMA (Many Delinquent Modern Anarchists).
This analysis was based on information provided by Vesselin Bontchev, Frisk