Antisocial.E is an encrypted Word 97 virus that contains Melissa
like code. The virus consists of two parts - one small decrypting
code and an encrypted code that contains the replicating part,
Visual Basic Script and the mass mailing part.
When an infected document is opened, the virus first decrypts
itself, infects the global template and encrypts back. Further
the virus replicates in all opened documents.
During the infection of the global template Antisocial.E drops
two files on the root of C: drive. The first file C:\SS.BAS
contains the encrypted virus code. The second file C:\SS.VBS is a
Visual Basic Script. If executed it will open MS Word Application
and will infect it by adding its code from the SS.BAS file.
Visual Basic Script can be run if WSH (Windows Script Host) is
installed. This is by default in Windows 98. To ensure that the
Visual Basic Script is executed the virus changes Windows
registry on such a way that next time when the computer is
rebooted it will infect MS Word. After disinfection of the macro
virus it is important to remove the SS.BAS file and the Visual
Basic Script SS.VBS as well. Otherwise the virus will reinfect
the system from the dropper C:\SS.VBS.
The encrypted part of the virus code contains also Melissa like
code. First time when the virus infects a system it sends a
message using MS Outlook Application to first 60 recipients
listed in each users address book. The message looks as follow:
From: (name of infected user)
Subject: Important Message From (name of infected user)
Body: "Look what I found..."
To: (60 names from alias list)
Attachments: Active infected document
After that Antisocila.E changes Windows registry settings
inserting a key "Sixtieth Skeptic" with a value "Where's Jamie?".
Later it checks this value and do not spreads via email anymore
on the same system.
Currently there is no reports for this virus to be in the wild.
[Analysis: Katrin Tocheva, F-Secure]
