Antisocial

Classification

Category: Malware

Type: Virus

Platform: W97M

Aliases: Antisocial, Antisocial.E

Summary

Antisocial.E is an encrypted Word 97 virus that contains Melissa-like code. The virus consists of two parts: a small decryption routine, and an encrypted body that contains the replicating part, a Visual Basic Script and the mass-mailing part.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

When an infected document is opened, the virus first decrypts itself, infects the global template and then re-encrypts itself. After that, the virus replicates to all opened documents.

During the infection of the global template, Antisocial.E drops two files in the root of the C: drive. The first file, C:\SS.BAS, contains the encrypted virus code. The second file, C:\SS.VBS, is a Visual Basic Script. If executed, it opens the MS Word application and infects it by adding the virus code from the SS.BAS file. The Visual Basic Script can run only if WSH (Windows Script Host) is installed, which is the default in Windows 98. To ensure that the Visual Basic Script is executed, the virus changes the Windows registry in such a way that the next time the computer is rebooted, it will infect MS Word.

After disinfection of the macro virus, it is important to remove the SS.BAS file and the Visual Basic Script SS.VBS as well. Otherwise the virus will reinfect the system from the dropper C:\SS.VBS.

The encrypted part of the virus code also contains Melissa-like code. The first time the virus infects a system, it uses the MS Outlook application to send a message to the first 60 recipients listed in each of the user's address books. The message looks as follows:

From: (name of infected user)
Subject: Important Message From (name of infected user)
Body: "Look what I found..."
To: (60 names from alias list)
Attachments: Active infected document

After that, Antisocial.E changes the Windows registry settings, inserting a key "Sixtieth Skeptic" with a value "Where's Jamie?". Later it checks this value and does not spread via email again on the same system.
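A post-disinfection check for the leftovers described above, as an added example that is not F-Secure's code: it looks for SS.BAS and SS.VBS in the root of a mounted volume and scans the text of a registry export for the "Sixtieth Skeptic" marker or any value that references SS.VBS. The description does not say where in the registry the virus writes, so the whole export is scanned; the function names and the sample export (including its placeholder key paths) are assumptions made for illustration.

```python
import os
import re

DROPPED = {"ss.bas", "ss.vbs"}   # C:\SS.BAS and C:\SS.VBS, named in the description
MARKER = "sixtieth skeptic"      # registry marker named in the description
VALUE_RE = re.compile(r'^(?:@|"(?P<name>(?:[^"\\]|\\.)*)")=(?P<data>.*)$')

# Constructed sample export; the key paths are placeholders, not real locations.
SAMPLE_REG = r'''REGEDIT4

[HKEY_PLACEHOLDER\StartupKey]
"Example"="C:\\SS.VBS"

[HKEY_PLACEHOLDER\SomeKey]
"Sixtieth Skeptic"="Where's Jamie?"
"Unrelated"="C:\\WINDOWS\\notepad.exe"
'''


def find_dropped_files(root):
    """Return leftover dropper files in the volume root (case-insensitive match)."""
    hits = [os.path.join(root, n) for n in os.listdir(root) if n.lower() in DROPPED]
    return sorted(p for p in hits if os.path.isfile(p))


def scan_reg_export(text):
    """Return (key, line, reason) for each registry leftover in .reg export text."""
    findings, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if MARKER in key.lower():
                findings.append((key, line, "mass-mail marker"))
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, data = (m.group("name") or "").lower(), m.group("data").lower()
        if MARKER in name:
            findings.append((key, line, "mass-mail marker"))
        elif "ss.vbs" in data:
            findings.append((key, line, "references SS.VBS"))
    return findings


if __name__ == "__main__":
    for key, line, reason in scan_reg_export(SAMPLE_REG):
        print(f"{reason}: [{key}] {line}")
```

A "references SS.VBS" hit or a surviving dropper file means the reinfection path is still in place; a "mass-mail marker" hit indicates the mailing routine has already run on that system.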

Currently there are no reports of this virus being in the wild.