Eng
  1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar


Astia


Aliases:


Titasic
Astia.A

Malware
Virus
W97M

Summary

W97M/Astia is a Word 97 macro virus that activates when an infected document is opened. At this point it infects the global template and every document thereafter.



Disinfection & Removal

Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details

When the Word is closed, the virus creates two infected template files to the Word's startup directory: "SNrml.src" and "SNrml.dot".

The virus replaces the "Tools/Macros/Visual Basic Editor" and "Tools/Macros/Macro" menu selections with its own dialog box containing the following text:

Maaf..
        Anda jangan coba-coba mengedit, merubah, ataupun menghapus
        makro Titasic..!!
        Anda hanya bisa merekam makro, menyimpan, menggunakan
        serta menghapus makro buatan Anda
        Apakah Anda ingin merekam makro..?

If user selects "Yes" from the dialog box, the virus attempts to start the macro recorder.

Since October 10th, 1998 the virus activates its payload when Word has been running for 45 minutes. At this point it will create a new document with a form. This form will contain some graphics as well as the following texts one at the time:

Mungkin kehadiran TITASIC mengganggu kesibukan Anda, untuk itu
        maafkanlah kelancangan Titasic ..
        Ingat...!! Radiasi komputer berbahaya bagi Anda! So..
        istirahatlah sejenak biar enggak stres, pusing, uring-uringan,
        dsb..!
        Buat Cewek 'SINGLE' yang merasa dirinya Cakeup & Manis..,
        Salam dari Astia..!
        Mangga bilih bade didamel deui.!


Variant:Astia.B

W97M/Astia.B activates its payload since October 15th, 1998 when Word has been running for 45 minutes. Otherwise it is the same as W97M/Astia.A.


Variant:Astia.C

W97M/Astia.C is like W97M/Astia.A but the text that the virus shows when its payload activates is slightly modified.


Variant:Astia.L

ALIAS:Mamm

W97M/Astia.L uses different file names in the Word's startup directory, "MAMM.dot" and "MAMM.src", and it contains no payload.


Variant:Astia.O

This variant is like W97M/Astia.A but the Titasic macro has been removed and there is no payload.


Variant:Astia.Y

ALIAS:BMH

W97M/Astia.Y is a modified variant of W97M/Astia.A.

After August, 7th 1998 when the Word has been running for 15 minutes, the virus activates its payload. The payload changes the title text of Word to "Boo" and creates a new document with a form that contains the following texts:

  Infected Boomv1.01
    Me, No longer to stay in your computer!
    Beware of the Boomv1.01!
    BmH guess who(m) am I
    thanks to (UserName)

where "(UserName)" is replaced with the current user name.

The virus also replaces "Tools\Macros\Visual Basic Editor" and "Tools\Macros\Macro" with a dialog box with the following text:

  Are you sure want to create a new macro ?

If the user selects "Yes" button, the virus attempts to start the macro recorder.





Description Created: Analysis: Katrin Tocheva and Sami Rautiainen, F-Secure



Submit a sample




Wondering if a file or URL is malicious? Submit a sample to our Lab for analysis via the Sample Analysis System (SAS)

Give And Get Advice




Give advice. Get advice. Share the knowledge on our free discussion forum.

Scan and clean your PC




F-Secure Online Scanner will scan and clean your PC in just a few minutes for free