Summary

Backhand is a polymorphic Word 97 macro virus which payload simulates the Y2K-problem.

The virus replicates when an infected document is opened, closed or a new one is created.

Backhand.A first disables the build-in macro virus protection. After that it drops its code in a file "sysboot.bin" to the root of "C:" drive and uses it to infect global template and documents.

When infects documents the virus change some of its subroutine names with random ones.

The virus contains a few payloads. First of them activates when the day of the month is 13. Than it saves the active document with a random password and shows a message:

 
        Your document has been corrupted because of a bug in Word!
        Call Microsoft Customer Support, they can help you. When you
        call, tell them this Bug-ID Code (don't forget it!)

If the day is also Friday then Backhand.A shows another message:

 
         Have A Nice Day!
         It's Friday 13th! This is my lucky day, I hope it's
         yours too!

The last payload activates in year 2000 or later when Backhand.A change the system date to January 1st 1980.

[Analysis: Katrin Tocheva, F-SECURE]