Backhand is a polymorphic Word 97 macro virus which payload
simulates the Y2K-problem.
The virus replicates when an infected document is opened, closed or
a new one is created.
Backhand.A first disables the build-in macro virus protection.
After that it drops its code in a file "sysboot.bin" to the root
of "C:" drive and uses it to infect global template and
documents.
When infects documents the virus change some of its subroutine
names with random ones.
The virus contains a few payloads. First of them activates when
the day of the month is 13. Than it saves the active document
with a random password and shows a message:
Your document has been corrupted because of a bug in Word!
Call Microsoft Customer Support, they can help you. When you
call, tell them this Bug-ID Code (don't forget it!)
If the day is also Friday then Backhand.A shows another message:
Have A Nice Day!
It's Friday 13th! This is my lucky day, I hope it's
yours too!
The last payload activates in year 2000 or later when Backhand.A
change the system date to January 1st 1980.
[Analysis: Katrin Tocheva, F-SECURE]
