Threat Descriptions

Backhand

Classification

Category :

Malware

Type :

-

Platform :

-

Aliases :

Backhand, Backhand.A

Summary

Backhand is a polymorphic Word 97 macro virus which payload simulates the Y2K-problem.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The virus replicates when an infected document is opened, closed or a new one is created.

Backhand.A first disables the build-in macro virus protection. After that it drops its code in a file "sysboot.bin" to the root of "C:" drive and uses it to infect global template and documents.

When infects documents the virus change some of its subroutine names with random ones.

The virus contains a few payloads. First of them activates when the day of the month is 13. Than it saves the active document with a random password and shows a message: 

 Your document has been corrupted because of a bug in Word!
 Call Microsoft Customer Support, they can help you. When you
 call, tell them this Bug-ID Code (don't forget it!)

If the day is also Friday then Backhand.A shows another message: 


Have A Nice Day!

It's Friday 13th! This is my lucky day, I hope it's

yours too!

The last payload activates in year 2000 or later when Backhand.A change the system date to January 1st 1980.