Threat Description

Backhand

Details

Aliases:Backhand, Backhand.A
Category: Malware
Type:
Platform: W32

Summary



Backhand is a polymorphic Word 97 macro virus which payload simulates the Y2K-problem.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You also may also refer to General Removal Instructions for a general guide on alternative disinfection actions.



Technical Details



The virus replicates when an infected document is opened, closed or a new one is created.

Backhand.A first disables the build-in macro virus protection. After that it drops its code in a file "sysboot.bin" to the root of "C:" drive and uses it to infect global template and documents.

When infects documents the virus change some of its subroutine names with random ones.

The virus contains a few payloads. First of them activates when the day of the month is 13. Than it saves the active document with a random password and shows a message:

  Your document has been corrupted because of a bug in Word!
  Call Microsoft Customer Support, they can help you. When you
  call, tell them this Bug-ID Code (don't forget it!)

If the day is also Friday then Backhand.A shows another message:

Have A Nice Day!
It's Friday 13th! This is my lucky day, I hope it's
yours too!

The last payload activates in year 2000 or later when Backhand.A change the system date to January 1st 1980.





Technical Details: Katrin Tocheva, F-SECURE


SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More