WordMacro/Bandung consists of six macros; AutoExec, AutoOpen, FileSave, FileSaveAs, ToolsMacro, ToolsCustomize. The virus is language dependent, ie. it is able to spread only under English version of Microsoft Word. The macros are not encrypted, but they can NOT be viewed from the Tools/Macro menu, since the virus replaces that menu command with it's own macro.
For background information on Word macro viruses, see the Concept virus.
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
After the 19th of every month, when the time is after 10:00, the virus actives. At this time, it displays a dialog which says:
Reading menu...Please wait !
After this the virus deletes most of the files on drive C: and creates a file called C:\PESAN.TXT with the following texts in it:
Anda rupanya sedang sial, semua file di mesin ini kecuali yang berada di direktori WINDOWS dan WINWORD telah hilang, jangan kaget, ini bukan ulah Anda, tapi ini hasil pekerjaan saya...Barang siapa yang berhasil menemukan cara menangkal virus ini, saya aka" + "n memberi listing virus ini untuk Anda !!! Dan tentu saja saya akan terus datang kesini untuk memberi Anda salam dengan virus-virus terbaru dari saya...selamat ! Bandung, Tueday, 26 November 1996, Jam: 11:24.
This text is in Indonesian. In english it reads:
It seems that you are having bad luck, all files in this machine except those in WINDOWS and WINWORD directories have been lost. Don't be surprised, it's not caused by your work, but mine... I will send the listing of this virus to whoever successfully creates the antivirus for it!!! And of course I will keep coming here to greet you with my newest viruses. Congratulations! Bandung, Tuesday, November 26, 1996, 11:24 AM.
The virus also has code to replace all 'a' letters in the current document with this string: '#@'.
The virus might have been written by the same author as the Npad virus.
In addition to being in the wild in Asia, Bandung was found also in Norway in November 1996.