F-Secure Virus Descriptions : BiosKiller

W97M/Bioskiller is a Word 97 macro virus which claims to activate on the 26th of every month and to overwrite the contents of the Flash BIOS chip of the machine.

However, due to serious design flaws and bugs, it only attempts to overwrite the CMOS memory and even this fails.

When first executed, the virus exports its code in two files on the hard disk: C:\BK.sys (contains BiosKiller macro code) and C:\APVBK.sys (contains BiosKiller1 macro code). After that it uses AddFromFile and Insert commands to insert its code to Global template.

Virus replaces several Word menu entries with macros that simply display a messagebox.

The virus uses an old macro stealth technic to hide the Tools/Macro/Visual Basic Editor menu. This way the user does not see the macro virus code.

If the user chooses menu Help/About, the virus will replace the 5th entry in Help menu with this text: "A propos du Virus BiosKiller".

The payload of the virus consists of two parts.

1. When the minutes or the seconds are 26, the virus displays a message in French (see below)

2. If the date is the 26th of any month the virus will show another French message (see below)

After that the virus drops a small Basic program to root directory of drive C: (C:\CMOS.BAS) and runs it with QBASIC shell. This Basic program claims it can erase Flash Bios, but actually it was created to erase CMOS memory only by writing its own ASCII code to CMOS storage area. There are several fatal errors in the program and CMOS memory will never be overwritten, instead the QBASIC shell will report an error and program execution will be terminated.

After this the virus exits Word.

The virus contains several French texts, which are translated here to English:

        Vous feriez mieux de vous acheter un AV...Virus BiosKiller
        You'd better buy you an AV tool... Virus BiosKiller