W97M/Bioskiller is a Word 97 macro virus which claims to activate on the 26th of every month and to overwrite the contents of the Flash BIOS chip of the machine.
However, due to serious design flaws and bugs, it only attempts to overwrite the CMOS memory and even this fails.
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
When first executed, the virus exports its code in two files on the hard disk: C:\BK.sys (contains BiosKiller macro code) and C:\APVBK.sys (contains BiosKiller1 macro code). After that it uses AddFromFile and Insert commands to insert its code to Global template.
Virus replaces several Word menu entries with macros that simply display a messagebox.
The virus uses an old macro stealth technic to hide the Tools/Macro/Visual Basic Editor menu. This way the user does not see the macro virus code.
If the user chooses menu Help/About, the virus will replace the 5th entry in Help menu with this text: "A propos du Virus BiosKiller".
The payload of the virus consists of two parts.
1. When the minutes or the seconds are 26, the virus displays a message in French (see below)
2. If the date is the 26th of any month the virus will show another French message (see below)
After that the virus drops a small Basic program to root directory of drive C: (C:\CMOS.BAS) and runs it with QBASIC shell. This Basic program claims it can erase Flash Bios, but actually it was created to erase CMOS memory only by writing its own ASCII code to CMOS storage area. There are several fatal errors in the program and CMOS memory will never be overwritten, instead the QBASIC shell will report an error and program execution will be terminated.
After this the virus exits Word.
The virus contains several French texts, which are translated here to English:
Vous feriez mieux de vous acheter un AV...Virus BiosKiller You'd better buy you an AV tool... Virus BiosKiller A propos du Virus BiosKiller About the Virus BiosKiller Vous connaissez le virus CIH ? Je fais la meme chose que lui..." Do you know the virus CIH? I do the same thing... Votre Bios va subir des changements... HAHA Your Bios is going to be modified......HAHA Votre Bios a ete flashe, HAHA!!! Your Bios has been flashed, HAHA!!! Je vais redemarrer votre ordinateur... I am going to reboot your PC... Je suis un virus comme CIH... I am a virus like CIH...