F-Secure Virus Descriptions : Chantal
W97M/Chantal is a Word 97 macro virus that drops a Visual Basic Script
and a batch virus. It also has a destructive payload.
When an infected document is opened, the virus disables the built-in
macro virus protection. It also disables the "Tools\Macro" menu and
lowers the security settings in Word 2000.
It drops a batch virus to "C:\CB2.BAT". A line that runs this batch
file is added to the end of "C:\Autoexec.bat". The batch virus is
able to replicate to other batch (*.bat) files in the current
directory. Because it is started from Autoexec.bat, it infects only
files in the root of the "C:" drive.
The virus creates two more files, "c:\windows\cb4.vxd" and
"c:\windows\system\cb1999.vbs". It modifies the registry in such a way
that the script file is executed every time the system is
restarted, if the Windows Scripting Host is installed. The script
infects Word's global template if it is not yet infected.
The virus changes the registered owner of Windows to:
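A defender's check for the file-system artifacts listed above, as an added example that is not part of the original description or F-Secure's tooling. It assumes the suspect "C:" volume is mounted at a directory, and the exact form of the Autoexec.bat line (optional "@", "call", drive and quotes) is an assumption, since the description does not quote it; the sample tree is constructed.

```python
import os, re, tempfile

# Dropped-file paths exactly as listed in the description (original variant only;
# file names used by other variants are not given on the page, so none are guessed).
DROPPED = [r"C:\CB2.BAT", r"c:\windows\cb4.vxd", r"c:\windows\system\cb1999.vbs"]
# Assumed shape of an AUTOEXEC.BAT line that runs CB2.BAT.
RUNS_CB2 = re.compile(r'^\s*@?\s*(call\s+)?"?(c:)?\\?cb2(\.bat)?"?\s*$', re.I)

def resolve(root, win_path):
    """Map a C:\\ path onto a mounted image at `root`, ignoring case (FAT is case-insensitive)."""
    current = root
    for part in win_path.split("\\")[1:]:
        names = {n.lower(): n for n in os.listdir(current)} if os.path.isdir(current) else {}
        if part.lower() not in names:
            return None
        current = os.path.join(current, names[part.lower()])
    return current

def triage(root):
    """Return (indicator, detail) findings for the artifacts named in the description."""
    findings = [("dropped file", p) for p in DROPPED if resolve(root, p)]
    autoexec = resolve(root, r"C:\Autoexec.bat")
    if autoexec:
        with open(autoexec, encoding="latin-1") as fh:
            lines = [l.rstrip("\r\n") for l in fh if l.strip()]  # non-blank lines only
        for number, line in enumerate(lines, 1):
            if RUNS_CB2.match(line):
                where = "last line" if number == len(lines) else f"line {number}"
                findings.append(("autoexec entry", f"{where}: {line.strip()}"))
    return findings

def build_sample(root, infected):
    """Constructed sample tree standing in for a mounted C: volume (empty marker files)."""
    os.makedirs(os.path.join(root, "WINDOWS", "SYSTEM"))
    autoexec = "@ECHO OFF\r\nPATH C:\\WINDOWS\r\n"
    if infected:
        for rel in ("cb2.bat", "WINDOWS/CB4.VXD", "WINDOWS/SYSTEM/cb1999.vbs"):
            open(os.path.join(root, *rel.split("/")), "w").close()
        autoexec += "C:\\CB2.BAT\r\n"
    with open(os.path.join(root, "AUTOEXEC.BAT"), "w", newline="") as fh:
        fh.write(autoexec)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp, infected=True)
        for finding in triage(tmp):
            print(*finding, sep=": ")
```
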
Chantal 4ever!
It also changes the comment from the document summary to:
Chantal B. 4ever - Hennie & Mark
The payload of this virus activates in the year 2000. It deletes
files from the current directory and from the root of the "C:" drive.
Then it shows a message box with the following text:
Chantal 4ever!
Further, on the 31st day of each month it shows an Office Assistant
with the same message but does not delete any files.
The Chantal.B variant is slightly modified. Its payload also
activates in the year 2000, when it deletes all files from the root
directory of the "C:\" drive and from the current directory, but the
message box that this variant shows is:
Welcome To Y2K
On the 31st day of each month, Chantal.B shows an Office Assistant
with the following text and heading:
Heading: MK Words V.2
Text: Y2K is Coming Soon...
The following text has also been added at the top of the code:
MK-Words 2
From the MKVG - The Lion City
and
MKVG had present MK Words Version 2
(C) May 1999
at the end.
This variant uses "MKV" instead of "CB" for all files that it drops.
[Analysis: Katrin Tocheva and Sami Rautiainen, F-Secure]