W97M/Chantal is a Word 97 macro virus that drops a Visual Basic Script and a batch virus. It also has a destructive payload.
Disinfection & Removal
When an infected document is opened, the virus disables the built-in macro virus protection. It also disables the "Tools\Macro" menu and lowers the security settings from Word 2000.
It drops a batch virus to "C:\CB2.BAT". The execution of this batch file is added to the end of the "C:\Autoexec.bat". The batch virus is able to replicate to other batch (*.bat) files in the current directory. Therefore, it infects only files in the root of the "C:" drive.
The virus creates another two files, "c:\windows\cb4.vxd" and "c:\windows\system\cb1999.vbs". It modifies the registry in a such way that the script file will be executed every time when the system is restarted if the Windows Scripting Host is installed. The script will infect the Word's global template, if it is not yet infected.
The virus changes the registed owner of Windows to:
It also changes the comment from the document summary to:
Chantal B. 4ever - Hennie & Mark
The payload of this virus activates on year 2000. Then it deletes files from the current directory and from the root of the "C:" drive. Then it shows a message box with the following text:
Futher, in every 31st day of each month it shows an Office Assistant with the same message but does not delete any files.
This variant is slightly modified. The payload of Chantal.B also activates on year 2000 when it deletes all files from the root directory of "C:\" drive and from the current directory, but the message box that this variant shows is:
Welcome To Y2K
If the day is 31st of each month, Chantal.B shows Office Assistant with the following text and heading:
Heading: MK Words V.2 Text: Y2K is Coming Soon...
Also the following text has been added on the top of the code:
MK-Words 2 From the MKVG - The Lion City
MKVG had present MK Words Version 2 (C) May 1999
at the end.
This variant uses "MKV" instead of "CB" for all files that it drops.
Technical Details: Katrin Tocheva and Sami Rautiainen, F-Secure