This is almost identical to Class.D except the displayed message is
slightly different and the name of the registered user is not changed.
W97M/Class.D activates on the 14th of the month from June to December.
At this time it displays a message:
I Think (Name of the current user) is a big stupid jerk!
VicodinES Loves You / Class.Poppy
Sometimes the virus also changes the registered company name to
"Dr. Diet Mountain Dew".
This variant is functionally identical with Class.B.
W97M/Class.BV is a variant that does not contain any payload.
Furthermore, it does not create a temporary file to replicate.
This variant of Class is also known as Mad Cow. It is related to the
famous Melissa virus as well.
Class.CN spreads in Word documents and transfers itself via e-mail,
using Microsoft Outlook. It sends e-mail to the first 20 aliases
listed in Outlook Address Book.
The messages look like this:
From: (name of infected user)
Subject: Mad Cow Joke
To: (20 names from alias list)
Beware of the spread of the Madcow Disease
Attachment: (random document infected with Syndicate)
Do notice that Class.CN can arrive in any document, not necessarily
just in MADCOW.DOC in which it was initially distributed.
Another noticeable and a major difference that makes it different
from Melissa and Syndicate: Class.CN re-sends the messages only when
an infected document is opened or closed in an infected system.
W97M/Class.CN is a polymorphic virus which means that it changes it's
own code every time it replicates. It uses a file called C:\V.SYS
while spreading.
The virus contains these comments that are never shown to the user:
'WORD/VERONICA // thanks to WORD/MELLISA & WORD/CLASS
W97M/Class.EB is a non-polymorphic variant of W97M/Class. The file
name that it uses to replicate has been changed to "c:\normal.do".
This virus activates its payload on the 11th day of each month when
it displays a message box with the following text:
Internal Error! Restart Word.
[Analysis: Katrin Tocheva and Sami Rautiainen, F-Secure]
