1. Skip to navigation
  2. Skip to content
  3. Skip to secondary-content

Where You Are

  1. Labs
  2. Threats
  3. Virus and threat descriptions
  4. Class

Class

Summary

This Word macro virus (also known as "MS Word 97 Macro Class Virus") infects Word 97 documents.

Additional Details

W97M/Class changes it's own code constantly by inserting comments that contain the current user name, date and time and information about the active printer.

The virus uses an effective way to hide its code. The virus installs its module to Word classes by using special WordBasic operators. The virus code is appended as a native Word component. As a result the virus is not visible in the Tools/Macro menu.

The virus creates a file "c:\class.sys" to replicate. This file can be safely deleted after the system has been disinfected.

W97M/Class activates on the 31st of every month. On this date it displays this message: 


    This Is Class
    o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o
    o      VicodinES     /CB    /TNN      o
    o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o

VARIANT:Class.B

This is almost identical to Class.D except the displayed message is slightly different and the name of the registered user is not changed.

VARIANT:Class.D

W97M/Class.D activates on the 14th of the month from June to December. At this time it displays a message: 


        I Think (Name of the current user) is a big stupid jerk!
        VicodinES Loves You / Class.Poppy

Sometimes the virus also changes the registered company name to "Dr. Diet Mountain Dew".

VARIANT:Class.Q

This variant is functionally identical with Class.B.

VARIANT:Class.BV

W97M/Class.BV is a variant that does not contain any payload. Furthermore, it does not create a temporary file to replicate.

VARIANT:Class.CN
ALIAS:Mad Cow

This variant of Class is also known as Mad Cow. It is related to the famous Melissa virus as well.

Class.CN spreads in Word documents and transfers itself via e-mail, using Microsoft Outlook. It sends e-mail to the first 20 aliases listed in Outlook Address Book.

The messages look like this: 


        From: (name of infected user)
        Subject: Mad Cow Joke
        To: (20 names from alias list)




        Beware of the spread of the Madcow Disease




        Attachment: (random document infected with Syndicate)

Do notice that Class.CN can arrive in any document, not necessarily just in MADCOW.DOC in which it was initially distributed.

Another noticeable and a major difference that makes it different from Melissa and Syndicate: Class.CN re-sends the messages only when an infected document is opened or closed in an infected system.

W97M/Class.CN is a polymorphic virus which means that it changes it's own code every time it replicates. It uses a file called C:\V.SYS while spreading.

The virus contains these comments that are never shown to the user: 


        'WORD/VERONICA // thanks to WORD/MELLISA & WORD/CLASS

VARIANT:Class.EB

W97M/Class.EB is a non-polymorphic variant of W97M/Class. The file name that it uses to replicate has been changed to "c:\normal.do".

This virus activates its payload on the 11th day of each month when it displays a message box with the following text: 


    Internal Error!  Restart Word.


[Analysis: Katrin Tocheva and Sami Rautiainen, F-Secure]