Threat Description

Cybernet

Details

Aliases: Cybernet, O97M/Cybernet, Macro.Office.Cybernet
Category: Malware
Type: Virus
Platform: W97M

Summary



F-Secure has not received direct reports of this virus from the field, but we have second-hand reports confirming limited in-the-wild sightings of this virus in Australia and Canada.



Removal



Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details



Cybernet is based on W97M/Pri.Q. The worm part of the virus is quite close to Melissa, as it is a macro virus which uses Outlook to spread to the first 50 addresses in the local address book. However, Cybernet infects Excel's XLS files as well as Word's DOC files.

Further information about W97M/Pri.Q is available at http://www.F-Secure.com/v-descs/pri.shtml

To infect Excel, the virus creates an infected workbook, "CyberNET.xls", in the Excel startup directory.

In addition, the virus disables the macro virus warning from both Excel and Word.

The e-mail messages sent by Cybernet look like this:

  From: name-of-the-infected-user
  To: random-name-from-address-book
  Subject: You've GOT Mail !!!
  Please, saved the document after you read and don't show to
  anyone else. The document is also VIRUS FREE...so DISREGARD the
  virus protection warning !!!
  Attachment: random infected DOC file
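
A mail-gateway check for the message template shown above, as an added example (not F-Secure's code): it parses a raw message and reports which of the template's indicators match. The function names, the placeholder addresses and the attachment name are assumptions, and the sample message is constructed.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Indicators taken from the message template quoted in this description.
SUBJECT = "You've GOT Mail !!!"
BODY_PHRASES = ("don't show to anyone else",
                "DISREGARD the virus protection warning")


def _squash(text):
    """Lower-case and collapse whitespace so re-wrapped lines still match."""
    return re.sub(r"\s+", " ", str(text or "")).strip().lower()


def cybernet_indicators(raw_message):
    """Return which template indicators appear in one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    if _squash(msg["Subject"]) == _squash(SUBJECT):
        hits.append("subject")
    part = msg.get_body(preferencelist=("plain",))
    body = _squash(part.get_content() if part is not None else "")
    if all(_squash(p) in body for p in BODY_PHRASES):
        hits.append("body")
    for att in msg.iter_attachments():
        name = (att.get_filename() or "").lower()
        if name.endswith(".doc"):  # the description says the attachment is a DOC file
            hits.append("attachment:" + name)
    return hits


def build_sample():
    """Constructed sample modelled on the template; not a captured message."""
    m = EmailMessage()
    m["From"] = "alice@example.com"   # placeholder addresses
    m["To"] = "bob@example.com"
    m["Subject"] = SUBJECT
    m.set_content("Please, saved the document after you read and don't show to\n"
                  "anyone else. The document is also VIRUS FREE...so DISREGARD the\n"
                  "virus protection warning !!!\n")
    m.add_attachment(b"placeholder bytes", maintype="application",
                     subtype="msword", filename="Report.DOC")
    return m.as_string()


if __name__ == "__main__":
    print(cybernet_indicators(build_sample()))
```

A message matching all three indicators is a strong candidate for quarantine; a subject-only match is better treated as a hint for review.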

Cybernet will attempt to activate in August or December when it tries to format the hard drive.

The payload activates on the 17th of August or the 25th of December, when it replaces c:\autoexec.bat with the text:

  Vine...Vide...Vice...Moslem Power Never End...
  I'm Really Sorry, This System Have Been Recycled By -= CyberNET =- Virus!!!
  Brought To You From INDONESIA...

A command to format the C:\ drive is added to c:\autoexec.bat as well. It will be executed when the Windows 95/98 system restarts. Furthermore, the virus modifies the c:\config.sys file so that the execution of autoexec.bat cannot be bypassed with the F5 or F8 keys.

On the activation dates the virus adds a random number of random shapes to the active document and shows this message:

  Assalamualaikum Li Kulli Muslim...Moslem Power Never End...
  Nothing Can Stop << CyberNET >> Virus. Your System Has Already Infected !!!
  Now...I Am Outta Here...

Then the virus exits Windows. This will allow the virus to execute autoexec.bat which will try to format the C: drive.

When the payload activates in Excel, it adds a random number of comments to the active workbook. Otherwise the payload is the same as the payload in the Word part.

The virus code contains three additional comments:

  W97M/CyberNET (C)2000 - Indonesia By AnomOke!
  I'm NOT Responsible For Any Damage That Posible Cause By My Virus...!!!
  anti-heuristic for stupid McAfee antivirus scanner
  anti-heuristic for stupid Norton antivirus scanner

O97M/Cybernet.A is slightly polymorphic; it changes its code between infections.





Technical Details: Katrin Tocheva, Mikko Hypponen and Sami Rautiainen, F-Secure Corporation

