F-Secure has not received direct reports of this virus from the field, but we have second-hand reports confirming limited in-the-wild sightings of this virus in Australia and Canada.
Disinfection & Removal
Cybernet is based on W97M/Pri.Q. The worm part of the virus is quite close to Melissa, as it is a macro virus which uses Outlook to spread to the first 50 addresses in the local address book. However, Cybernet infects Excel's XLS files as well as Word's DOC files.
Further information about W97M/Pri.Q is available at http://www.F-Secure.com/v-descs/pri.shtml
The virus creates an infected workbook to the Excel startup directory, "CyberNET.xls", to infect Excel.
In addition, the virus disables the macro virus warning from both Excel and Word.
The e-mail messages sent by Cybernet look like this:
From: name-of-the-infected-user To: random-name-from-address-book Subject: You've GOT Mail !!! Please, saved the document after you read and don't show to anyone else. The document is also VIRUS FREE...so DISREGARD the virus protection warning !!! Attachment: random infected DOC file
Cybernet will attempt to activate in August or December when it tries to format the hard drive.
The payload activates on 17th of August or 25th of December when it replaces c:\autoexec.bat with the text:
Vine...Vide...Vice...Moslem Power Never End... I'm Really Sorry, This System Have Been Recycled By -= CyberNET =- Virus!!! Brought To You From INDONESIA...
A command to format the C:\ drive is added to c:\autoexec.bat as well. It will be executed when the Windows 95/98 system restarts. Furthermore, the virus modifies the c:\config.sys file in a way that the execution of autoexec.bat cannot be bypassed with F5 or F8 keys.
On the activation dates the virus adds a random number of random shapes to the active document and shows this message:
Assalamualaikum Li Kulli Muslim...Moslem Power Never End... Nothing Can Stop << CyberNET >> Virus. Your System Has Already Infected !!! Now...I Am Outta Here...
Then the virus exits Windows. This will allow the virus to execute autoexec.bat which will try to format the C: drive.
When the payload activates in the Excel it adds a random number of comments to the active workbook. Otherwise the payload is the same as the payload in the Word part.
The virus code contains three additional comments:
W97M/CyberNET (C)2000 - Indonesia By AnomOke! I'm NOT Responsible For Any Damage That Posible Cause By My Virus...!!! anti-heuristic for stupid McAfee antivirus scanner anti-heuristic for stupid Norton antivirus scanner
O97M/Cybernet.A is slightly polymorphic; it changes it's code between infections.
Technical Details: Katrin Tocheva, Mikko Hypponen and Sami Rautiainen, F-Secure Corporation