F-Secure
Tools
Disco
| ALIAS: | Poppy |
Summary
W97M/Disco is a fairly simple Word 97 macro virus, and it infects the "NORMAL.DOT" when an infected document is opened. After that it will infect every document that is opened.Additional Details
Beside replication, the virus creates an autorun file ("autorun.inf") to the root of the "C:" drive with a random icon.The virus hooks some of the menu selections as well. Menu selections "Help/About" and "Tools/Macros/Visual Basic Editor" is replaced with a three different message boxes:
W97M/Disco.Poppy by VicodinES
Everything is fine - nothing to see here - let's move it along kids!
Social camouflage for this modern age!
The virus activates its payload on every day at 12:00:01 pm if user selects one of the "Tools/Macros/Macro", "File/Print" or "File/Templates" menu selections.
If user selected "Tools/Macros/Macro" or "File/Templates" menu, it deletes the entire active document, and inserts the following text:
Macro.Poppy.I aka Disco.Poppy
By VicodinES
Macro Virus for Word 97
T h e N a r k o t i c N e t w o r k !
If user selected "File/Print" menu, the text will be as follows:
When will you wake up and realize that we live in a
primitive society? Don't kid yourself - there is NO GOD!!
This text will be inserted to the end of the document and then the document will be printed.
| VARIANT: | Disco.B |
Otherwise it is very similar to W97M/Disco.A variant, there is only slight changes in the texts and messages that it displays.
| VARIANT: | Disco.C |
| VARIANT: | Disco.D |
| VARIANT: | Disco.E |
[Analysis: Sami Rautiainen, F-Secure]