F-Secure Virus Descriptions : Disco
W97M/Disco is a fairly simple Word 97 macro virus. It infects
"NORMAL.DOT" when an infected document is opened. After that it will
infect every document that is opened.
Besides replication, the virus creates an autorun file ("autorun.inf")
in the root of the "C:" drive with a random icon.
The virus hooks some of the menu selections as well. The menu selections
"Help/About" and "Tools/Macros/Visual Basic Editor" are replaced with
three different message boxes:
W97M/Disco.Poppy by VicodinES
Everything is fine - nothing to see here - let's move it along kids!
Social camouflage for this modern age!
The virus activates its payload every day at 12:00:01 pm if the user
selects one of the "Tools/Macros/Macro", "File/Print" or
"File/Templates" menu selections.
If the user selects the "Tools/Macros/Macro" or "File/Templates" menu, it
deletes the entire active document and inserts the following text:
Macro.Poppy.I aka Disco.Poppy
By VicodinES
Macro Virus for Word 97
T h e N a r k o t i c N e t w o r k !
If the user selects the "File/Print" menu, the text will be as follows:
When will you wake up and realize that we live in a
primitive society? Don't kid yourself - there is NO GOD!!
This text will be inserted at the end of the document and then the
document will be printed.
This variant, W97M/Disco.B, creates a batch file in the Windows
startup directory, "C:\windows\startm~1\programs\startup\msfile.bat",
which attempts to remove "NORMAL.DOT" if it is read-protected the
next time Windows is restarted.
Otherwise it is very similar to the W97M/Disco.A variant; there are only
slight changes in the texts and messages that it displays.
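The two on-disk artifacts described on this page (the "autorun.inf" in the drive root and the W97M/Disco.B "msfile.bat" in the startup directory) can be checked for on a live system or a mounted disk image. The following is an added example, not part of the original F-Secure description; the function names, the long-name form "Start Menu" for "startm~1", and the sample file contents are assumptions.

```python
import os
import tempfile

# Path is from the page; "start menu" is the assumed long form of "startm~1".
STARTUP_BATS = [["windows", d, "programs", "startup", "msfile.bat"]
                for d in ("startm~1", "start menu")]

def find_ci(root, parts):
    """Resolve path components case-insensitively (e.g. on a mounted image)."""
    path = root
    for part in parts:
        names = os.listdir(path) if os.path.isdir(path) else []
        match = next((n for n in names if n.lower() == part), None)
        if match is None:
            return None
        path = os.path.join(path, match)
    return path

def read_text(path, limit=65536):
    with open(path, "rb") as fh:
        return fh.read(limit).decode("latin-1")

def triage(root):
    """Return (artifact, detail) findings for the files named on this page."""
    findings = []
    autorun = find_ci(root, ["autorun.inf"])
    if autorun:
        icons = [ln.split("=", 1)[1].strip() for ln in read_text(autorun).splitlines()
                 if ln.strip().lower().startswith("icon") and "=" in ln]
        findings.append(("autorun.inf", "icon=" + (icons[0] if icons else "<none>")))
    for parts in STARTUP_BATS:
        bat = find_ci(root, parts)
        if bat:
            hit = "normal.dot" in read_text(bat).lower()
            findings.append(("msfile.bat", "mentions NORMAL.DOT" if hit else "other content"))
    return findings

def build_sample(root):  # constructed sample tree; file contents are invented
    startup = os.path.join(root, "WINDOWS", "Start Menu", "Programs", "StartUp")
    os.makedirs(startup)
    with open(os.path.join(root, "AUTORUN.INF"), "w") as fh:
        fh.write("[autorun]\nicon=sample.ico\n")
    with open(os.path.join(startup, "MSFILE.BAT"), "w") as fh:
        fh.write("rem constructed sample mentioning NORMAL.DOT\n")

if __name__ == "__main__":
    demo_root = tempfile.mkdtemp()
    build_sample(demo_root)
    print(triage(demo_root))
```

An "autorun.inf" in a hard-drive root is not proof of infection on its own, so treat each finding as a lead for further inspection of the file.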
This variant is functionally identical with W97M/Disco.A.
This variant has no payload and it displays no messages.
W97M/Disco.E is a slightly modified variant of W97M/Disco.D. Additionally,
it hooks the "Tools/Macros/Macro" menu, rendering it unusable.
[Analysis: Sami Rautiainen, F-Secure]