Doeii
Summary
Doeii is a Word macro virus that encrypts documents it infects.
Removal
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
-
Check for the latest database updates
First check if your F-Secure security program is using the latest updates, then try scanning the file again.
-
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
-
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
Technical Details
Variant:Doeii.A
W97M/Doeii.A infects document when it is opened or when a new document is created.
After the infection and when the document is opened, depending on a random number, the virus shows a message box:
w97.LAM, by LiFEwiRE [www.shadowvx.org]
with a title
...::LiFEwiRE::...
After this it replaces the contents of the active document with the following string:
LiFEwiRE2000 - www.shadowvx.org
and saves it with a password "pietje". This means that the contents of all documents encrypted with this password are lost.
Doeii tries to hook ToolsMacro and ViewVBCode menus by inserting a comment to the text
"(c) LiFEwiRE 2000 "
and the address of the above VX site (already closed).
The virus code also contains the following commented lines:
'(c) 2OOO by LiFEwiRE... writt3n 4g4inst my phucking 3x-sk3wl... i c4n c0de ring0 p0ly P3 1nf3ct0rs, but w0rd is 4 b3tt3r 't4rg3t in w97... I kn0w this c0d3 w0n't spr34d 0utzide sk3wl, wh0 cares? Th3 b3tt3r!