W97M/Doeii.A infects document when it is opened or when a new
document is created.
After the infection and when the document is opened, depending on
a random number, the virus shows a message box:
w97.LAM€ by LiFEwiRE [www.shadowvx.org]
with a title
After this it replaces the contents of the active document with
the following string:
LiFEwiRE2000 - www.shadowvx.org
and saves it with a password "pietje". This means that the contents
of all documents encrypted with this password are lost.
Doeii tries to hook ToolsMacro and ViewVBCode menus by inserting a
comment to the text
"(c) LiFEwiRE 2000 "
and the address of the above VX site (already closed).
The virus code also contains the following commented lines:
'(c) 2OOO by LiFEwiRE... writt3n 4g4inst my phucking 3x-sk3wl... i c4n c0de ring0 p0ly P3 1nf3ct0rs, but w0rd is 4 b3tt3r
't4rg3t in w97... I kn0w this c0d3 w0n't spr34d 0utzide sk3wl, wh0 cares? Th3 b3tt3r!
[Analysis: Katrin Tocheva, F-Secure, August 2000]