1. Skip to navigation
  2. Skip to content
  3. Skip to secondary-content

Where You Are

  1. Labs
  2. Threats
  3. Virus and threat descriptions
  4. Doeii

Doeii

Summary

Doeii is a Word macro virus that encrypts documents it infects.

VARIANT:Doeii.A

Summary



W97M/Doeii.A infects document when it is opened or when a new document is created.

After the infection and when the document is opened, depending on a random number, the virus shows a message box: 

    w97.LAM€ by LiFEwiRE [www.shadowvx.org]

with a title 

    ...::LiFEwiRE::...



After this it replaces the contents of the active document with the following string: 

    LiFEwiRE2000 - www.shadowvx.org

and saves it with a password "pietje". This means that the contents of all documents encrypted with this password are lost.

Doeii tries to hook ToolsMacro and ViewVBCode menus by inserting a comment to the text 

    "(c) LiFEwiRE 2000 "

and the address of the above VX site (already closed).

The virus code also contains the following commented lines: 

      '(c) 2OOO by LiFEwiRE... writt3n 4g4inst my phucking 3x-sk3wl... i c4n c0de ring0 p0ly P3 1nf3ct0rs, but w0rd is 4 b3tt3r
      't4rg3t in w97... I kn0w this c0d3 w0n't spr34d 0utzide sk3wl, wh0 cares? Th3 b3tt3r!

[Analysis: Katrin Tocheva, F-Secure, August 2000]