

FF


Aliases:


FF

Malware
Virus
W97M

Summary

W97M/FF is a simple Word class infector.



Disinfection & Removal

Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details


Variant: FF.A (Macro.Word97.Lys.i)

When an infected document is opened, W97M/FF.A deletes the "Tools/Macros" menu and disables the built-in macro virus protection first. Then the virus creates a temporary file, "C:\FF.sys", and infects the global template.

Afterwards every opened document is infected.

The virus activates its payload on the first day of every month. It alters the "c:\msdos.sys" file by changing the

  BootGUI=1

line to

  BootGUI=0

This causes Windows 95/98 to start in command-line mode after boot instead of the graphical user interface (GUI).
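
A triage check for the two on-disk artifacts described above, added here as an example and not part of the original F-Secure description. It assumes the suspect drive's root is mounted at a path you pass in; the function names and the sample MSDOS.SYS content are constructed for illustration.

```python
import os
import re

# Constructed sample: MSDOS.SYS as it would look after the payload ran.
SAMPLE_MSDOS_SYS = (
    "[Paths]\nWinDir=C:\\WINDOWS\nWinBootDir=C:\\WINDOWS\nHostWinBootDrv=C\n\n"
    "[Options]\nBootMulti=1\nBootGUI=0\nNetwork=1\n"
    ";The following lines are required for compatibility with other programs.\n"
)

_BOOTGUI = re.compile(r"^[ \t]*BootGUI[ \t]*=[ \t]*(\S+)[ \t]*$", re.IGNORECASE)


def boot_gui_value(text):
    """Return the BootGUI value from the [Options] section, or None if absent."""
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(";"):
            continue  # blank line or comment/padding line
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1].lower()
            continue
        match = _BOOTGUI.match(line)
        if match and section == "options":
            return match.group(1)
    return None


def restore_boot_gui(text):
    """Return text with any BootGUI=0 line set back to BootGUI=1; other bytes untouched."""
    pattern = r"(?im)^([ \t]*BootGUI[ \t]*=[ \t]*)0([ \t\r]*)$"
    return re.sub(pattern, r"\g<1>1\g<2>", text)


def triage(root):
    """Check a mounted drive root for FF.sys and for the altered BootGUI line."""
    names = {name.lower(): name for name in os.listdir(root)}
    findings = {"ff_sys_present": "ff.sys" in names, "boot_gui": None}
    if "msdos.sys" in names:
        path = os.path.join(root, names["msdos.sys"])
        with open(path, encoding="latin-1") as handle:
            findings["boot_gui"] = boot_gui_value(handle.read())
    findings["boot_gui_disabled"] = findings["boot_gui"] == "0"
    return findings


if __name__ == "__main__":
    print(boot_gui_value(SAMPLE_MSDOS_SYS), boot_gui_value(restore_boot_gui(SAMPLE_MSDOS_SYS)))
```

BootGUI=0 can also be a deliberate user setting, so treat it as an indicator to correlate with the presence of FF.sys and a scanner result rather than as proof of infection.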


Variant: FF.C

This variant is functionally identical to W97M/FF.A.





Technical Details: Sami Rautiainen, F-Secure


