Threat Description

Funky

Details

Aliases: Funky
Category: Malware
Type: Virus
Platform: W97M

Summary



W97M/Funky is a Word 97 macro virus with a destructive payload.



Removal



Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details




Variant:Funky.A

When an infected document is opened, W97M/Funky.A infects the global template and all documents created or opened thereafter.

While it infects, the virus checks if the "User's Template Path" from "Tools/Options". It this setting is empty, pointing to the default template diretory, the virus attempts to change the template directory to "C:\Temp". The directory is created if it does not exists. Next the virus creates a text file, "Tpath.txt" to the template directory.

Then the virus creates two temporary files to the template directory, called "funky1.bas" and "funky2.bas". These files are deleted after the infection.

W97M/Funky.A activates its payload every time when an infected document is opened after August 31th, 1999. Then the virus removes all AutoCorrect definitions and creates a directory for each AutoCorrect definition to the template directory. Then it shows a message box with the following text:

Hi <UserName>
        Sorry, did you say there are no more Autotext entires?
        Never mind, you should have enough information to replace it.
        Take a look at your Templates directory !!!

If the virus can not find any AutoCorrect definitions, it creates 1000 empty directories to the parent directory of the template directory.





Technical Details: Sami Rautiainen, F-Secure


SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Scan & clean your PC

F-Secure Online Scanner will scan and clean your PC in just a few minutes for free

Learn More