Classification

Category :

Malware

Type :

Virus

Platform :

W97M

Aliases :

Funky

Summary

W97M/Funky is a Word 97 macro virus with a destructive payload.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Variant:Funky.A

When an infected document is opened, W97M/Funky.A infects the global template and all documents created or opened thereafter.

While it infects, the virus checks if the "User's Template Path" from "Tools/Options". It this setting is empty, pointing to the default template diretory, the virus attempts to change the template directory to "C:\Temp". The directory is created if it does not exists. Next the virus creates a text file, "Tpath.txt" to the template directory.

Then the virus creates two temporary files to the template directory, called "funky1.bas" and "funky2.bas". These files are deleted after the infection.

W97M/Funky.A activates its payload every time when an infected document is opened after August 31th, 1999. Then the virus removes all AutoCorrect definitions and creates a directory for each AutoCorrect definition to the template directory. Then it shows a message box with the following text:

Hi          Sorry, did you say there are no more Autotext entires?         Never mind, you should have enough information to replace it.         Take a look at your Templates directory !!!  

If the virus can not find any AutoCorrect definitions, it creates 1000 empty directories to the parent directory of the template directory.