W97M/Funky is a Word 97 macro virus with a destructive payload.
Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.
When an infected document is opened, W97M/Funky.A infects the global template and all documents created or opened thereafter.
While it infects, the virus checks if the "User's Template Path" from "Tools/Options". It this setting is empty, pointing to the default template diretory, the virus attempts to change the template directory to "C:\Temp". The directory is created if it does not exists. Next the virus creates a text file, "Tpath.txt" to the template directory.
Then the virus creates two temporary files to the template directory, called "funky1.bas" and "funky2.bas". These files are deleted after the infection.
W97M/Funky.A activates its payload every time when an infected document is opened after August 31th, 1999. Then the virus removes all AutoCorrect definitions and creates a directory for each AutoCorrect definition to the template directory. Then it shows a message box with the following text:
Hi <UserName> Sorry, did you say there are no more Autotext entires? Never mind, you should have enough information to replace it. Take a look at your Templates directory !!!
If the virus can not find any AutoCorrect definitions, it creates 1000 empty directories to the parent directory of the template directory.
Technical Details: Sami Rautiainen, F-Secure