Summary
W97M/Funky is a Word 97 macro virus with a destructive payload.
Disinfection & Removal
Allow F-Secure Anti-Virus to disinfect the relevant files.
For more general information on disinfection, please see Removal Instructions.
Technical Details
Variant:Funky.A
When an infected document is opened, W97M/Funky.A infects the global template and all documents created or opened thereafter.
While it infects, the virus checks if the "User's Template Path" from "Tools/Options". It this setting is empty, pointing to the default template diretory, the virus attempts to change the template directory to "C:\Temp". The directory is created if it does not exists. Next the virus creates a text file, "Tpath.txt" to the template directory.
Then the virus creates two temporary files to the template directory, called "funky1.bas" and "funky2.bas". These files are deleted after the infection.
W97M/Funky.A activates its payload every time when an infected document is opened after August 31th, 1999. Then the virus removes all AutoCorrect definitions and creates a directory for each AutoCorrect definition to the template directory. Then it shows a message box with the following text:
Hi <UserName>
Sorry, did you say there are no more Autotext entires?
Never mind, you should have enough information to replace it.
Take a look at your Templates directory !!!
If the virus can not find any AutoCorrect definitions, it creates 1000 empty directories to the parent directory of the template directory.
Technical Details: Sami Rautiainen, F-Secure
Submit a sample
Wondering if a file or URL is malicious? Submit a sample to our Lab for analysis via the Sample Analysis System (SAS)
F-Secure Community
Give advice. Get advice. Share the knowledge on our free discussion forum.