Classification

Category :

Malware

Type :

-

Aliases :

Jedi, Jedi_Magic

Summary

This Word 97 virus contains two functions (AutoOpen and AutoExit) a in single module called Jedi_Magic. While infecting the global macros area the virus resets these system variables:

UserName = "O.B.1. Canobi"
 UserInitials = "OBC"
 UserAddress = "BOOGZI BARBERS ... Food Buster!!!"

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The virus detects already infected documents by the checking for the "Force" variable in which it saves the text: "567374-Joseph.A.D.G.". On exiting Word the virus resets its module's attributes:

VB_Description="Macro created 03/12/98 by Membership & Registry Division"
 VB_ProcData.VB_Invoke_Func = "Normal.Jedi_Magic.AutoExit"

[Eugene Kaspersky]