The virus consists of a single VBA5 module named "a". The module
contains 4 subroutines with identical contents - AutoOpen, AutoClose,
AutoNew and AutoExec. Therefore, the virus receives control each time
a document is opened, closed, created, or when Word is started.
When it receives control, the first thing the virus does is to examine
all add-ins (accessible via Tools/Templates and Add-Ins of Word 97's
menus) and unload all of those, whose name is not Autoexec.dot. The
virus then changes the path of Word's Startup folder (accessible via
Tools/Options/File Locations of the menus of Word 97) to C:\. Then it
turns off the built-in macro virus protection of Word 97.
If the virus is running from a document containing the word "Autoexec"
anywhere in its name, the virus checks whether any of the opened
documents or the global template is infected. (This is determined by
checking for the presence of a module named "a".) If neither of them
is, the virus opens the document C:\Autoexec.dot (in a way which
prevents it from appearing on the list of Most Recently Used files on
Word's menu) and copies itself from that document to all opened
documents and templates, the VBA projects in which are not protected.
The virus then checks whether a file named "Autoexec.dot" is present
in the root directory of drive C:. If it is not, a new template is
created, it is infected, and is saved in a file with this name. Again,
the virus takes care to prevent the name of this file from appearing
on the MRU list.
The next action of the virus is to inspect all opened documents
(except the one it is running from) and templates. If their VBA
projects are not protected, it looks there for modules named AutoOpen,
AutoClose, AutoNew and FileSave and removes them. This might be a
measure against another, competing virus, or against some unknown
anti-virus product. The virus then proceeds to infect these documents
Next, the virus performs some key and menu redirections. The key
shortcuts Alt-F8 (default for Tools/Macro/Macros) and Alt-F11 (default
for Tools/Macro/Visual Basic Editor) are redirected to perform
File/Save As (both of them). Instead, Alt-F1 and Alt-F2 are set to
perform their actions (start the ToolsMacro dialog and VBA Editor
respectively) - a kind of "backdoor", so that the virus author (and
those "in-the-know") could still use them.
The virus also rebinds the Tools/Customize, Tools/Options,
Tools/Templates and Add-Ins, Tools/Macro/Macros and Tools/Macro/Visual
Basic Editor menu items to execute its AutoClose subroutine. However,
the virus accesses these menu items by name - and it uses the Chinese
names for them - so, this rebinding will be successful only under the
Chinese language version of Word 97. Finally, the virus rebinds all
items on the "Visual Basic" command bar to its AutoClose subroutine
and proceeds to save all opened documents.
The payload of the virus activates when the system date indicates the
the current month is July. If this is the case, the virus displays an
input message box, asking the user something in Chinese. I can't read
Chinese, so I don't know what the message says. If the user accepts
the proposed default answer (also in Chinese) by clicking on the OK
button, the virus displays the message (this time in broken English)
"You are wise,please choose this later again,critically!" and exits.
If the user presses the Cancel button (or enters anything but the
default response), the virus keeps asking the same question two more
times. Then it "loses patience", displays the message
Stop it!you are so incurable to lose 3 chances!
Now,god will punish you...
and modifies the user's C:\AUTOEXEC.BAT file, appending to it the line
Usually this means that on the next reboot all files on drive C: will
Finally, the virus searches all running tasks for one containing the
string "Visual Basic" in its name (usually - the VBA Editor) and hides
it - obviously, in an attempt to prevent the user from debugging it.
In general, we do not think that this virus presents any serious
threat - and it certainly does not deserve the media attention it has
received. It is simply just yet another boring, stupid, badly written
virus, created by somebody with more time on his hands than brain in
his head. It is slow and obvious and has no significant chances of
surviving in the wild. Of course, our anti-virus products have been
updated to recognize, identify and disinfect the virus (they already
could detect it with our macro virus heuristics). The virus has been
given undeserved attention by the media. Such scare tactics are, at
best, a questionable practice of some anti-virus producers to get
public exposure. In the long run, it harms both the anti-virus
industry and the users and only serves to boost the virus writer's ego
[Dr. Vesselin Bontchev, FRISK Software International]