Summary

The W97M/JulyKiller.A is a rather unremarkable macro virus for Word 97. The virus is obviously of Far Eastern origin - probably Chinese. It is a native W97M virus but, like many other such Chinese viruses, most of it is upconverted WordBasic code - obviously its author was not familiar with Visual Basic for Applications - the programming language of Office 97 applications.

Additional Details

The virus consists of a single VBA5 module named "a". The module contains 4 subroutines with identical contents - AutoOpen, AutoClose, AutoNew and AutoExec. Therefore, the virus receives control each time a document is opened, closed, created, or when Word is started.

When it receives control, the first thing the virus does is to examine all add-ins (accessible via Tools/Templates and Add-Ins of Word 97's menus) and unload all of those, whose name is not Autoexec.dot. The virus then changes the path of Word's Startup folder (accessible via Tools/Options/File Locations of the menus of Word 97) to C:\. Then it turns off the built-in macro virus protection of Word 97.

If the virus is running from a document containing the word "Autoexec" anywhere in its name, the virus checks whether any of the opened documents or the global template is infected. (This is determined by checking for the presence of a module named "a".) If neither of them is, the virus opens the document C:\Autoexec.dot (in a way which prevents it from appearing on the list of Most Recently Used files on Word's menu) and copies itself from that document to all opened documents and templates, the VBA projects in which are not protected.

The virus then checks whether a file named "Autoexec.dot" is present in the root directory of drive C:. If it is not, a new template is created, it is infected, and is saved in a file with this name. Again, the virus takes care to prevent the name of this file from appearing on the MRU list.

The next action of the virus is to inspect all opened documents (except the one it is running from) and templates. If their VBA projects are not protected, it looks there for modules named AutoOpen, AutoClose, AutoNew and FileSave and removes them. This might be a measure against another, competing virus, or against some unknown anti-virus product. The virus then proceeds to infect these documents and templates.

Next, the virus performs some key and menu redirections. The key shortcuts Alt-F8 (default for Tools/Macro/Macros) and Alt-F11 (default for Tools/Macro/Visual Basic Editor) are redirected to perform File/Save As (both of them). Instead, Alt-F1 and Alt-F2 are set to perform their actions (start the ToolsMacro dialog and VBA Editor respectively) - a kind of "backdoor", so that the virus author (and those "in-the-know") could still use them.

The virus also rebinds the Tools/Customize, Tools/Options, Tools/Templates and Add-Ins, Tools/Macro/Macros and Tools/Macro/Visual Basic Editor menu items to execute its AutoClose subroutine. However, the virus accesses these menu items by name - and it uses the Chinese names for them - so, this rebinding will be successful only under the Chinese language version of Word 97. Finally, the virus rebinds all items on the "Visual Basic" command bar to its AutoClose subroutine and proceeds to save all opened documents.

The payload of the virus activates when the system date indicates the the current month is July. If this is the case, the virus displays an input message box, asking the user something in Chinese. I can't read Chinese, so I don't know what the message says. If the user accepts the proposed default answer (also in Chinese) by clicking on the OK button, the virus displays the message (this time in broken English) "You are wise,please choose this later again,critically!" and exits.

If the user presses the Cancel button (or enters anything but the default response), the virus keeps asking the same question two more times. Then it "loses patience", displays the message

	Stop it!you are so incurable to lose 3 chances!
	Now,god will punish you...

and modifies the user's C:\AUTOEXEC.BAT file, appending to it the line

	deltree/y c:\

Usually this means that on the next reboot all files on drive C: will be removed.

Finally, the virus searches all running tasks for one containing the string "Visual Basic" in its name (usually - the VBA Editor) and hides it - obviously, in an attempt to prevent the user from debugging it.

In general, we do not think that this virus presents any serious threat - and it certainly does not deserve the media attention it has received. It is simply just yet another boring, stupid, badly written virus, created by somebody with more time on his hands than brain in his head. It is slow and obvious and has no significant chances of surviving in the wild. Of course, our anti-virus products have been updated to recognize, identify and disinfect the virus (they already could detect it with our macro virus heuristics). The virus has been given undeserved attention by the media. Such scare tactics are, at best, a questionable practice of some anti-virus producers to get public exposure. In the long run, it harms both the anti-virus industry and the users and only serves to boost the virus writer's ego unnecessarily.

[Dr. Vesselin Bontchev, FRISK Software International]