When an infected document is closed, W97M/Lys.A creates three files to
the "C:\WINDOWS\SYSTEM" directory.
The first two files, "Jamie.dll" and "Jamie.sys", are used by the
virus to replicate.
The third file, "Jamie.vbs", is a Visual Basic script file. The virus
modifies the registry in a such way, that this script will be executed
when the system is restared. The script launches an hidden copy of
Word, and infects the global template.
After the global template has been infected, the virus infects all
opened documents.
The virus uses different methods to infect depending whenever it is
infecting global template or a document.
W97M/Lys.D is a modified variant of W97M/Lys.D. The names of the files
that the virus creates has been changed as follows: "Daydream.sys",
"Daydream.dll" and "Daydream.vbs". The directory where these files are
created remains the same, "C:\Windows\System".
Additionally this variant contains an payload. Every 15th day of each
month, the virus attempts to modify a single line from "C:\MSDOS.SYS"
file:
BootGUI=0
In the normal installation of Windows 98, this line should read:
BootGUI=1
The modification causes that the Windows 95 or 98 will boot to command
line instead of GUI.
[Analysis: Katrin Tocheva and Sami Rautiainen, F-Secure]
![](/images/pixel.gif"){kind=tracking}
