W97M/Osm.A is a companion macro virus discovered at the end of May
1999. It doesn't infect "Normal.dot" or documents. This macro virus
replicates attaching a template "Default.dot" in the documents. This
template is a separate file that contains the macro virus code.
When an infected document is opened, the virus attempts to copy the
"Default.dot" file from the active document's directory to the Word's
startup directory with the name "Startup.dot". This way the macro
virus code executes every time when Word is opened. Once installed the
virus replicates by copying the "Startup.dot" as "Default.dot" to the
active document's directory, and attaching this template to the
document during the save operation.
The virus will not spread further on another computer if the
"Default.dot" template is deleted and the user opens the document.
W97M/Osm.A virus hides the "Tools/Macro" dialog by creating its own
dialog box similar to the original one. Any attempt to change or
create a macro fails and the virus shows a message box:
You do not have permission to create macros on this computer.
The virus code is invisible via "Tools/Macro/Visual Basic Editor",
because the template project is originally password protected.
Additionally the attached template contains a hidden embedded
executable file "A:\osm32.EXE" that contains a dropper of Back Orifice
trojan which is infected twice with W95/Marburg.8582 virus. The macro
virus executes this embedded file by activating it, using Visual Basic
command.
Since the embedding of the executable file contains the reference to
drive "A:", the virus may cause an error when the macro virus is
executed from another drive or directory. However, this doesn't stop
the macro virus to replicate and to execute the infected embedded
executable file.
As a result of all these attached and embedded virus codes, the macro
virus will cause infection with tree different viruses/trojans.
[Analysis: Katrin Tocheva, Sami Rautiainen and Peter Szor, F-Secure 1999]
![](/images/pixel.gif"){kind=tracking}
