Threat Description

VMPCK1

Details

Aliases: VMPCK1, VMPC-based
Category: Malware
Type: Virus
Platform: W97M

Summary



This is a family of Word viruses generated with a macro virus construction kit.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You may also refer to General Removal Instructions for a general guide on alternative disinfection actions.



Technical Details




Variant: VMPCK1.E

Cartman, Poppy, Kenny

Cartman is a Word 97 macro virus similar to Blee.B. This virus appeared at the beginning of January 1998. The virus makes several references to the TV comic series "South Park" and its character "Kenny".

Like Blee.B, this virus changes the document Summary Info, but the information inside is different:

  Author = "VicodinES"
  Title = "Another W97M/Cartman.Poppy Infected Document"
  Subject = "Macro Virus Infection by The Narkotic Network"
  Comments = "Hello from VicodinES and The Narkotic Network
  ...we mean you no harm"
  Keywords = " | VicodinES | Klonopin.Jones | Fastin.Blee | "

The virus contains the following text, which it never displays:

  W97M/Cartman.Poppy
  By VicodinES (The Kyle of The Virus Underground)
  Macro Virus for Word 97
  "The Fat-a** Macro97 Engine v2.3 featuring Starvin'
  Marvin Technology"

Cartman creates the msfile.bat file, executes it and then deletes it. If the global template is write-protected, msfile.bat tries to delete all files from the c:\progra~1\micros~1\templa~1 and c:\progra~1\micros~2\templa~1 directories.

Any attempt to open either the Tools/Macro or the Tools/Templates menu destroys all information in the active document. In this case, Cartman displays a dialog box prompting the user to save the file and then tries to connect to the Yahoo web site, searching for:

http://www.yahoo.com/News_and_Media/Television/Shows/Cartoons/South_Park/

Finally Cartman displays a message box with the following text:

The Narkotic Network

  You Killed Kenny, You Bastard!

  OK

After this, the virus exits Word.

If there are no documents currently open in Word, the virus does not attempt to connect to Yahoo. It will only display the same message box.


Variant: VMPCK1.I

Edds

W97M/VMPCK1.I gets control when an infected document is opened. At this point it disables the built-in macro virus protection and infects the global template.

After that, every document opened in Word will be infected.

This virus has a destructive payload that activates every Thursday. On that day, it replaces "c:\autoexec.bat" with the following text file:

  This should be your Autoexec.bat file
  But now, I'm afraid, it's just a text file
  That will teach you to feed me with fish
  STOP ALL NUCLEAR TESTING IN THE THIRD WORLD

When an infected document is saved with "File/Save As", there is a 1/3 chance that the virus displays an input box with the following text:

  Hello! I'm Food.Eddshead, and I am hungry! If you want to
  continual using Word you must feed me. Be careful, some foods make
  me ill, and you don't want to make me angry - do you?

This dialog can be dismissed with the pass phrase "chips". However, the phrases "fish", "sausages", "beef burgers" and "ham burgers" cause the payload to activate at once.

When Word is closed, the virus attempts to infect all documents with the extension ".doc" in the current directory.


Variant: VMPCK1.BG

W97M/VMPCK1.BG is a macro virus that activates when an infected document is opened.

When it gets control, it disables the built-in macro virus protection and the following menu selections: "Tools/Macro", "Tools/Templates & Add-Ins...", "Tools/Customize", "View/Toolbars" and "Edit/Select All".

Then it infects the global template. After that, it infects every document that is created, opened, closed or saved. It also hooks the "Tools/AutoCorrect" and "Tools/Options" menus to avoid detection.

This virus has a payload that activates when the minutes of the system time are more than 54 or less than 6. When this happens, the virus switches the setting "Tools/Options/General/Blue background, white text" on and adds a number of AutoCorrect entries in different colors.


Variant: VMPCK1.BR

W97M/VMPCK1.BR is a slightly modified variant of W97M/VMPCK1.BG.


Variant: VMPCK1.BU

W97M/VMPCK1.BU is a slightly modified variant of W97M/VMPCK1.I.


Variant: VMPCK1.BY

When an infected document is opened, W97M/VMPCK1.BY creates a temporary file "C:\XIX.DRV" and infects the global template. After that, it infects every document that is opened.

The virus makes the following modifications to the document summary information:

  Author:   "VOTA NAO A REGIONALIZACAO! SIM AO REFORCO DO MUNICIPALISMO!"
  Subject:  "JOAO JARDIM x8?! PORRA! DIA 8 VOTA NAO!"
  Comments: "A REGIONALIZACAO E UM ERRO COLOSSAL!"

Furthermore, it hooks the "Tools\Macros\Macro", "Tools\Macros\Visual Basic Editor" and "File\Templates" menu selections, making them unusable. When the virus infects or when the user attempts to access one of the menus mentioned above, there is a 1:100 chance that the virus displays a message box with the following text:

  Dia 8 de Novembro VOTA NAO a regionalizacao!

W97M/VMPCK1.BY hooks the "Help/About" menu as well, replacing the About dialog with a message box:

  Joao Jardim x8?! Porra! Dia 8 Vota NAO!

On the 8th day of each month the virus activates its payload. The payload searches for the text:

  sim

and replaces it with the following text:

  nao a regionalizacao!

Then the virus removes the "Edit/Undo", "Edit/Repeat Replace..." and "Edit/Replace..." menu selections and saves the active document.


Variant: VMPCK1.DD

W97M/VMPCK1.DD is similar to W97M/VMPCK1.BY.

This variant replaces the "Help/About" dialog with a message box that contains the following text:

  CAPut!  by --=|| N|c0t|N ||=-- (c) 1998

It also hooks the "Tools/Macros/Macro" and "Tools/Macros/Visual Basic Editor" menus with a message box:

  Word Basic Err = 7

W97M/VMPCK1.DD activates its payload at random times. When the payload activates, the virus replaces all occurrences of "19" in the active document with the text "CAPut!'".

The virus also replaces the comment in the document summary with the text:

  JU$t bEEn CAPuted!





Technical Details: Katrin Tocheva and Sami Rautiainen, F-Secure
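
For triage, the summary-information strings and the autoexec.bat replacement text quoted in the variant descriptions can be matched against metadata already extracted from documents. The following is an added example, not F-Secure's detection logic; the lower-case field names, the function names and the sample records are assumptions constructed for illustration.

```python
import re

# Summary-info strings quoted in the variant descriptions above.
# Field names (lower-case keys) are an assumption of this example.
MARKERS = {
    "VMPCK1.E": {
        "author": "VicodinES",
        "title": "Another W97M/Cartman.Poppy Infected Document",
        "subject": "Macro Virus Infection by The Narkotic Network",
        "comments": "Hello from VicodinES and The Narkotic Network "
                    "...we mean you no harm",
    },
    "VMPCK1.BY": {
        "author": "VOTA NAO A REGIONALIZACAO! SIM AO REFORCO DO MUNICIPALISMO!",
        "subject": "JOAO JARDIM x8?! PORRA! DIA 8 VOTA NAO!",
        "comments": "A REGIONALIZACAO E UM ERRO COLOSSAL!",
    },
    "VMPCK1.DD": {"comments": "JU$t bEEn CAPuted!"},
}
AUTOEXEC_MARKER = "This should be your Autoexec.bat file"  # VMPCK1.I payload


def norm(text):
    """Collapse whitespace and case so re-wrapped field values still match."""
    return re.sub(r"\s+", " ", text or "").strip().casefold()


def match_summary(props):
    """Map variant -> (matched fields, 'full' or 'partial') for one document."""
    hits = {}
    for variant, markers in MARKERS.items():
        found = sorted(f for f, m in markers.items()
                       if norm(m) in norm(props.get(f)))
        if found:
            full = len(found) == len(markers)
            hits[variant] = (found, "full" if full else "partial")
    return hits


def autoexec_overwritten(content):
    """True when autoexec.bat starts with the VMPCK1.I replacement text."""
    return norm(content).startswith(norm(AUTOEXEC_MARKER))


# Constructed sample metadata (not taken from real files).
SAMPLES = {
    "report.doc": {"author": "VicodinES", "comments":
                   "Hello from VicodinES and The Narkotic Network\n ...we mean you no harm"},
    "minutes.doc": {"author": "J. Smith", "comments": "ju$t been caputed!"},
    "clean.doc": {"author": "J. Smith", "title": "Budget 1998"},
}
```

A "partial" result means only some of a variant's listed fields matched, which is expected when a document was edited after infection or when the metadata extractor omits a field.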

