Threat description




P97M/Attach is the first PowerPoint 97 macro virus. It was found in December 1998. It has several design flaws which make it extremely unlikely to spread.


Automatic action

Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.

More scanning & removal options

More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details

Attach is a direct-action infector, infecting all *.PPT files in the "C:\My Documents" folder, provided that their name doesn't start with a "~" (i.e., are not currently opened) and is not the same as the name of the presentation from which the virus is running.

In order to be infected, the presentation must contain user forms. All user forms of the presentation will be infected, with the virus inserting its code in front of the code already in the user form. (Most user forms contain at least some code already, since it doesn't make much sense to create an empty user form which does not respond to any events like button clicks, etc.).

The virus replicates only when the user terminates the form by clicking at the [x] button in the upper right corner of the form's window.

PP97M/Attach is not known to be in the wild, and is not likely to be, ever.

Submit a Sample

Suspect a file or URL was wrongly detected? Send it to our Labs for further analysis

Submit a Sample

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

More Info