Classification

Category: Malware

Type: Virus

Platform: W97M

Aliases: Cybernet, O97M/Cybernet, Macro.Office.Cybernet

Summary

F-Secure has not received direct reports of this virus from the field, but we have second-hand reports confirming limited in-the-wild sightings of this virus in Australia and Canada.

Removal

Based on the settings of your F-Secure security program, it will either automatically delete, quarantine or rename the detected program or file, or ask you for a desired action.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Cybernet is based on W97M/Pri.Q. The worm part of the virus is quite close to Melissa, as it is a macro virus which uses Outlook to spread to the first 50 addresses in the local address book. However, Cybernet infects Excel's XLS files as well as Word's DOC files.

Further information about W97M/Pri.Q is available at http://www.F-Secure.com/v-descs/pri.shtml

To infect Excel, the virus creates an infected workbook, "CyberNET.xls", in the Excel startup directory.

In addition, the virus disables the macro virus warning from both Excel and Word.

The e-mail messages sent by Cybernet look like this:

  From: name-of-the-infected-user
  To: random-name-from-address-book
  Subject: You've GOT Mail !!!

  Please, saved the document after you read and don't show to
  anyone else. The document is also VIRUS FREE...so DISREGARD the
  virus protection warning !!!

  Attachment: random infected DOC file

Cybernet attempts to activate in August or December, when it tries to format the hard drive.

The payload activates on the 17th of August or the 25th of December, when it replaces c:\autoexec.bat with the text:

  Vine...Vide...Vice...Moslem Power Never End...
  I'm Really Sorry, This System Have Been Recycled By -= CyberNET =- Virus!!!
  Brought To You From INDONESIA...

A command to format the C:\ drive is added to c:\autoexec.bat as well. It will be executed when the Windows 95/98 system restarts. Furthermore, the virus modifies the c:\config.sys file so that the execution of autoexec.bat cannot be bypassed with the F5 or F8 keys.

On the activation dates the virus adds a random number of random shapes to the active document and shows this message:

  Assalamualaikum Li Kulli Muslim...Moslem Power Never End...
  Nothing Can Stop << CyberNET >> Virus. Your System Has Already Infected !!!
  Now...I Am Outta Here...

Then the virus exits Windows. This will allow the virus to execute autoexec.bat which will try to format the C: drive.

When the payload activates in Excel, it adds a random number of comments to the active workbook. Otherwise the payload is the same as the payload in the Word part.

The virus code contains three additional comments:

  W97M/CyberNET (C)2000 - Indonesia By AnomOke!
  I'm NOT Responsible For Any Damage That Posible Cause By My Virus...!!!
  anti-heuristic for stupid McAfee antivirus scanner
  anti-heuristic for stupid Norton antivirus scanner

O97M/Cybernet.A is slightly polymorphic; it changes its code between infections.
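
The on-disk artifacts described above (the "CyberNET.xls" workbook, the banner and format command in autoexec.bat, and the config.sys change) can be checked on a mounted copy of a Windows 95/98 volume. The following triage script is an added example, not F-Secure code. It assumes the format command appears as a line starting with "format c:" and that the F5/F8 bypass is disabled through the standard MS-DOS SWITCHES=/N directive, neither of which the description specifies; the sample volume it builds is constructed test data.

```python
import os
import re
import tempfile

MARKER = "-= cybernet =-"  # banner text the page says replaces autoexec.bat
DROPPED = "cybernet.xls"   # workbook name from the page (matched case-insensitively)
# Assumptions: the page gives neither the exact format command nor the config.sys change.
FORMAT_RE = re.compile(r"^\s*@?format(\.com)?\s+c:", re.I | re.M)
NO_BYPASS_RE = re.compile(r"^\s*switches\s*=.*/n\b", re.I | re.M)  # MS-DOS SWITCHES=/N

def read_text(path):
    with open(path, encoding="latin-1") as fh:
        return fh.read()

def triage(root):
    """Scan a mounted Windows 95/98 volume (read-only) and return sorted findings."""
    findings = set()
    for dirpath, _dirs, files in os.walk(root):
        top = os.path.samefile(dirpath, root)  # boot files only count in the volume root
        for name in files:
            low, full = name.lower(), os.path.join(dirpath, name)
            if low == DROPPED:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings.add("dropped-workbook:" + rel)
            elif top and low == "autoexec.bat":
                text = read_text(full)
                if MARKER in text.lower():
                    findings.add("autoexec-banner")
                if FORMAT_RE.search(text):
                    findings.add("autoexec-format-c")
            elif top and low == "config.sys" and NO_BYPASS_RE.search(read_text(full)):
                findings.add("config-f5-f8-bypass-disabled")
    return sorted(findings)

def make_sample(root, infected):
    """Build a constructed sample volume under root (test data, not a real capture)."""
    xlstart = os.path.join(root, "Program Files", "Microsoft Office", "Office", "XLSTART")
    os.makedirs(xlstart)
    auto = "@echo off\nset PATH=C:\\WINDOWS\n"
    cfg = "DEVICE=C:\\WINDOWS\\HIMEM.SYS\n"
    if infected:
        open(os.path.join(xlstart, "CyberNET.xls"), "wb").close()
        auto = "echo This System Have Been Recycled By -= CyberNET =- Virus!!!\nformat c:\n"
        cfg += "SWITCHES=/N\n"
    for name, body in (("AUTOEXEC.BAT", auto), ("CONFIG.SYS", cfg)):
        with open(os.path.join(root, name), "w", encoding="latin-1") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        make_sample(d, infected=True)
        print("\n".join(triage(d)))
```

A finding on the banner or the format line means the payload has already fired and the machine must not be rebooted from that volume until autoexec.bat and config.sys are restored.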