Cybernet

Classification

Malware

Virus

W97M

Cybernet, O97M/Cybernet, Macro.Office.Cybernet

Summary

F-Secure has not received direct reports of this virus from the field, but we have second-hand reports confirming limited in-the-wild sightings of this virus in Australia and Canada.

Removal

Automatic action

Based on the settings of your F-Secure security program, it will either automatically delete, quarantine or rename the detected program or file, or ask you for a desired action.

Suspect a file is incorrectly detected (a False Positive)?

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it to F-Secure Labs for re-analysis.

    NOTE If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note You need administrative rights to change the settings.

Find out more

Knowledge Base

Find the latest advice in our Community Knowledge Base.

User Guide

See the user guide for your product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details

Cybernet is based on W97M/Pri.Q. The worm part of the virus is quite close to Melissa, as it is a macro virus which uses Outlook to spread to the first 50 addresses in the local address book. However, Cybernet infects Excel's XLS files as well as Word's DOC files.

Further information about W97M/Pri.Q is available at http://www.F-Secure.com/v-descs/pri.shtml

The virus creates an infected workbook to the Excel startup directory, "CyberNET.xls", to infect Excel.

In addition, the virus disables the macro virus warning from both Excel and Word.

The e-mail messages sent by Cybernet look like this:

From: name-of-the-infected-user
  To: random-name-from-address-book
  Subject: You've GOT Mail !!!
 Please, saved the document after you read and don't show to
  anyone else. The document is also VIRUS FREE...so DISREGARD the
  virus protection warning !!!
 Attachment: random infected DOC file

Cybernet will attempt to activate in August or December when it tries to format the hard drive.

The payload activates on 17th of August or 25th of December when it replaces c:\autoexec.bat with the text:

Vine...Vide...Vice...Moslem Power Never End...
 I'm Really Sorry, This System Have Been Recycled By -= CyberNET =- Virus!!!
          Brought To You From INDONESIA...

A command to format the C:\ drive is added to c:\autoexec.bat as well. It will be executed when the Windows 95/98 system restarts. Furthermore, the virus modifies the c:\config.sys file in a way that the execution of autoexec.bat cannot be bypassed with F5 or F8 keys.

On the activation dates the virus adds a random number of random shapes to the active document and shows this message:

Assalamualaikum Li Kulli Muslim...Moslem Power Never End...
  Nothing Can Stop << CyberNET >> Virus. Your System Has Already Infected !!!
  Now...I Am Outta Here...

Then the virus exits Windows. This will allow the virus to execute autoexec.bat which will try to format the C: drive.

When the payload activates in the Excel it adds a random number of comments to the active workbook. Otherwise the payload is the same as the payload in the Word part.

The virus code contains three additional comments:

W97M/CyberNET (C)2000 - Indonesia By AnomOke!
  I'm NOT Responsible For Any Damage That Posible Cause By My Virus...!!!
 anti-heuristic for stupid McAfee antivirus scanner
 anti-heuristic for stupid Norton antivirus scanner

O97M/Cybernet.A is slightly polymorphic; it changes it's code between infections.

Date Created: -

Date Last Modified: -