Category :


Type :


Platform :


Aliases :



This is a family of Word macro viruses and most of them are polymorphic.


Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details


This polymorphic macro virus variant drops an executable file infected with CIH virus.

When the virus is executed, it creates a file "C:\moody.dat". The virus uses this file as a counter. The virus adds to this file the following text:

Flitnic has enjoyed your system at: (date), (time)

every time when it executes.

When W97M/IIS.I virus has executed 100 times, i.e. the file "c:\moody.dat" contains 100 lines, it activates its payload.

First it changes the Word title to:

Now you're dead my son!

Then it will drop and execute a file "c:\killer.exe". This file is infected with a CIH 1035 virus variant. It however does not activate its payload.

Before the virus attempts to execute the dropped file, the macro virus displays a message box:

Do you know Flitnic? No? But now you will remember him!

 (variable) sure!

 He has asked CIH to crash your system!

To hide itself, the virus will launch another minimized Word. After this, it will remove itself from the current Word, both active document and global template, so the user can't see the virus code via "Tools/Macros/Visual Basic Editor" or "Tools/Macros/Macro" menus.

The virus keeps its code in "c:\f**k.txt" and uses it to import/export its code when it infects documents. The virus writer uses his nickname as a marker.

When the macro virus executes, it infects all existing documents with extension ".doc" on the "C:" drive. It creates an empty file, "C:\temp.dat" to check whenever the virus is running or not. W97M/IIS.I creates a list of the documents on the drive, and first attempts to rename the documents with extension ".temp". After that it renames back and infects them.

On that way the virus will try to infect files that are not Word for Windows documents. This will cause error messages.