Threat Description

IIS

Details

Category: Malware
Type: Virus
Platform: W97M
Aliases: IIS, SuperIIS

Summary


This is a family of Word macro viruses and most of them are polymorphic.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on scanning or removal options is available in the documentation for your F-Secure security product on the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

For further assistance, F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.



Technical Details



Variant:IIS.I

This polymorphic macro virus variant drops an executable file infected with CIH virus.

When the virus is executed, it creates a file "C:\moody.dat". The virus uses this file as a counter. The virus adds to this file the following text:

  Flitnic has enjoyed your system at: (date), (time)  

every time when it executes.

When W97M/IIS.I virus has executed 100 times, i.e. the file "c:\moody.dat" contains 100 lines, it activates its payload.

First it changes the Word title to:

  Now you're dead my son!  

Then it will drop and execute a file "c:\killer.exe". This file is infected with a CIH 1035 virus variant. It however does not activate its payload.

Before the virus attempts to execute the dropped file, the macro virus displays a message box:

  Do you know Flitnic? No? But now you will remember him!     (variable) sure!     He has asked CIH to crash your system!  

To hide itself, the virus will launch another minimized Word. After this, it will remove itself from the current Word, both active document and global template, so the user can't see the virus code via "Tools/Macros/Visual Basic Editor" or "Tools/Macros/Macro" menus.

The virus keeps its code in "c:\f**k.txt" and uses it to import/export its code when it infects documents. The virus writer uses his nickname as a marker.

When the macro virus executes, it infects all existing documents with extension ".doc" on the "C:" drive. It creates an empty file, "C:\temp.dat" to check whenever the virus is running or not. W97M/IIS.I creates a list of the documents on the drive, and first attempts to rename the documents with extension ".temp". After that it renames back and infects them.

On that way the virus will try to infect files that are not Word for Windows documents. This will cause error messages.





Technical Details:Katrin Tocheva, Sami Rautiainen and Peter Szor, F-Secure 1999


SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More