Threat description




This is a family of Word macro viruses and most of them are polymorphic.


Automatic action

Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.

More scanning & removal options

More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details


This polymorphic macro virus variant drops an executable file infected with CIH virus.

When the virus is executed, it creates a file "C:\moody.dat". The virus uses this file as a counter. The virus adds to this file the following text:

Flitnic has enjoyed your system at: (date), (time)

every time when it executes.

When W97M/IIS.I virus has executed 100 times, i.e. the file "c:\moody.dat" contains 100 lines, it activates its payload.

First it changes the Word title to:

Now you're dead my son!

Then it will drop and execute a file "c:\killer.exe". This file is infected with a CIH 1035 virus variant. It however does not activate its payload.

Before the virus attempts to execute the dropped file, the macro virus displays a message box:

Do you know Flitnic? No? But now you will remember him!

 (variable) sure!

 He has asked CIH to crash your system!

To hide itself, the virus will launch another minimized Word. After this, it will remove itself from the current Word, both active document and global template, so the user can't see the virus code via "Tools/Macros/Visual Basic Editor" or "Tools/Macros/Macro" menus.

The virus keeps its code in "c:\f**k.txt" and uses it to import/export its code when it infects documents. The virus writer uses his nickname as a marker.

When the macro virus executes, it infects all existing documents with extension ".doc" on the "C:" drive. It creates an empty file, "C:\temp.dat" to check whenever the virus is running or not. W97M/IIS.I creates a list of the documents on the drive, and first attempts to rename the documents with extension ".temp". After that it renames back and infects them.

On that way the virus will try to infect files that are not Word for Windows documents. This will cause error messages.

Submit a Sample

Suspect a file or URL was wrongly detected? Send it to our Labs for further analysis

Submit a Sample

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

More Info