IIS

Classification

Malware

Virus

W97M

IIS, SuperIIS

Summary

This is a family of Word macro viruses and most of them are polymorphic.

Removal

Automatic action

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

Find out more

Knowledge Base

Find the latest advice in our Community Knowledge Base.

User Guide

See the user guide for your product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details


Variant:IIS.I

This polymorphic macro virus variant drops an executable file infected with CIH virus.

When the virus is executed, it creates a file "C:\moody.dat". The virus uses this file as a counter. The virus adds to this file the following text:

Flitnic has enjoyed your system at: (date), (time)

every time when it executes.

When W97M/IIS.I virus has executed 100 times, i.e. the file "c:\moody.dat" contains 100 lines, it activates its payload.

First it changes the Word title to:

Now you're dead my son!

Then it will drop and execute a file "c:\killer.exe". This file is infected with a CIH 1035 virus variant. It however does not activate its payload.

Before the virus attempts to execute the dropped file, the macro virus displays a message box:

Do you know Flitnic? No? But now you will remember him!

 (variable) sure!

 He has asked CIH to crash your system!

To hide itself, the virus will launch another minimized Word. After this, it will remove itself from the current Word, both active document and global template, so the user can't see the virus code via "Tools/Macros/Visual Basic Editor" or "Tools/Macros/Macro" menus.

The virus keeps its code in "c:\f**k.txt" and uses it to import/export its code when it infects documents. The virus writer uses his nickname as a marker.

When the macro virus executes, it infects all existing documents with extension ".doc" on the "C:" drive. It creates an empty file, "C:\temp.dat" to check whenever the virus is running or not. W97M/IIS.I creates a list of the documents on the drive, and first attempts to rename the documents with extension ".temp". After that it renames back and infects them.

On that way the virus will try to infect files that are not Word for Windows documents. This will cause error messages.

Date Created: -

Date Last Modified: -