IIS

Variant:IIS.I

This polymorphic macro virus variant drops an executable file infected with CIH virus.

When the virus is executed, it creates a file "C:\moody.dat". The virus uses this file as a counter. The virus adds to this file the following text:

Flitnic has enjoyed your system at: (date), (time)

every time when it executes.

When W97M/IIS.I virus has executed 100 times, i.e. the file "c:\moody.dat" contains 100 lines, it activates its payload.

First it changes the Word title to:

Now you're dead my son!

Then it will drop and execute a file "c:\killer.exe". This file is infected with a CIH 1035 virus variant. It however does not activate its payload.

Before the virus attempts to execute the dropped file, the macro virus displays a message box:

Do you know Flitnic? No? But now you will remember him!

 (variable) sure!

 He has asked CIH to crash your system!

To hide itself, the virus will launch another minimized Word. After this, it will remove itself from the current Word, both active document and global template, so the user can't see the virus code via "Tools/Macros/Visual Basic Editor" or "Tools/Macros/Macro" menus.

The virus keeps its code in "c:\f**k.txt" and uses it to import/export its code when it infects documents. The virus writer uses his nickname as a marker.

When the macro virus executes, it infects all existing documents with extension ".doc" on the "C:" drive. It creates an empty file, "C:\temp.dat" to check whenever the virus is running or not. W97M/IIS.I creates a list of the documents on the drive, and first attempts to rename the documents with extension ".temp". After that it renames back and infects them.

On that way the virus will try to infect files that are not Word for Windows documents. This will cause error messages.