W97M/Mutalisk.A is a MS Word 97 polymorphic macro virus. The polymorphism consist of modifying the commented lines.
Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.
Detailed instructions for F-Secure security products are available in the documentation found in the Downloads section of our Home - Global site.
You may also refer to the Knowledge Base on the F-Secure Community site for further assistance.
Every time when infect documents the virus beep and shows its code by running the VBA Editor. At the same time it tries to be stealth by deleting the virus code when the user starts the VB Editor. After that it rebuilds itself. In addition it saves the active document as c:\ReadMe.doc.
One of the virus payload is that every time when an infected file is opened or a new is created it will try to delete Anti-Virus products installed on the users computer.
The other payload of W97M/Mutalisk.A uses mIRC chat application if it is installed. It will try to overwrite the script.ini file with its own. At the same time it saves the active infected document as c:\mirc\backup\Y2K.doc. Next time when mIRC is used it will try to send out this infected document.
Mutalisk.A also hooks Tools/Macro and File/Templates menus.
This variant is similar to W97M/Mutalisk.A except that it doesn't save the active document as c:\ReadMe.doc when the user open VB Editor.
Technical Details:Katrin Tocheva and Sami Rautiainen F-Secure Ltd