W97M/Mutalisk.A is a MS Word 97 polymorphic macro virus. The polymorphism consist of modifying the commented lines.
Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.
More information on scanning and removal options available in your F-Secure product can be found in the Help Center.
You may also refer to the Knowledge Base on the F-Secure Community site for more information.
Every time when infect documents the virus beep and shows its code by running the VBA Editor. At the same time it tries to be stealth by deleting the virus code when the user starts the VB Editor. After that it rebuilds itself. In addition it saves the active document as c:\ReadMe.doc.
One of the virus payload is that every time when an infected file is opened or a new is created it will try to delete Anti-Virus products installed on the users computer.
The other payload of W97M/Mutalisk.A uses mIRC chat application if it is installed. It will try to overwrite the script.ini file with its own. At the same time it saves the active infected document as c:\mirc\backup\Y2K.doc. Next time when mIRC is used it will try to send out this infected document.
Mutalisk.A also hooks Tools/Macro and File/Templates menus.
This variant is similar to W97M/Mutalisk.A except that it doesn't save the active document as c:\ReadMe.doc when the user open VB Editor.
Technical Details:Katrin Tocheva and Sami Rautiainen F-Secure Ltd