Classification

Category: Malware

Type: Virus

Platform: W97M

Aliases: Pri, PSD, Pri.A

Summary


W97M/Pri is a polymorphic Word 97 macro virus.

It activates when an infected document is opened. At this point it will check whether the global template is already infected or not. If it is not, the virus copies itself and modifies itself during this process.

When the virus has infected the global tempate, it infects all documents when they are closed. Also, the "Tools/Macros/Visual Basic Editor" menu is hooked which renders it in unusable state.

When the virus infects documents or the global template, it checks if the hour of the current time and minutes are the same. If the check passes, the payload will be create ten random shapes of random colors to the current document.

Removal


Automatic action

Based on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the detected program or file, or ask you for a desired action.

Knowledge Base

Find the latest advice in our Community Knowledge Base.

About the product

See the manual for your F-Secure product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details



Variant:Pri.B

This variant is very similar to W97M/Pri.A with only a few differences.

This variant adds a code to the hooked "Tools/Macros/Visual Basic Editor" menu that causes the Word to quit immediately without saving any changes.

The other difference is that the payload will create a random number of shapes instead of ten when activated.


Variant:Pri.Q (Prilissa, Melissa.W, Melissa.AG, W97M.Antisocial.G)

This variant contains a mass mailing part stolen from W97M/Melissa and a destructive payload.

Futher information about W97M/Melissa is available at: https://www.F-Secure.com/v-descs/melissa.shtml

The payload activates on 25th December. At that time the virus overwrites first "C:\Autoexec.bat" with a code that will format the "C:" drive immediately after the system has been restarted. However, this payload does not work in Windows NT. "Autoexec.bat" contains the following text, also:

Vine...Vide...Vice...Moslem Power Never End...

 Your Computer Have Just Been Terminated By -= CyberNET =- Virus !!!

When the virus has overwritten "C:\Autoexec.bat" it shows a message box with the following text:

Vine...Vide...Vice...Moslem Power Never End...

 You Dare Rise Against Me...The Human Era is Over, The CyberNET

 Era Has Come !!!

After that the virus adds a random number of shapes to the active document. These shapes are filled with a random color.

The virus mass mails itself to the first 50 recipients listed in each address book. The message that it sends looks like this:

Subject:

Message From (User Name)

 Body: This document is very Important

 and you've GOT to read this !!!

Where "(User Name)" is replaced with the name of the infected user. The message contains a copy of the infected active document, too.

Then the virus changes the registry to mark that the mass mailing has been done. The key

HKEY_CURRENT_USER\Software\Microsoft\Office\CyberNET

is set to value:

(C)1999 - Indonesia by AnomOke!

Once it has mass mailed itself, the virus replicates when a document is opened or closed.

The virus disables the built-in virus protection and hides the last recently opened files in the "File" menu. It also hooks both "Tools/Macros/Macro" and "Tools/Macros/Visual Basic Editor" menus.