Threat description




W97M/Pri is a polymorphic Word 97 macro virus.

It activates when an infected document is opened. At this point it will check whether the global template is already infected or not. If it is not, the virus copies itself and modifies itself during this process.

When the virus has infected the global tempate, it infects all documents when they are closed. Also, the "Tools/Macros/Visual Basic Editor" menu is hooked which renders it in unusable state.

When the virus infects documents or the global template, it checks if the hour of the current time and minutes are the same. If the check passes, the payload will be create ten random shapes of random colors to the current document.


Automatic action

Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.

More scanning & removal options

More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details


This variant is very similar to W97M/Pri.A with only a few differences.

This variant adds a code to the hooked "Tools/Macros/Visual Basic Editor" menu that causes the Word to quit immediately without saving any changes.

The other difference is that the payload will create a random number of shapes instead of ten when activated.

Variant:Pri.Q (Prilissa, Melissa.W, Melissa.AG, W97M.Antisocial.G)

This variant contains a mass mailing part stolen from W97M/Melissa and a destructive payload.

Futher information about W97M/Melissa is available at:

The payload activates on 25th December. At that time the virus overwrites first "C:\Autoexec.bat" with a code that will format the "C:" drive immediately after the system has been restarted. However, this payload does not work in Windows NT. "Autoexec.bat" contains the following text, also:

Vine...Vide...Vice...Moslem Power Never End...

 Your Computer Have Just Been Terminated By -= CyberNET =- Virus !!!

When the virus has overwritten "C:\Autoexec.bat" it shows a message box with the following text:

Vine...Vide...Vice...Moslem Power Never End...

 You Dare Rise Against Me...The Human Era is Over, The CyberNET

 Era Has Come !!!

After that the virus adds a random number of shapes to the active document. These shapes are filled with a random color.

The virus mass mails itself to the first 50 recipients listed in each address book. The message that it sends looks like this:


Message From (User Name)


 This document is very Important

 and you've GOT to read this !!!

Where "(User Name)" is replaced with the name of the infected user. The message contains a copy of the infected active document, too.

Then the virus changes the registry to mark that the mass mailing has been done. The key


is set to value:

(C)1999 - Indonesia by AnomOke!

Once it has mass mailed itself, the virus replicates when a document is opened or closed.

The virus disables the built-in virus protection and hides the last recently opened files in the "File" menu. It also hooks both "Tools/Macros/Macro" and "Tools/Macros/Visual Basic Editor" menus.

Submit a Sample

Suspect a file or URL was wrongly detected? Send it to our Labs for further analysis

Submit a Sample

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

More Info