Venus

Variant:Venus.A@mm

This virus first mass mails the active document to first 30 recipients from every address book. The mail is as follows:

Subject: VIRUS WARNING!!! From (UserName) Body: Somebody by the nickname of Lucky Warrior, is sending out a virus that could shut down your computer. DO NOT OPEN ANYTHING FROM HIM. I attached here the document that contains info & removing instruction about this very dangerous virus, just in case you encountered this. Please practice cautionary measures & forward this to all your on-line friends ASAP.

where the "(UserName)" is replaced with the name of an infected user.

Then the virus adds a mark to the registry:

Key: HKEY_CURRENT_USER\Software\Microsoft\Office\Lucky Warrior Value: Do you know where Venus is?

When this mark is present, the virus will no longer mass mail itself.

Next the virus infects the global template. During infection it creates an temporary file, "c:\Venus.sys". It also changes the label of the "C:" drive to "Venus".

If the global template, "normal.dot" is a read-only or a system file, the virus creates an batch file, "msfile.bat" to the Windows starup directory. This batch file will attempts to delete the "normal.dot" when the system is restarted.

Finally W97M/Venus.A removes both "Tools/Macros" and "Tools/Templates and add-ins..." menus, and hooks the "Help/About" menu with a message box containing the following text:

Venus by Lucky Warrior

The virus activates its payload every time when an infected document is opened, closed, saved or printed.

At this time the virus replaces all occurences of word "of" with a word "Venus". It also alters the document summary as follows:

Author: Lucky Warrior Comment: Where is Venus?

Variant:Venus.B@mm

W97M/Venus.B slightly modified variant of W97M/Venus.A. When the virus infects the global template or active document, it changes the Word's title bar to:

Venus

and the Word user name to:

Lucky Warrior