Threat description


Category: Malware
Type: Virus
Platform: W97M


W97M/Venus is a Word 97 macro virus with a mass mailing ability.


Automatic action

Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.

More scanning & removal options

More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details


This virus first mass mails the active document to first 30 recipients from every address book. The mail is as follows:

  Subject: VIRUS WARNING!!! From (UserName)     Body:    Somebody by the nickname of Lucky Warrior, is sending  out a virus that could shut down your computer.  DO NOT  OPEN ANYTHING FROM HIM. I attached here the document that  contains info & removing instruction about this very  dangerous virus, just in case you encountered this.  Please practice cautionary measures & forward this to all  your on-line friends ASAP. 			  

where the "(UserName)" is replaced with the name of an infected user.

Then the virus adds a mark to the registry:

  Key:    HKEY_CURRENT_USER\Software\Microsoft\Office\Lucky Warrior     Value:  Do you know where Venus is? 	  

When this mark is present, the virus will no longer mass mail itself.

Next the virus infects the global template. During infection it creates an temporary file, "c:\Venus.sys". It also changes the label of the "C:" drive to "Venus".

If the global template, "" is a read-only or a system file, the virus creates an batch file, "msfile.bat" to the Windows starup directory. This batch file will attempts to delete the "" when the system is restarted.

Finally W97M/Venus.A removes both "Tools/Macros" and "Tools/Templates and add-ins..." menus, and hooks the "Help/About" menu with a message box containing the following text:

  Venus by Lucky Warrior 	  

The virus activates its payload every time when an infected document is opened, closed, saved or printed.

At this time the virus replaces all occurences of word "of" with a word "Venus". It also alters the document summary as follows:

  Author:  Lucky Warrior     Comment: Where is Venus?  


W97M/Venus.B slightly modified variant of W97M/Venus.A. When the virus infects the global template or active document, it changes the Word's title bar to:


and the Word user name to:

  Lucky Warrior 	  

Description Details: Analysis: Sami Rautiainen, F-Secure


Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Sample

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More