This is a family of Word viruses generated with a macro virus construction kit.
Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.
Cartman, Poppy, Kenny
Cartman is a Word 97 macro virus similar to Blee.B. This virus appeared at the beginning of January 1998. The virus makes several references to the TV comic series "South Park" and its character "Kenny".
Like Blee.B, this virus changes the document Summary Info, but the information inside is different:
Author = "VicodinES"
Title = "Another W97M/Cartman.Poppy Infected Document"
Subject = "Macro Virus Infection by The Narkotic Network"
Comments = "Hello from VicodinES and The Narkotic Network ...we mean you no harm"
Keywords = " | VicodinES | Klonopin.Jones | Fastin.Blee | "
The virus contains the following text, which it never displays:
W97M/Cartman.Poppy By VicodinES (The Kyle of The Virus Underground) Macro Virus for Word 97 "The Fat-a** Macro97 Engine v2.3 featuring Starvin' Marvin Technology"
Cartman creates the msfile.bat file, executes it and then deletes it. If the global template is write-protected, msfile.bat tries to delete all files from the c:\progra~1\micros~1\templa~1 and c:\progra~1\micros~2\templa~1 directories.
Any attempt to open either the Tools/Macro or the Tools/Templates menu will destroy all information in the active document. In this case, Cartman displays a dialog box prompting the user to save the file and then tries to connect to the Yahoo web site, searching for:
Finally Cartman displays a message box with the following text:
The Narkotic Network You Killed Kenny, You Bastard! OK
After this, the virus exits Word.
If there are no documents currently open in Word, the virus does not attempt to connect to Yahoo. It will only display the same message box.
W97M/VMPCK1.I gets control when an infected document is opened. At this point it disables the built-in macro virus protection and infects the global template.
After that every document opened in Word will be infected.
This virus has a destructive payload that activates every Thursday. On that day, it replaces "c:\autoexec.bat" with the following text file:
This should be your Autoexec.bat file But now, I'm afraid, it's just a text file That will teach you to feed me with fish STOP ALL NUCLEAR TESTING IN THE THIRD WORLD
When an infected document is saved with "File/Save As" there is a 1/3 chance that the virus displays an input box with the following text:
Hello! I'm Food.Eddshead, and I am hungry! If you want to continual using Word you must feed me. Be careful, some foods make me ill, and you don't want to make me angry - do you?
This dialog can be dismissed by entering the pass phrase "chips". However, the phrases "fish", "sausages", "beef burgers" and "ham burgers" will cause the payload to activate at once.
When Word is closed, the virus attempts to infect all documents with extension ".doc" from the current directory.
W97M/VMPCK1.BG is a macro virus that activates when an infected document is opened.
When it gets control, it disables the built-in macro virus protection and the following menu selections: "Tools/Macro", "Tools/Templates & Add-Ins...", "Tools/Customize", "View/Toolbars" and "Edit/Select All".
Then it infects the global template. After that it will infect every document that is created, opened, closed or saved. It also hooks "Tools/AutoCorrect" and "Tools/Options" menus to avoid detection.
This virus has a payload that activates when the minutes of the system time are more than 54 or less than 6. When this happens, the virus switches the setting "Tools/Options/General/Blue background, white text" on and adds a number of AutoCorrect entries in different colors.
W97M/VMPCK1.BR is a slightly modified variant of W97M/VMPCK1.BG.
W97M/VMPCK1.BU is a slightly modified variant of W97M/VMPCK1.I.
When an infected document is opened, W97M/VMPCK1.BY creates a temporary file "C:\XIX.DRV" and infects the global template. After that it infects every document that is opened.
The virus makes the following modifications to the document summary information:
Author: "VOTA NAO A REGIONALIZACAO! SIM AO REFORCO DO MUNICIPALISMO!"
Subject: "JOAO JARDIM x8?! PORRA! DIA 8 VOTA NAO!"
Comments: "A REGIONALIZACAO E UM ERRO COLOSSAL!"
Furthermore, it hooks the "Tools\Macros\Macro", "Tools\Macros\Visual Basic Editor" and "File\Templates" menu selections, making them unusable. When the virus infects or when the user attempts to access one of the menus mentioned above, there is a 1:100 chance that the virus displays a message box with the following text:
Dia 8 de Novembro VOTA NAO a regionalizacao!
W97M/VMPCK1.BY hooks the "Help/About" menu as well, replacing the About dialog with a message box:
Joao Jardim x8?! Porra! Dia 8 Vota NAO!
On the 8th day of each month the virus activates its payload. The payload searches for the text:
and replaces it with the following text:
nao a regionalizacao!
Then the virus removes "Edit/Undo", "Edit/Repeat Replace..." and "Edit/Replace..." menu selections and saves the active document.
W97M/VMPCK1.DD is similar to W97M/VMPCK1.BY.
This variant replaces the "Help/About" dialog with a message box that contains the following text:
CAPut! by --=|| N|c0t|N ||=-- (c) 1998
It also hooks "Tools/Macros/Macro" and "Tools/Macros/Visual Basic Editor" menus with a message box:
Word Basic Err = 7
W97M/VMPCK1.DD activates its payload at random times. When the payload activates, the virus replaces all occurrences of "19" in the active document with the text "CAPut!'".
The virus also replaces the comment from the document summary with the text:
JU$t bEEn CAPuted!
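The summary-information changes described above for Cartman, W97M/VMPCK1.BY and W97M/VMPCK1.DD can be used to triage a document set. The following is an added example, not F-Secure code: it assumes the summary properties have already been extracted into a dictionary by some other tool, the sample metadata is constructed, and the diacritic folding assumes that files may carry accented forms of the strings this page shows in ASCII.

```python
import unicodedata

# Summary-info strings quoted on this page, keyed by variant: (property, substring).
MARKERS = {
    "Cartman": [("author", "VicodinES"),
                ("title", "W97M/Cartman.Poppy Infected Document"),
                ("subject", "Macro Virus Infection by The Narkotic Network")],
    "W97M/VMPCK1.BY": [("author", "VOTA NAO A REGIONALIZACAO"),
                       ("subject", "JOAO JARDIM x8"),
                       ("comments", "A REGIONALIZACAO E UM ERRO COLOSSAL")],
    "W97M/VMPCK1.DD": [("comments", "JU$t bEEn CAPuted!")],
}

def fold(text):
    """Case-fold and strip diacritics so 'NÃO' and 'NAO' compare equal."""
    decomposed = unicodedata.normalize("NFKD", text or "")
    return "".join(c for c in decomposed if not unicodedata.combining(c)).casefold()

def triage(props):
    """Return {variant: [matched property names]} for one document's summary info."""
    folded = {key.lower(): fold(value) for key, value in props.items()}
    hits = {}
    for variant, markers in MARKERS.items():
        matched = [prop for prop, needle in markers
                   if fold(needle) in folded.get(prop, "")]
        if matched:
            hits[variant] = matched
    return hits

def scan(documents):
    """Return only the documents that matched, with the evidence for each."""
    results = {name: triage(props) for name, props in documents.items()}
    return {name: hits for name, hits in results.items() if hits}

# Constructed sample metadata (not taken from real files).
SAMPLES = {
    "report.doc": {"Author": "vicodines",
                   "Title": "Another W97M/Cartman.Poppy Infected Document"},
    "memo.doc": {"Author": "VOTA NÃO À REGIONALIZAÇÃO! SIM AO REFORÇO DO MUNICIPALISMO!",
                 "Comments": None},
    "notes.doc": {"Author": "J. Smith", "Comments": "JU$t bEEn CAPuted!"},
    "clean.doc": {"Author": "J. Smith", "Title": "Minutes"},
}

if __name__ == "__main__":
    for name, hits in scan(SAMPLES).items():
        print(name, hits)
```

A match on a single property is a lead for further inspection of the macro storage, not a verdict, since summary fields are freely editable.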
Technical Details: Katrin Tocheva and Sami Rautiainen, F-Secure