ZMK

Classification

Malware

Virus

W32

World Cup Fever, WorldCup98

Summary

ZMK is a family of simple Word macro viruses.

Automatic action

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

Suspect a file is incorrectly detected (a False Positive)?

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    NOTE If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note You need administrative rights to change the settings.

For more Support

Community

Find the latest advice in our Community.

User Guide

See the user guide for your product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details

This variant is trying to use the Soccer World Cup 98 as a gimmick to get publicity.

WM/ZMK.J activates on the 12th of July (the day of the championship match of World Cup 98).

When an infected user opens Word that day, a pop up screen will display a message in French:

Virus WorldCup98
VIVE LA COUPE DU MONDE 98!!!!
(In English: Viva the WorldCup 98!)

 

Then another dialog:

Hip Hip Hourra!!!!
J'espere que tu aime le football...
(I hope you like soccer...)
 

Then the virus asks the user to choose his favourite for the champioship, with the following choices:

  • Brazil
  • Spain
  • England
  • Italy
  • Mexico
  • Argentina
  • France
  • Yogoslavia
  • German

After this, the virus selects a team by random. If the teams match, the virus displays:

Bravo!!! 			

If the user lost in his bet:

Dommage pour toi, tu as PERDU...mon choix était:...
(Pity for you, you have lost....my choice was....)

The same activation routine is called by random if an infected document is opened exactly on the 12th second of a minute.

The virus also contains this text:

ZeMacroKiller98 est heureux ladédier ce virus
o tous ceux qui aime FOOTBALL
(ZeMacroKiller98 is happy to dedicate this virus
to everyone who likes soccer)
 

The virus also has two random activation routines. First one of these attempts to overwrite the C:\AUTOEXEC.BAT file with this:

  • Cls
  • Echo La coupe du monde 98 c'est génial!!!!
  • Echo y|Format c: /u /v:WorldCup98
  • Echo o|Format c: /u /v:WorldCup98

The second one tries to delete these files:

  • C:\DOS\*.*
  • C:\WINDOWS\COMMAND\*.*
  • C:\MSDOS.SYS

Variant:ZMK.J

This variant is trying to use the Soccer World Cup 98 as a gimmick to get publicity.

WM/ZMK.J activates on the 12th of July (the day of the championship match of World Cup 98). When an infected user opens Word that day, a pop up screen will display a message in French:

Virus WorldCup98 VIVE LA COUPE DU MONDE 98!!!! (In English: Viva the WorldCup 98!) Then another dialog: Hip Hip Hourra!!!! J'espere que tu aime le football... (I hope you like soccer...)

 

Then the virus asks the user to choose his favourite for the championship, with the following choices: Brazil Spain England Italy Mexico Argentina France Yogoslavia German

After this, the virus selects a team by random. If the teams match, the virus displays:

Bravo!!! If the user lost: Dommage pour toi, tu as PERDU...mon choix ?it:... (Pity for you, you have lost....my choice was....)

 

The same activation routine is called by random if an infected document is opened exactly on the 12th second of a minute.

The virus also contains this text:

ZeMacroKiller98 est heureux lad?er ce virus o tous ceux qui aime FOOTBALL (ZeMacroKiller98 is happy to dedicate this virus to everyone who likes soccer)
			

The virus also has two random activation routines. First one of these attempts to overwrite the C:\AUTOEXEC.BAT file with this:

Cls Echo La coupe du monde 98 c'est g?al!!!! Echo y|Format c: /u /v:WorldCup98 Echo o|Format c: /u /v:WorldCup98 			

The second one tries to delete these files:

  • C:\DOS\*.*
  • C:\DOS\*.*
  • C:\WINDOWS\COMMAND\*.*
  • C:\MSDOS.SYS C:\IO.SYS