W97M.Pri.Q / W97M.Prilissa.A
Detected as: W97M.Antisocial.G
Aliases: W97M.Melissa.W, W97M.Prilissa.A
Area of Infection: MS Word Document
Likelihood: Common
Characteristics: Polymorphic, Trigger
Description
The W97M.Pri.Q virus infects Word 97 documents. It also spreads by sending an infected document as an attachment to an e-mail message. This is another variant of the W97M.Melissa.A virus. Because of the unknown virus and variant detection technology in Norton AntiVirus, the current virus definitions will detect this new virus as W97M.AntiSocial.G. This technology will allow Norton AntiVirus users to detect and repair W97M.Pri.Q without having a signature for this specific virus.
Symantec AntiVirus Research Center will update the virus definitions to detect this virus as W97M.Pri.Q in future virus definition files.
When an infected document is opened, the virus disables the virus protection security settings, the conversion confirmation and the recently opened file list. The first time the virus is executed on a system, it sends e-mail using MS Outlook to the first 50 addresses in each of the address lists. The message contains "Message From {username}" in the subject line, where {username} is the user name on the system. The body of the message contains "This document is very Important and you've GOT to read this !!!". The infected document is sent as an attachment to the message. The virus modifies the Windows registry so that it does not send e-mail upon subsequent execution of the virus.
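The message traits described above (subject prefix, body text, attached Word document) can be combined into a mail-filter check. The Python below is an added example, not part of the Symantec write-up; the sample messages, addresses and file names are constructed, and recognising a Word attachment by .doc/.dot extension or the application/msword type is an assumption.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the description above.
SUBJECT_PREFIX = "Message From "
BODY_MARKER = "This document is very Important and you've GOT to read this !!!"

def _norm(text):
    """Collapse whitespace and case so re-wrapped or re-cased copies still match."""
    return " ".join(text.split()).lower()

def match_indicators(raw):
    """Return which of the three described traits a raw RFC 822 message shows."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    # Assumption: a Word attachment is recognised by extension or MIME type.
    word_doc = any(
        (att.get_filename() or "").lower().endswith((".doc", ".dot"))
        or att.get_content_type() == "application/msword"
        for att in msg.iter_attachments()
    )
    subject = _norm(str(msg.get("Subject", "")))
    return {
        "subject": subject.startswith(SUBJECT_PREFIX.lower()),
        "body": _norm(BODY_MARKER) in _norm(body),
        "word_attachment": word_doc,
    }

def is_suspect(raw):
    """Flag only when all three traits co-occur; the subject alone is too generic."""
    return all(match_indicators(raw).values())

def build_sample(subject, body, attachment=None):
    """Constructed test message; addresses and file name are placeholders."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.test", "b@example.test", subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"placeholder, not a real document",
                         maintype="application", subtype="msword", filename=attachment)
    return m.as_bytes()

if __name__ == "__main__":
    hit = build_sample("Message From jdoe", BODY_MARKER, "report.doc")
    miss = build_sample("Message From Alice", "Lunch at noon?")
    print(is_suspect(hit), match_indicators(miss))
```

Requiring all three traits keeps ordinary mail whose subject merely begins with "Message From" out of the results.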
Next, the virus checks the date on the system to trigger its payload. On Dec.
25, the following text is displayed in a message box:
©1999 - CyberNET
Vine…Vide…Vice…Moslem Power Never End…
You Dare Rise Against Me… The Human
Era is Over, The CyberNET Era Has
Come !!!
Then, the virus copies itself to the global template in NORMAL.DOT. Once NORMAL.DOT is infected, the virus infects documents when the file is closed from Word. It also disables the Tools/Macro menu so that the viral macros are hidden.
Some of the variable and function names in the viral code change upon replication. The virus keeps a list of labels in its code. Upon infection, the virus randomly changes each of the labels to another label in the list.
Payload
On December 25, several payloads are triggered. The virus displays the message
box mentioned above. It also overlays several colored shapes onto the currently
opened document.
In addition, it overwrites AUTOEXEC.BAT to format the C: drive and display
the following text upon the next reboot of the system:
Vine…Vide…Vice…Moslem Power Never End…
Your Computer Have Just Been
Terminated By -= CyberNET =- Virus !!!
This information acquired from Symantec:
http://www.symantec.com/avcenter/venc/data/w97m.prilissa.a.html