Products
- Cross Device
- PC & Mac
- Mobile/Tablet
- Other Services
  - McAfee Virus Removal Service
  - View All
- Free Tools
Virus Information
Security Advice
Support
Free Trials

Virus Profile: W97M/Opey.bg

Threat Search

Virus Profile information details
Risk Assessment:	Home Low \| Corporate Low
Date Discovered:	2/5/2003
Date Added:	2/26/2003
Origin:	Unknown
Length:	N/A
Type:	Virus
Subtype:	Macro
DAT Required:	4247
Removal Instructions

Overview
Virus Characteristics
Removal Instructions

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

Payloads mentioned above. Help/About producing the message displayed above.

Methods of Infection

Opening infected documents will directly infect the local Word environment and any document used thereafter.

Aliases

W97M.Hopel.A (NAV)

View Virus Characteristics

Virus Characteristics

This threat is detected as W97M/Opey.bg. The virus contains one module - Pukka and is partly encrypted. Tools/Macro and Tools/Visual Basic Editor are disabled. The macro warning protection will also be disabled. The virus may save itself in the hard coded directory as C:\WINDOWS\COMMAND\nt.txt. It may also modify the autoexcec.bat and drop C:\WINDOWS\COMMAND\t.bat and C:\windows\command\tmp.bat.

If the date is is greater than the 1st of November 2002, the virus will change the following details in Tools/Options/User Information:
Name = "PUKKA", Initials = "^^^", Mailing Address = "PHILIPPINES". Also, details in File/Properties/Summary will have the following changes:
Author = "PUKKA" and Keywords = "HOPELOSJAVSI". The virus may modify printing and page setup options. Also settings in Tools/Options may be modifed.

Help/About will display the following message:

This virus has different payloads. On a random day, the virus will modify the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion, "RegisteredOrganization" = "HOPELOSJAVSI"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion, "RegisteredOwner" = "PUKKA"

If day is 21st of October, the following registry changes will be made:

HKEY_USERS\.Default\Control Panel\International, "s1159" = "PUKKA"
HKEY_USERS\.Default\Control Panel\International, "s2359" = "PUKKA"
HKEY_USERS\.Default\Control Panel\International, "s1159" = "AM"
HKEY_USERS\.Default\Control Panel\International, "s2359" = "PM"

The virus also has a random day and weekday activated payloads. If the random day lands on one of the following weekdays, one or more of the following payloads will be executed:

MONDAY:

The file c:\windows\system\epson9.drv may be deleted
The following files may be renamed:
- c:\windows\system\netbeui.vxd to c:\windows\system\iuebten.vxd
- c:\windows\command\command.com to c:\windows\command\dnammoc.com
- c:\command.com to c:\dnammoc.com
- c:\windows\system\mouse.drv to c:\windows\system\esuom.drv
The virus may set the document password to 013000
The following registry change may be made:
- HKEY_USERS\.Default\Control Panel\International, "sDecimal"= "$

TUESDAY:

The following files may be renamed:
- c:\windows\system\cm8330.drv to c:\windows\system\0338mc.drv
- c:\windows\system\cm8330.vxd to c:\windows\system\0338mc.vxd
- c:\windows\system\vmm32.vxd to c:\windows\system\23mmv.vxd
The virus may change the page setup
The following registry change may be made:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
  MS-DOSOptions\DOSSettings, "Config.Sys" = "DOS=SINGLE"

WEDNESDAY:

The following files may be renamed:
- c:\windows\system\sis597m.drv to c:\windows\system\m795sis.drv
- c:\windows\system\sis597m.vxd to c:\windows\system\m795sis.vxd
- c:\windows\explorer.exe to c:\windows\rerolpxe.exe
- c:\windows\system\vmm32.vxd to c:\windows\system\23mmv.vxd
The virus may set the document password to 013000
The virus may change the page setup.
The virus may convert characters in the document to uppercase

THURSDAY:

The following files may be renamed:
- c:\windows\system\dplay.dll to c:\windows\system\yalpd.dll
- c:\windows\system\dplayx.dll to c:\windows\system\xyalpd.dll
The virus may remove the scrollbars.
The virus may replace all instances of the word "the" with "^o^"
The virus may set the document password to 013000

FRIDAY:

The following files may be renamed:
- c:\windows\system\sage.dll to c:\windows\system\egas.dll
The virus may change the print settings.
The virus may disable the Formatting and Standard command bars.

SATURDAY:

The following file may be renamed:
- c:\windows\system\comdlg32.dll to c:\windows\system\23gldmoc.dll

SUNDAY:

The virus may remove some Formatting command bars.

On a random day the virus may change some print settings and rename the following files:

c:\windows\system\ndis.vxd to c:\windows\system\sidn.vxd
c:\windows\system\nwlink.vxd to c:\windows\system\knilwn.vxd
c:\windows\system\vredir.vxd to c:\windows\system\riderv.vxd

Back To Overview View Removal Instructions

Use current engine and DAT files for detection and removal.

It is very common for macro viruses to disable options within Office applications for example in Word, the macro protection warning commonly is disabled. After cleaning macro viruses, ensure that your previously set options are again enabled.

AVERT Recommended Updates:

* Office 2000 updates

* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch)

View Virus Characteristics