For Consumer

Virus Profile: W97M/Nebo

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 2/2/2000
Date Added: 6/2/2003
Origin: Unknown
Length: N/A
Type: Virus
Subtype: Macro
DAT Required: 4072
Removal Instructions
   
 
 
   

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

The above messages displayed. The presence of c:\Kefko.sys.

Methods of Infection

Opening an infected document will directly infect the local Word environment and any document opened thereafter.
   

Virus Characteristics

This threat is detected as W97M/Generic. The virus contains one module - Kefko. It will disable the macro warning protection for Word and exports its code to c:\Kefko.sys. This file is not infected.

The virus will change the Username to Dr.Virus. It will also add the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion RegisteredOwner = Dr.Virus
The following information will be added to File/Summary/Author = Dr.Virus, Comments = WM97.Kefko and Keywords = Všetko je OK.

The following AntiVirus files will be deleted:

  • C:\PROGRAMME\MCAFEE\VIRUSSCAN\*.*
  • C:\PROGRAMME\MCAFEE\VIRUSSCAN95\*.*
  • C:\Programme\Dr Solomon's\Anti-Virus Toolkit\*.*
  • C:\PROGRAMME\TBAV\TBAV.DAT
  • C:\TBAV\TBAV.DAT
  • C:\Programme\Norton Antivirus\V32scan.dll
  • C:\Programme\Norton Antivirus\Virscan.dat

On the 19th of any month, the following message will be displayed:

Tools/Macro, Tools/Visual Basic Editor, Format/Style and File/Templates will display the following message:

   
Use current engine and DAT files for detection and removal.

It is very common for macro viruses to disable options within Office applications for example in Word, the macro protection warning commonly is disabled. After cleaning macro viruses, ensure that your previously set options are again enabled.

AVERT Recommended Updates:

* Office 2000 updates

* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch)