This threat is detected as W97M/Generic and contians one module - Trug. The virus disables the macro warning protection in Word and will also modify the registry key if day is 2nd or 18th day of the month
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "SystemSettingƒ = "C:\Windows\TRUG.vbs"
It may disable commandbars and Visual Basic Editor will display the message:
On the 27th day of the month, it will delete the existing c:\autoexec.bat and replace it with a modified version that will format the c: and d: drive. This file is detected as VBS/Trugbar. On the 2nd or 18th of the month, the virus will drop the file TRUG.vbs
into the hard coded directory c:\Windows\System
. This vbs file attempts to overwrite all vxd, drv, inf, cab, zip, dat, com, exe and dll and adding the .vbs extension to these files. Due to bug in VBScript code, this does not happen. This file is detected as VBS/Trugbar.