For Home

Virus Profile: W97M/Seqnum

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 12/30/1999
Date Added: 1/20/2000
Origin: N/A
Length: N/A
Type: Virus
Subtype: Macro
DAT Required: 4060
Removal Instructions
   
 
 
   

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

Existence of file 8602.bas as mentioned above, relocation and/or removal of file WIN.INI on January 1 as mentioned above.

Methods of Infection

Opening infected documents will directly infect the local Word environment and any document used thereafter.
   

Virus Characteristics

This is a class module virus for Word 97 documents. It is able to replicate under the SR-1 and above release of Word 97. It will turn off the macro warning feature of Word 97. This virus consists of a single module within the class stream usually named "ThisDocument". This virus creates a temporary text file which contains the virus code in a file usually named "8602.bas" in the Microsoft Office Application directory.

This virus is named W97M/Seqnum due to a variable used for tracking a document property called "ConsecutiveHyphensLimit". The value stored in this property is used to initialize a variable named "SeqNum".

This virus hooks the system event of opening documents in Word97 by the subroutine "Document_Open" thereby running its code. Another system event hooked is the closure of documents by the subroutine "Document_Close".

This virus has one payload which occurs on January 1st of any year. The file WIN.INI is located and moved to the Microsoft Office Application directory and renamed usually by the name "8602".

This virus has another payload which occurs on the 3rd day of the week (Wednesday) which adds a footer to infected documents of usually "8602@hnet.pen".

   
Use specified engine and DAT files for detection and removal. Check for relocated WIN.INI in the Microsoft Office Application directory and replace into the Windows directory. Remove footer detail added to infected documents manually.