For Consumer

Virus Profile: W97M/Este

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 2/24/2000
Date Added: 2/25/2000
Origin: N/A
Length: N/A
Type: Virus
Subtype: Macro
DAT Required: 4068
Removal Instructions
   
 
 
   

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

Existence of hidden files named "c:\IOBuff#.vxd" where # is a number between 1 and 6, existence of a hidden file "C:\IODocs.dll", document properties modified as mentioned above, files replaced or deleted as mentioned above. Macro warning when opening infected documents on non-infected systems.

Methods of Infection

Opening infected documents will directly infect the global template and any document used on the system there after.
   

Virus Characteristics

This is a class module macro virus for Word97 documents and templates. This virus will disable the macro warning notification within Word97. This virus will also infect systems which have updated to SR1 update and above. This virus has dangerous date activated payloads.

This virus hooks the Word event of opening documents by the use of the subroutine named "Document_Open". This virus uses a self-check method to identify itself in prospective host documents by searching macro code in documents opened for a specific string. This method was originally used by the virus W97M/Marker.

This virus will create a file which is an index of files on the local machine if the day of the week is Monday. The types of files depends on a random selection by the virus. There is a 1 in 5 chance for any of these file types to be scanned for and indexed into a file named "IOBuff#.vxd" where # is the random selection:

1 = "*.doc"
2 = "*.bat"
3 = "*.sys"
4 = all files
5 = "*.ini"

Due to the method that the index file is created, the file "IOBuff#.vxd" will be appended to such that it could contain a duplicate list of filenames, or there could be several instances of this file in the root of the hard drive.

This index file is created for a devious purpose. This virus searches for each occurrence of the .vxd index file and performs the following actions:

If c:\IOBuff1.vxd exists, open each document listed in this file in an effort to infect all documents on the hard drive.

If c:\IOBuff2.vxd exists, open each .BAT file listed and overwrite the contents with this data:
"REM ** This Bat File Has Violed By "
"REM ** Your PC Is Not Secure System"
"prompt F*** You!!$g"
"cls"
"command.com"

If c:\IOBuff3.vxd exists, open each .SYS file listed and overwrite it with this data:
"REM Warning In the file (filename.sys)!!"
"REM This Sys File can only operate with"
"REM Operating Systems Powerfull and Secures"
"REM ."
"FILES = 1"
"BUFFERS = 1"

If c:\IOBuff4.vxd exists, open each file listed and replace it with this data:
"*******************************"
" Warning!: The File: (filename)
" Is Damaged. I`m Sorry!"
"*******************************"
" "
"Reinstall Your System..."

This of course is the most damaging of the payloads. It appears either the virus author got bored or found the 5th file c:\IOBuff5.vxd not important to modify or use.

Additional date payloads include document property modifications on the 14th and 28th of any month. If either of these dates are encountered, the current infected document properties are modified in the following ways:
Title = "Make The Love!! Not The War !!"
Author = "***< C & A V i r >***"
Keywords = "ALT + , ++, "
There are other randomly selected payloads which are numerous but include setting modifications such as some of the following:

Enabling or disabling of options:
"Check Grammar As You Type"
"Check Spelling As You Type"
"Show Grammatical Errors"
"Show Spelling Errors"

Commandbar or menu settings:
"Show Large Buttons"
"Display Vertical Scroll Bar"

Document options:
"Line numbering by 3"

   
All Users :
Script,Batch,Macro and non memory-resident:
Use current engine and DAT files for detection and removal.

PE,Trojan,Internet Worm and memory resident :
Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use a boot diskette and use the command line scanner:

SCANPM /ADL /CLEAN /ALL

Additional Windows ME/XP removal considerations


Users should not trust file icons, particularly when receiving files from others via P2P clients, IRC, email or other mediums where users can share files.

AVERT Recommended Updates :

* Office2000 Updates

* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch )

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link .
Additionally, Network Administrators can configure this update using an available tool - visit this link for more information .

It is very common for macro viruses to disable options within Office applications for example in Word, the macro protection warning commonly is disabled. After cleaning macro viruses, ensure that your previously set options are again enabled.