Virus Profile: W97M/Piece@mm

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 7/28/2000
Date Added: 8/4/2000
Origin: Unknown
Length: N/A
Type: Virus
Subtype: Macro
DAT Required: 4089
Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

During infection, the virus attempts to mail a copy of itself via MAPI to the first 50 available entries in the Outlook address book. After the mailing routine it writes the following registry value:

HKCU\Software\Microsoft\Office\
"! Ghauri2 !" = "This machine salutes to GodOfBasic"

On each of the following dates there is a one-in-1000 chance that the virus modifies the startup configuration file AUTOEXEC.BAT by adding 1000 copies of an output message:

March 25:
"25th March 1997, A memorable day of my life? ...Ghauri2"

May 28:
"This machine is struck by the great GHAURI2 Virus !!! ...coded by GodOfBasic"

June 11:
"Say Happy Birthday to GodOfBasic! He is" [year - 1978] " years old today."

August 14:
"It's 14th Aug. Say Happy Birthday to Pakistan !!! ...Ghauri2"

This virus will attempt to delete all *.INI files in the c:\windows folder on May 28.

Methods of Infection

This virus hooks Word's document-open event in order to run its code. Once the global template NORMAL.DOT is infected, any document opened on the system becomes infected as well.

Aliases

W97M/Ghauri@mm, WM97/Melissa-BI (Sophos)
Virus Characteristics

This is a class module macro virus for Word97/2000 documents and templates. This virus may arrive by MAPI email and also contains date activated payloads, one of which attempts to delete *.INI files from the C:\WINDOWS folder.

During infection of a host file the virus renames the document's VBA class module, normally named "ThisDocument", to "Ghauri2". It then checks whether the global template is already infected; if it is not, it runs the MAPI email routine.

This virus may arrive by MAPI email in this format:

Subject = "A Piece of Information From " Infected User Name
Body = "Here is some thing about EME College that you better know..."
Attachment = infected file

After this virus infects the local user and sends itself via MAPI email, it modifies the registry with this information:

"HKCU\Software\Microsoft\Office\"
"! Ghauri2 !" = "This machine salutes to GodOfBasic"

The virus carries the following comment lines at the end of its code (comments, so they are never displayed to the user):

'(c); coded by GodOfBasic
'Ghauri2
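The indicators listed above and under "Indication of Infection" (the renamed VBA module, the GodOfBasic marker strings, the AUTOEXEC.BAT payload lines and the HKCU registry value) can be turned into host checks. The script below is an added example, not code from the McAfee profile. It assumes that the renamed class module appears as a "Document=Ghauri2/" entry in the uncompressed PROJECT stream of an infected Word file, that the registry value matches the quoted string exactly, and that the June 11 message is laid out as quoted; the sample document bytes and AUTOEXEC.BAT lines are constructed for the example, not real captures.

```python
"""Host-side indicator checks for W97M/Piece@mm (alias W97M/Ghauri@mm).

Added example; not part of the McAfee profile. Checks a raw Word file
image, AUTOEXEC.BAT text and (on Windows only) the HKCU registry value
for the artefacts the profile describes.
"""
import re
import sys
from typing import Dict, List, Optional

# Indicator strings taken verbatim from the profile.
REG_SUBKEY = r"Software\Microsoft\Office"  # under HKEY_CURRENT_USER
REG_VALUE_NAME = "! Ghauri2 !"
REG_VALUE_DATA = "This machine salutes to GodOfBasic"

AUTOEXEC_PAYLOADS = [
    "25th March 1997, A memorable day of my life? ...Ghauri2",
    "This machine is struck by the great GHAURI2 Virus !!! ...coded by GodOfBasic",
    "It's 14th Aug. Say Happy Birthday to Pakistan !!! ...Ghauri2",
]
# The June 11 message embeds a computed age, so it is matched by pattern.
BIRTHDAY_RE = re.compile(
    r"Say Happy Birthday to GodOfBasic! He is\s*(\d+)\s*years old today\."
)

# Byte patterns expected in an infected .doc/.dot. Assumption: the renamed
# module is listed in the plain-text PROJECT stream as "Document=Ghauri2/...".
# The trailing comment lines live in a compressed module stream, so only the
# module name and any uncompressed marker string are visible to a raw scan.
DOC_PATTERNS = {
    "vba_module_renamed_to_Ghauri2": re.compile(rb"Document=Ghauri2/"),
    "GodOfBasic_marker": re.compile(rb"GodOfBasic"),
}


def document_indicators(blob: bytes) -> List[str]:
    """Return the names of the indicators found in a raw Word file image."""
    return [name for name, pat in DOC_PATTERNS.items() if pat.search(blob)]


def autoexec_indicators(text: str) -> Dict[str, int]:
    """Count payload lines in AUTOEXEC.BAT text.

    An infected file carries the triggered message 1000 times, but a single
    occurrence is enough to flag it.
    """
    hits: Dict[str, int] = {}
    for line in text.splitlines():
        for msg in AUTOEXEC_PAYLOADS:
            if msg in line:
                hits[msg] = hits.get(msg, 0) + 1
        if BIRTHDAY_RE.search(line):
            hits["birthday_message"] = hits.get("birthday_message", 0) + 1
    return hits


def registry_indicator() -> Optional[bool]:
    """Check HKCU for the value the virus writes.

    Returns None when the registry is not available (non-Windows host),
    False when the value is absent, True when it matches.
    """
    try:
        import winreg  # only present on Windows
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, REG_SUBKEY) as key:
            data, _ = winreg.QueryValueEx(key, REG_VALUE_NAME)
    except OSError:
        return False
    return data == REG_VALUE_DATA


# Constructed sample inputs (not real captures): an OLE header followed by a
# PROJECT-stream-style listing, and a batch file with the May 28 payload
# written three times plus one June 11 line.
SAMPLE_DOC = (
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16
    + b'ID="{00000000-0000-0000-0000-000000000000}"\r\n'
    + b"Document=Ghauri2/&H00000000\r\n"
    + b'Name="Project"\r\n'
)
SAMPLE_AUTOEXEC = (
    "@ECHO OFF\r\nPATH C:\\WINDOWS;C:\\WINDOWS\\COMMAND\r\n"
    + "ECHO " + AUTOEXEC_PAYLOADS[1] + "\r\n" * 1
) * 1 + ("ECHO " + AUTOEXEC_PAYLOADS[1] + "\r\n") * 2 + (
    "ECHO Say Happy Birthday to GodOfBasic! He is 22 years old today.\r\n"
)


def main(argv: List[str]) -> None:
    """Scan files given on the command line, or the built-in samples."""
    if argv:
        for path in argv:
            with open(path, "rb") as fh:
                data = fh.read()
            print(path, document_indicators(data),
                  autoexec_indicators(data.decode("latin-1")))
    else:
        print("sample doc:", document_indicators(SAMPLE_DOC))
        print("sample autoexec:", autoexec_indicators(SAMPLE_AUTOEXEC))
    print("registry:", registry_indicator())


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it with no arguments to see the checks against the built-in samples, or pass file paths (a suspect .doc/.dot or a copy of AUTOEXEC.BAT) to scan real files; the registry check only returns a result on a Windows host.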

All Users:
Script, Batch, Macro and non memory-resident:
Use current engine and DAT files for detection and removal.

PE, Trojan, Internet Worm and memory resident:
Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use a boot diskette and use the command line scanner:

SCANPM /ADL /CLEAN /ALL

Users should not trust file icons, particularly when receiving files from others via P2P clients, IRC, email or other mediums where users can share files.

AVERT Recommended Updates:

* Office 2000 Updates

* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch)

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook email attachment security update

* Exchange 5.5 post-SP3 Information Store Patch 5.5.2652.42 (this patch corrects detection issues with GroupShield)

Microsoft publishes a list of the attachment types blocked by the Outlook attachment security update together with a general FAQ, and provides a tool that lets network administrators configure the update centrally.

It is very common for macro viruses to disable security options within Office applications; in Word, for example, the macro virus protection warning is commonly switched off. After cleaning a macro virus, verify that your previously set options have been re-enabled.