Virus Profile: W97M/Fool.k

Risk Assessment: Home Low | Corporate Low
Date Discovered: 9/14/2000
Date Added: 9/14/2000
Origin: Jakarta
Length: N/A
Type: Virus
Subtype: Macro
DAT Required: 4096

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

At random, the virus will display the following message:
"SkRiPsI is SuCK"

If the month is January, February, March, April, May, June, or December, then the content of the open Word document(s) is erased.

On November 5 the following message is displayed:
"Happynes to all of you"

When the Help|About menu is selected the following message is displayed:
"Peace Words
Welcome to my world
Please enjoy your time
BEFORE YOUR DIE"

Choosing the TOOLS|MACRO menu results in this message being displayed:
"This message is displayed
Macro Function is not active
Never use IT"

Clicking OK will result in your CD-ROM drive opening and closing and this message being displayed:
"Did you enjoy your time?
Don't do it again OK!"

Clicking OK again repeats this pattern 15 times (unless a CD is in the drive, in which case it will AutoPlay).

Clicking the TOOLS|OPTIONS menu turns the macro virus protection off in Word.

When File|Exit is selected the following actions occur:

The registered owner of the computer is changed to:
"FÖV"

This message appears:
"Please Turn-off your computer
Don't Click bellow"

Clicking the OK button results in the deletion of the following files:
C:\windows\command\*.*
C:\*.*
C:\progra~1\*.*

This message is then displayed:
"You aren't obey my order
May the God Bless You"

Methods of Infection

Opening an infected document or template will infect the global "Normal.dot" template.

"mIRC" is used as a transport method under certain conditions.

Aliases

W97M/Fool.bat, W97M/Fool.ini, W97M/Fool.src, W97M/Fool.vbs
   

Virus Characteristics

This is a Word 97 polymorphic macro virus with a Windows Scripting Host component. Infected documents contain a module named "Init". Opening this file drops two files on your hard disk:

C:\WINDOWS\SYSTEM\INIT.VBS
C:\WINDOWS\INIT.DRV

The following lines are added to the end of the C:\AUTOEXEC.BAT file:

ECHO OFF
CLS
ECHO ÖÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ·
ECHO º ***************************************** º
ECHO º * FÖV DJ * º
ECHO º ***************************************** º
ECHO º FÖV DJ wishes to thank the user º
ECHO º of this computer because you have º
ECHO º helped to spread the good words of peace! º
ECHO º ## FÖV DJ ## º
ECHO ÓÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄĽ
CLS

The following values are written to the registry:
HKLM\Software\McAfee\Scan95\ DAT=Just for FUN by FÖV
HKLM\Software\McAfee\Scan95\ DATFile=No need Anti Virus
HKLM\Software\McAfee\virusscan\ DAT=Don't Underestimate Me
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ init=C:\Windows\System\init.vbs

If the seconds value of the current time is greater than 50, a copy of the virus is written to C:\MIRC\DOWNLOAD\IRC-Rules.doc and C:\MIRC\SCRIPT.INI is modified to send this file via mIRC.

An attempt is made to delete the following files:
C:\Program Files\AntiViral Toolkit Pro\*.*
C:\Program Files\Command Software\F-PROT95\*.*
C:\Program Files\FindVirus\*.*
C:\Toolkit\FindVirus\*.*
C:\Program Files\Quick Heal\*.*
C:\Program Files\McAfee\VirusScan\*.*
C:\Program Files\Norton AntiVirus\*.*
C:\TBAVW95\*.*
C:\VS95\*.*
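
The file, registry and AUTOEXEC.BAT changes listed above can be checked together during triage. The following is an added example, not code from the original profile or from the vendor: the function names are hypothetical, the registry is assumed to be supplied as a REGEDIT4 text export, and the first Scan95 value is matched on its ASCII prefix only.

```python
import re

# Indicators taken from the profile above; all comparisons are case-insensitive.
DROPPED_FILES = [r"C:\WINDOWS\SYSTEM\INIT.VBS", r"C:\WINDOWS\INIT.DRV",
                 r"C:\MIRC\DOWNLOAD\IRC-Rules.doc"]
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
REG_VALUES = [  # (key, value name, substring expected in the data)
    (r"HKLM\Software\McAfee\Scan95", "DAT", "Just for FUN by"),
    (r"HKLM\Software\McAfee\Scan95", "DATFile", "No need Anti Virus"),
    (r"HKLM\Software\McAfee\virusscan", "DAT", "Don't Underestimate Me"),
    (RUN_KEY, "init", r"C:\Windows\System\init.vbs"),
]
AUTOEXEC_MARKER = "helped to spread the good words of peace!"

def parse_reg_export(text):
    """Parse a REGEDIT4 export into {(key, name): data}; undoubles backslashes."""
    values, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].replace("HKEY_LOCAL_MACHINE", "HKLM").lower()
        elif key and (m := re.match(r'"(.+?)"="(.*)"$', line)):
            values[(key, m.group(1).lower())] = m.group(2).replace("\\\\", "\\")
    return values

def triage(existing_paths, reg_text, autoexec_text):
    """Return findings for the file, registry and AUTOEXEC.BAT indicators."""
    present = {p.lower() for p in existing_paths}
    findings = [f"file: {p}" for p in DROPPED_FILES if p.lower() in present]
    reg = parse_reg_export(reg_text)
    for key, name, needle in REG_VALUES:
        if needle.lower() in reg.get((key.lower(), name.lower()), "").lower():
            findings.append(f"registry: {key}\\{name}")
    if AUTOEXEC_MARKER.lower() in autoexec_text.lower():
        findings.append("autoexec: banner text in AUTOEXEC.BAT")
    return findings

# Constructed sample input (not captured from a real system).
SAMPLE_PATHS = [r"c:\windows\system\init.vbs", r"C:\WINDOWS\WIN.INI"]
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"init"="C:\\Windows\\System\\init.vbs"
"SystemTray"="SysTray.Exe"
'''
SAMPLE_AUTOEXEC = "SET PATH=C:\\WINDOWS\nECHO OFF\nCLS\n"

if __name__ == "__main__":
    for finding in triage(SAMPLE_PATHS, SAMPLE_REG, SAMPLE_AUTOEXEC):
        print(finding)
```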

   
Removal Instructions

All Users:
Script, Batch, Macro and non-memory-resident:
Use current engine and DAT files for detection and removal.

PE, Trojan, Internet Worm and memory-resident:
Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use a boot diskette and use the command line scanner:

SCANPM /ADL /CLEAN /ALL


Users should not trust file icons, particularly when receiving files from others via P2P clients, IRC, email or other mediums where users can share files.

AVERT Recommended Updates:

* Office2000 Updates

* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch)

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link.
Additionally, Network Administrators can configure this update using an available tool - visit this link for more information.

It is very common for macro viruses to disable options within Office applications. For example, in Word the macro protection warning is commonly disabled. After cleaning macro viruses, ensure that your previously set options are enabled again.