Virus Profile: W97M/Bablas.aj

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 8/23/2000
Date Added: 11/8/2001
Origin: Unknown
Length: N/A
Type: Virus
Subtype: Macro
DAT Required: 4093
Removal Instructions

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

Methods of Infection

Aliases

Word97Macro/Bablas.AJ (CA), Macro.Word97.Bablas.aj (AVP), W97M/Bablas.AJ (F-Prot), W97M/Bablas.AJ (Panda), W97M_BABLAS.AJ (Trend), WM97/Bablas-AJ (Sophos)
   

Virus Characteristics

This virus executes when the AutoExec subroutine is called. It immediately disables auto-macros, the SaveNormal prompt, the SaveProperties prompt and the macro warning box.

It sets the "RegisteredOrganization" and "RegisteredOwner" values under the "HKLM\Software\Microsoft\Windows\CurrentVersion" key to "Sura Agung Computer" and "Ophay Busisnes Solution", respectively. The virus changes the "LongDate" value under the "HKCU\Control Panel\International" key to "Sura Agung Computer, dddd dd MMMM yyyy", and adds the "Info" and "Info2" values to the "HKLM\Software\Microsoft\Windows\CurrentVersion\Detect" key with the values "Your Computer Is Already Infected With OBSVirus" and "Please Contact OBS at 021-6506287 or your computer will be HangUp", respectively.
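The registry changes described above can be checked offline against a registry export. The following is an added example, not part of the original profile or any McAfee tool: it parses the text of a .reg export and reports which of the listed values are present. The function names and the sample export are constructed for illustration, and the full hive names (HKEY_LOCAL_MACHINE, HKEY_CURRENT_USER) are used because that is how exports spell HKLM and HKCU.

```python
import re

# Values the profile says the virus writes (data copied verbatim, misspelling included).
CV = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion"
INDICATORS = [
    (CV, "RegisteredOrganization", "Sura Agung Computer"),
    (CV, "RegisteredOwner", "Ophay Busisnes Solution"),
    (r"HKEY_CURRENT_USER\Control Panel\International", "LongDate",
     "Sura Agung Computer, dddd dd MMMM yyyy"),
    (CV + r"\Detect", "Info", "Your Computer Is Already Infected With OBSVirus"),
    (CV + r"\Detect", "Info2",
     "Please Contact OBS at 021-6506287 or your computer will be HangUp"),
]

# "name"="data" string values; .reg files escape backslash and quote with a backslash.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg_export(text):
    """Return {key: {value_name: data}} for string values, keys and names lower-cased."""
    hive, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            hive.setdefault(key, {})
        elif key is not None and (m := VALUE_RE.match(line)):
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            hive[key][name.lower()] = data
    return hive

def find_indicators(text):
    """List (key, value_name) pairs whose data matches what the profile describes."""
    hive = parse_reg_export(text)
    return [(k, n) for k, n, want in INDICATORS
            if hive.get(k.lower(), {}).get(n.lower(), "").lower() == want.lower()]

# Constructed sample export (real exports from reg.exe are UTF-16; open with encoding="utf-16").
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]
"RegisteredOrganization"="Sura Agung Computer"
"RegisteredOwner"="Ophay Busisnes Solution"
"ProgramFilesDir"="C:\\Program Files"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Detect]
"Info"="Your Computer Is Already Infected With OBSVirus"

[HKEY_CURRENT_USER\Control Panel\International]
"LongDate"="dddd, MMMM dd, yyyy"
'''
```

Calling `find_indicators(SAMPLE)` returns the three matching values in the sample; the unmodified LongDate value and the absent Info2 value are not reported.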

The virus executes the "FileNewdefault" subroutine (described below). Then it checks each module in the GlobalTemplate for a module named "OBSv2904" and "OBS". If it finds the "OBS" module, the virus changes the status bar caption to read: "Alm.Midiawaty Is Upgrading It Self From Ophay Bussines Solution to " & the & " to for virus protection...". It then deletes the module using OrganizerDelete, and adds the "OBSv2904" module to the GlobalTemplate from the ActiveDocument using the OrganizerCopy method.

The virus checks this same object’s name (which will now be an invalid object) to see if it matches either "OBSv2904" or "ThisDocument". Since it will not match, the virus changes the active window caption to: "Found Virus" & & " in the Normal Template...". It then changes the status bar caption to read: "Ophay Bussines Solution will automatically removing Virus " & & " in Normal Template...".

The virus makes the computer beep 500 times, and changes the status bar to "Removing Virus " & & " in Normal Template to protect your global document...Please Wait!!" It then attempts to delete the module using OrganizerDelete.

This will not generate an error because the virus writer uses an On Error Goto statement, which tells the virus to ignore all errors and continue on so that the user never sees an error. On the first error generated, the virus will return from the subroutine and continue normal operation. If the virus does not find a module in the GlobalTemplate named "OBSv2904", it copies itself to the GlobalTemplate from the ActiveDocument using the OrganizerCopy method.

If the day is the 1st, 11th, 20th, 23rd, 24th, or the 29th, the virus will create a file named "OBS.html" on the desktop. The HTML file contains only some mailto: commands. After the file is created, the virus changes the caption of Word and the ActiveDocument back to the default settings.

When the "Tools>Options" menu item is chosen, the virus turns the SaveNormal prompt, the virus warning dialog and the SaveProperties prompt back on and shows the Options dialog. After the dialog is closed, the virus turns all of these off again and changes the registry keys as described in the AutoExec subroutine above.

When the "Tools>Macro>Macros..." or "Tools>Templates and Add-Ins..." menu items are chosen, or when the Visual Basic Editor is started, the virus changes the application's caption to "Don’t Forget", the active window caption to "You try to remove Virus ScanMacro OBS.", and the status bar caption to "Alm.Midiawaty trying to remain you, Please Wait...". The virus makes the computer beep 501 times, changes the captions all back to their defaults and displays the following message:

"              Alm.Midiawaty ,SE."
"Alm.Midiawaty trying to remain you"
"To Build The World a Better Place for Living."
"Don't Touch Me!!!"
"Don't try it again!!!"

When a file is opened (FileOpen subroutine), the virus disables WordBasic auto-macros and attempts to show the Open dialog. If it succeeds, the virus checks each module in the ActiveDocument for a module named "OBSv2904" or "OBS". If the virus finds a module named "OBS", it changes the status bar caption to "Upgrading Database Ophay Bussines Solution to " & the Active Document’s Name & " for virus protection...". It then deletes the module using the OrganizerDelete method, and copies the "OBSv2904" module from the GlobalTemplate to the ActiveDocument using the OrganizerCopy method. It checks the same module’s name (which does not exist anymore) to see if it equals "ThisDocument" or "OBSv2904" (it will not), and if it doesn’t, the virus will change the application's caption to: "OBS", the active window’s caption to "Found Virus " & the module’s name & " in " & the active document’s name & "...", and the status bar caption to: "Ophay Bussines Solution will automatically removing Virus " & the module’s name & " in " & the active document’s name & "....".

The virus makes the computer beep 500 times and changes the captions back to their default values. This virus changes the status bar caption to "Removing Virus " & the module’s name & " in " & the active document’s name & "...Please Wait !!!" It then removes the module using OrganizerDelete, and the status bar caption is changed to "Virus " & the module’s name & " in " & the active document’s name & " was removed.". This code will not work correctly all the time, but will not generate any errors because the virus writer uses the On Error Goto statement. If the virus did not find a module named "OBSv2904", it changes the status bar caption to "Creating Database Ophay Bussines Solution to " & the active document’s name & " for virus protection...", and uses the OrganizerCopy method to copy the "OBSv2904" module from the GlobalTemplate to the ActiveDocument.

If the day is the 1st, 11th, 20th, 23rd, 24th, or the 29th, the virus creates a file named "OBS.html" on the desktop. The HTML file contains only some mailto: commands. The virus then checks the day and the month. The following could occur:

If the date is January 1st, the virus will change the application's caption to "Happy Birthday to OphaySR and Good Luck...", the status bar caption to "Alm.Midiawaty remain you every 20 January . . . " and will type:

Happy Birthday to OphaySR and Good Luck...

Ophay was born in JAKARTA, 20 JANUARY 1977. She was Graduated from SMAN 6 High School and He've been college on STIE IBiI. Happiness...Joyless always cause OphaySR & God Love Me. But, Someday I Will Come To You. On a Paradise City, I Hope ... So, come and join with me in heaven, Someday.
Ophay SR
Always and Forever
Remain on 20 January
OBS@Yahoo.Com

If the date is May 24th, the virus will change the application's caption to "My Wedding Day still remain on mind ..." and the status bar caption to "Alm.Midiawaty remain you every 24 Mei . . . " and will type:

Happy Wedding Day to OphaySR & Alm.Midiawaty and Good Luck...

OphaySR was born in Jakarta, 20 January 1977. Midi was born in SURABAYA, 29 Desember 1975. People said We're best couple and God take her to heaven on 23 November 1997. Happiness...Joyless is always be, cause God Love Us. But, Someday I wishes come on the Wedding Dress again in Up there, I Hope ... So, On The Wedding Dress again, Someday.
Ophay SR & Midiawaty
Always and Forever
Remain on 24 Mei
OBS@Yahoo.Com

If the date is September 18th, the virus will change the application's title to "Happy Birthday to Dewi .N and Good Luck..." and the status bar caption to "Alm.Midiawaty remain you every 18 September . . . " and will type:

Happy Birthday to Dewi .N and Good Luck...

Dewi was born in JAKARTA, 18 September 1978. OphaySR & God Love You. I Hope ... So, On The Wedding Dress, Someday.
Ophay SR & MD
Always and Forever
Remain on 18 September
OBS@Yahoo.Com

If the date is November 2nd, the virus will change the application's title to "Happy Birthd
   
Use current engine and DAT files for detection and removal.

It is very common for macro viruses to disable options within Office applications; for example, in Word the macro protection warning is commonly disabled. After cleaning macro viruses, ensure that your previously set options are enabled again.

AVERT Recommended Updates:

* Office 2000 updates

* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch)
