Virus Characteristics
This virus infects Word97 documents. On execution it checks the "HKCU\Software\Microsoft\Office\9.0\Word\Security\Level" registry value. If the value exists it is set to 1 (the lowest setting) and the virus disables the "Tools>Macros>Security..." menu item. If the value does not exist, the virus disables the "Tools>Macro" menu item, the virus warning dialog, the ConfirmConversions prompt and the SaveNormal prompt.
The virus checks the "HKCU\Software\Microsoft\Office\SRAT" value. If this value does not exist, or is not equal to "by Kwyjiboymi", the virus creates and/or sets the value to "by Kwyjiboymi".
The virus checks the name of the ActiveDocument code module. If the name is not "SRAT", it removes all code from the module, renames the module to "SRAT" and sets an infection pointer to the ActiveDocument. The same process is applied to the GlobalTemplate.
If infecting the GlobalTemplate, the virus creates the "Document_Close" subroutine and inserts its viral code into the subroutine. If infecting the ActiveDocument, the virus creates the "Document_Open" subroutine, inserts its viral code into the subroutine and saves the ActiveDocument.
This virus has two payloads. The first activates if the day of the month equals the current second at the time of infection, or if the day is the 19th. The second activates only if the day is the 19th.
If the first payload is executed, the virus types "is it safe? (y/n)" into the ActiveDocument, attempts to remove 1 to 20 directories from the Program Files directory and prints "(¥)" into the ActiveDocument for each attempted removal. It then types "your lucky number is " followed by the number of directories it tried to remove and "!". It then types "by the way, each (¥) represents a dead directory! guess what " followed by the same number and " means! anyway, tell me about yourself.. (¥) (SRAT)".
If the second payload is executed, the virus opens a file named "srat.19" in the "Windows\Temp" directory, falling back to the "C:\Temp" directory if that fails, and then loops infinitely while printing "(¥)" to the file.
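As an added illustration, not part of the original description, of how a defender might check an exported registry hive for the two registry indicators described above: the script below parses a constructed `.reg` export and flags an "SRAT" value equal to "by Kwyjiboymi" under HKCU\Software\Microsoft\Office and a Word Security\Level value of 1. The `.reg` parsing, the assumption that Level is stored as a REG_DWORD, and the sample export are assumptions made here; only the key paths and the marker string come from the description.

```python
import re
from typing import Dict, List, Optional

# Key paths and the marker string as given in the description above.
# .reg exports spell HKCU out as HKEY_CURRENT_USER.
OFFICE_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Office"
SRAT_VALUE = "SRAT"
SRAT_MARKER = "by Kwyjiboymi"
SECURITY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security"
SECURITY_VALUE = "Level"


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of .reg syntax needed here: [key] headers followed by
    "name"=value lines. Returns {key: {name: raw value text}}.
    Default (@=) values and multi-line hex values are ignored."""
    result: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            result.setdefault(current, {})
            continue
        if current is None:
            continue
        named = re.fullmatch(r'"([^"]+)"=(.*)', line)
        if named:
            result[current][named.group(1)] = named.group(2)
    return result


def reg_string(raw: str) -> str:
    """Strip the quotes from a REG_SZ value as written in a .reg file."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    return raw


def reg_number(raw: str) -> Optional[int]:
    """Interpret a dword:XXXXXXXX value, or a quoted decimal string, as an int.
    Assumption: Security\\Level is normally a REG_DWORD."""
    dword = re.fullmatch(r"dword:([0-9a-fA-F]{1,8})", raw)
    if dword:
        return int(dword.group(1), 16)
    text = reg_string(raw)
    return int(text) if text.isdigit() else None


def find_indicators(export_text: str) -> List[str]:
    """Return the indicators from the description that appear in the export."""
    reg = parse_reg_export(export_text)
    findings: List[str] = []

    office_values = reg.get(OFFICE_KEY, {})
    if SRAT_VALUE in office_values:
        if reg_string(office_values[SRAT_VALUE]) == SRAT_MARKER:
            findings.append("srat_marker_present")
        else:
            # Any SRAT value is unusual for a clean Office install.
            findings.append("srat_value_unexpected")

    security_values = reg.get(SECURITY_KEY, {})
    if reg_number(security_values.get(SECURITY_VALUE, "")) == 1:
        findings.append("macro_security_level_lowest")

    return findings


# Constructed sample export (not real data): an infected profile.
INFECTED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office]
"SRAT"="by Kwyjiboymi"

[HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security]
"Level"=dword:00000001
"""

# Constructed sample export: a clean profile with the default security level.
CLEAN_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security]
"Level"=dword:00000003
"""

if __name__ == "__main__":
    for name, export in (("infected", INFECTED_EXPORT), ("clean", CLEAN_EXPORT)):
        print(name, find_indicators(export))
```

A Security\Level of 1 on its own is only a weak signal (a user can set it), so it is reported separately from the marker value; the "SRAT" value has no legitimate reason to exist and is the stronger indicator.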
Variants

| Virus Name | Type | Subtype | Differences |
|---|---|---|---|
| W97M/Assilem.j | Virus | Macro | This threat is detected as W97M/Assilem.gen. Disables Tools/Macro/Security and also Tools/Macro. Also disables the macro warning in Word97. If the date is January 2000, the virus changes the registry setting HKU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoDrives" to "0". |