For Consumer

Virus Profile: W97M/WMVG.c

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 3/21/2002
Date Added: 4/10/2002
Origin: Unknown
Length: N/A
Type: Virus
Subtype: Macro
DAT Required: 4072
Removal Instructions
   
 
 
   

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

The above message displayed if day is 31st of the month. The above registry key present and the presence of the files:

  • C:\Windows\<APPLICATION.USERNAME>.sys
  • C:\Windows\Backup.vbs
  • C:\Windows\Backup.drv

Methods of Infection

Opening an infected document will directly infect the local Word environment and any document opened thereafter.
   

Virus Characteristics

This threat is detected as W97M/Generic and infects Word 97 and Word 2000 documents. On closing an infected document the virus will disable the virus protection feature. The status bar in the application will also be removed. Security level will be set to Low for Word 2000 and the Tools/Macro/Security feature will be disabled.

W97M/WMVG.c will output its source to
C:\Windows\.sys Example: C:\Windows\Jane.sys. This file is not infected. The VBS file C:\Windows\Backup.vbs is dropped and the virus will use this script to reinfect the Word environment. The following registry key is modified:

  • "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "WMVG" "C:\Windows\Backup.vbs"

The script file is detected as VBS/Sunflower.gen. Backup.vbs also drops another file C:\Windows\Backup.drv, which contains only the macro source and is not infected.

On 31st day of month, the following message will be displayed:

   
Use current engine and DAT files for detection and removal.

It is very common for macro viruses to disable options within Office applications for example in Word, the macro protection warning commonly is disabled. After cleaning macro viruses, ensure that your previously set options are again enabled.

AVERT Recommended Updates:

* Office 2000 updates

* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch)