Virus Profile: W97M/Beko.a@MM

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 5/13/2002
Date Added: 11/22/2002
Origin: Unknown
Length: N/A
Type: Virus
Subtype: E-mail
DAT Required: 4072
Removal Instructions
   
 
 
   

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

The presence of the directory CokeBoy in the windows directory containing .vbs with random filenames. The above messages displayed.

Methods of Infection

Opening an infected document will drop the .vbs file which will use Outlook to mail out infected document to all in Addresslist.

Aliases

W97M.Beko@mm (NAV), WM97/Beko-A (Sophos)
   

Virus Characteristics

This threat is detected as W97M/Generic. The virus contains one module -NewMacros. It disables macro warning protection in Word97 and sets the security level for Word2K and WordXP to low.

The virus does not spread to the Word Environment nor other word documents due to an error in code. It does however create a subdirectory CokeBoy in windows directory and drops a .vbs file with random filename to this directory. This .vbs file will use Outlook to send an email to all in Addresslist with the following information:

  • Subject: [document name]
  • Body:A confidential document is for you.. only for u!
  • Attachment: infected document.

The virus then modifies the following registry setting to execute the virus on startup: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, [random name] = [random name].vbs

If day is 29th of any month, the following message will be displayed:

Help/About will display the following message:

and can insert up to 10 times the following text:

I'm Coke, a bottled drink!! I'm not dangerous.You are being hit by the evil Coke worm! CokeBoy newest drink worm.. you gotta see it! CokeBoy newest drink worm.. you gotta believe it! CokeBoy newest drink worm.. you gotta taste! CokeBoy newest drink worm.. you gotta get it! CokeBoy newest drink worm.. you gotta buy it! CokeBoy newest drink worm.. you gotta try it! CokeBoy newest drink worm.. you gotta drink it! CokeBoy newest drink worm.. you gotta love it!
   
Use current engine and DAT files for detection and removal.

It is very common for macro viruses to disable options within Office applications for example in Word, the macro protection warning commonly is disabled. After cleaning macro viruses, ensure that your previously set options are again enabled.

AVERT Recommended Updates:

* Office 2000 updates

* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch)

   

PC Infected? Get Expert Help

McAfee
Virus Removal Service

Connect to one of our Security Experts by phone. Have your PC fixed remotely - while you watch!

$89.95