Products
- Cross Device
- PC & Mac
- Mobile/Tablet
- Other Services
  - McAfee Virus Removal Service
  - View All
- Free Tools
Virus Information
Security Advice
Support
Free Trials

Virus Profile: W97M/Beko.a@MM

Threat Search

Virus Profile information details
Risk Assessment:	Home Low \| Corporate Low
Date Discovered:	5/13/2002
Date Added:	11/22/2002
Origin:	Unknown
Length:	N/A
Type:	Virus
Subtype:	E-mail
DAT Required:	4072
Removal Instructions

Overview
Virus Characteristics
Removal Instructions

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

The presence of the directory CokeBoy in the windows directory containing .vbs with random filenames. The above messages displayed.

Methods of Infection

Opening an infected document will drop the .vbs file which will use Outlook to mail out infected document to all in Addresslist.

Aliases

W97M.Beko@mm (NAV), WM97/Beko-A (Sophos)

View Virus Characteristics

Virus Characteristics

This threat is detected as W97M/Generic. The virus contains one module -NewMacros. It disables macro warning protection in Word97 and sets the security level for Word2K and WordXP to low.

The virus does not spread to the Word Environment nor other word documents due to an error in code. It does however create a subdirectory CokeBoy in windows directory and drops a .vbs file with random filename to this directory. This .vbs file will use Outlook to send an email to all in Addresslist with the following information:

Subject: [document name]
Body:A confidential document is for you.. only for u!
Attachment: infected document.

The virus then modifies the following registry setting to execute the virus on startup: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, [random name] = [random name].vbs

If day is 29th of any month, the following message will be displayed:

Help/About will display the following message:

and can insert up to 10 times the following text:

I'm Coke, a bottled drink!! I'm not dangerous.You are being hit by the evil Coke worm! CokeBoy newest drink worm.. you gotta see it! CokeBoy newest drink worm.. you gotta believe it! CokeBoy newest drink worm.. you gotta taste! CokeBoy newest drink worm.. you gotta get it! CokeBoy newest drink worm.. you gotta buy it! CokeBoy newest drink worm.. you gotta try it! CokeBoy newest drink worm.. you gotta drink it! CokeBoy newest drink worm.. you gotta love it!

Back To Overview View Removal Instructions

Use current engine and DAT files for detection and removal.

It is very common for macro viruses to disable options within Office applications for example in Word, the macro protection warning commonly is disabled. After cleaning macro viruses, ensure that your previously set options are again enabled.

AVERT Recommended Updates:

* Office 2000 updates

* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch)

View Virus Characteristics