Virus Characteristics
This threat is detected as W97M/Vmpck.gen. On opening an infected document the virus will disable the macro warning protection. Tools/Macro and Tools/Templates and add-ins menu bars will be removed. Tools/Macro/ Visual Basic editor will be disabled. The virus will change the user details in File/Properties/Summary - Title = Alamat, Subject = F*ck the system!, Author = Lucky Warrior, Comments = Copyright (c) 1999 Bgy. Tiguib, Oras, Eastern Samar.
The virus will export its code to c:\windows.dat. This file is not infected. The virus contains a payload for each day of the month.
If day is 1st of any month, the virus will insert the following message into the document: Alamat brought to you by Lucky Warrior
If day is 2nd of any month, the virus will disable the Table menu bar.
If day is 3rd of any month, the virus will disable the Help menu bar.
If day is 4th of any month, the virus will delete c:\*.*.
If day is 5th of any month, the virus will delete the following AV files
- C:\progra~1\Drsolo~1\Anti-V~1\*.*
- C:\Program Files\Norton~1\*.*
- C:\progra~1\mcafee\viruss~1\*.*
- c:\progra~1\pc-cil~1\*.*
If day is 6th of any month, the virus will delete c:\Windows\*.*
If day is 7th of any month, the virus will save the document with the password =
AlamatIf day is 8th of any month, the virus will insert the following text into the document:
Your're infected with the Alamat virus! and then print it out.
If day is 9th of any month, the virus will edit the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion", "RegisteredOwner" = "Lucky Warrior"If day is 10th of any month, the virus will delete c:\Windows\*.* and c:\Winnt\*.*
If day is 11th of any month, the virus will delete characters.
If day is 12th of any month, the virus will add the hyperlink http://www.playboy.com to the document.
If day is 13th of any month, the virus will display the message "Ms Word is suffering from unknown virus!"
If day is 14th of any month, the virus will edit the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon, "LegalNoticeCaption" = "Lucky Warrior"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon, "LegalNoticeText" = "Welcome to the world of Alamat!" If day is 15th of any month, the virus will replace all occurances of "of" to "Alamat". It will also delete the Edit/Replace menu bar.
If day is 16th of any month, the virus will disable the Office Assistant and the cursor.
If day is 17th of any month, the virus will change the Word Application caption to
AlamatIf day is 18th of any month, the virus will disable the File menu bar.
If day is 19th of any month, the virus will exit Word Application.
If day is 20th of any month, the virus will delete
c:\Progra~1\System\*.* If day is 21th of any month, the virus will disable the
Edit menu bar.
If day is 22th of any month, the virus will disable the
View menu bar.
If day is 23th of any month, the virus will disable the
Insert menu bar.
If day is 24th of any month, the virus will disable the
Format menu bar.
If day is 25th of any month, the virus will delete the following AV files
- C:\progra~1\Drsolo~1\Anti-V~1\*.*
- C:\Program Files\Norton~1\*.*
- C:\progra~1\mcafee\viruss~1\*.*
- c:\progra~1\pc-cil~1\*.*
If day is 26th of any month, the virus will exit Windows.
If day is 27th of any month, the virus will delete the following AV files
- C:\progra~1\Drsolo~1\Anti-V~1\*.*
- C:\Program Files\Norton~1\*.*
- C:\progra~1\mcafee\viruss~1\*.*
- c:\progra~1\pc-cil~1\*.*
If day is 28th of any month, the virus will edit the following user details : UserName = "Lucky Warrior", UserInitials = "LW" and UserAddress = "Bgy. Tiguib, O.E.S."
If day is 29th of any month, the virus will disable the
Window menu bar.
If day is 30th of any month, the virus will delete c:\Windows\*.* and c:\Winnt\*.*