Virus Profile: W97M/Alamat

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 11/27/1999
Date Added: 12/4/2002
Origin: Unknown
Length: N/A
Type: Virus
Subtype: Macro
DAT Required: 4056

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

Any of the payloads described under Virus Characteristics, and the presence of the file c:\windows.dat.

Methods of Infection

Opening infected documents will directly infect the local Word environment and any document used thereafter.

Aliases

WM97/Alamat-A (Sophos)
   

Virus Characteristics

This threat is detected as W97M/Vmpck.gen. On opening an infected document, the virus will disable the macro warning protection. The Tools/Macro and Tools/Templates and Add-Ins menu bars will be removed, and Tools/Macro/Visual Basic Editor will be disabled. The virus will change the user details in File/Properties/Summary:

  • Title = Alamat
  • Subject = F*ck the system!
  • Author = Lucky Warrior
  • Comments = Copyright (c) 1999 Bgy. Tiguib, Oras, Eastern Samar.

The virus will export its code to c:\windows.dat. This file is not infected. The virus contains a payload for each day of the month.

If day is 1st of any month, the virus will insert the following message into the document: "Alamat brought to you by Lucky Warrior"

If day is 2nd of any month, the virus will disable the Table menu bar.

If day is 3rd of any month, the virus will disable the Help menu bar.

If day is 4th of any month, the virus will delete c:\*.*.

If day is 5th of any month, the virus will delete the following AV files:

  • C:\progra~1\Drsolo~1\Anti-V~1\*.*
  • C:\Program Files\Norton~1\*.*
  • C:\progra~1\mcafee\viruss~1\*.*
  • c:\progra~1\pc-cil~1\*.*

If day is 6th of any month, the virus will delete c:\Windows\*.*

If day is 7th of any month, the virus will save the document with the password = Alamat

If day is 8th of any month, the virus will insert the following text into the document and then print it out: "Your're infected with the Alamat virus!"

If day is 9th of any month, the virus will edit the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion, "RegisteredOwner" = "Lucky Warrior"

If day is 10th of any month, the virus will delete c:\Windows\*.* and c:\Winnt\*.*

If day is 11th of any month, the virus will delete characters.

If day is 12th of any month, the virus will add the hyperlink http://www.playboy.com to the document.

If day is 13th of any month, the virus will display the message "Ms Word is suffering from unknown virus!"

If day is 14th of any month, the virus will edit the following registry keys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon, "LegalNoticeCaption" = "Lucky Warrior"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon, "LegalNoticeText" = "Welcome to the world of Alamat!"


If day is 15th of any month, the virus will replace all occurrences of "of" with "Alamat". It will also delete the Edit/Replace menu bar.

If day is 16th of any month, the virus will disable the Office Assistant and the cursor.

If day is 17th of any month, the virus will change the Word Application caption to Alamat

If day is 18th of any month, the virus will disable the File menu bar.

If day is 19th of any month, the virus will exit Word Application.

If day is 20th of any month, the virus will delete c:\Progra~1\System\*.*

If day is 21st of any month, the virus will disable the Edit menu bar.

If day is 22nd of any month, the virus will disable the View menu bar.

If day is 23rd of any month, the virus will disable the Insert menu bar.

If day is 24th of any month, the virus will disable the Format menu bar.

If day is 25th of any month, the virus will delete the following AV files:

  • C:\progra~1\Drsolo~1\Anti-V~1\*.*
  • C:\Program Files\Norton~1\*.*
  • C:\progra~1\mcafee\viruss~1\*.*
  • c:\progra~1\pc-cil~1\*.*

If day is 26th of any month, the virus will exit Windows.

If day is 27th of any month, the virus will delete the following AV files:

  • C:\progra~1\Drsolo~1\Anti-V~1\*.*
  • C:\Program Files\Norton~1\*.*
  • C:\progra~1\mcafee\viruss~1\*.*
  • c:\progra~1\pc-cil~1\*.*

If day is 28th of any month, the virus will edit the following user details: UserName = "Lucky Warrior", UserInitials = "LW" and UserAddress = "Bgy. Tiguib, O.E.S."

If day is 29th of any month, the virus will disable the Window menu bar.

If day is 30th of any month, the virus will delete c:\Windows\*.* and c:\Winnt\*.*
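
The persistent traces listed in this profile (the exported c:\windows.dat file, the registry values and the rewritten document summary properties) can be correlated during triage. The following is an added example, not part of the original profile or of any vendor tool; the snapshot dictionary layout, the `triage` function and the verdict thresholds are assumptions made for illustration.

```python
import ntpath

# Indicator values copied from this profile.
CV = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
DROPPED_FILES = [r"c:\windows.dat"]
REGISTRY = {
    (CV, "RegisteredOwner"): "Lucky Warrior",
    (CV + r"\Winlogon", "LegalNoticeCaption"): "Lucky Warrior",
    (CV + r"\Winlogon", "LegalNoticeText"): "Welcome to the world of Alamat!",
}
DOC_PROPS = {"title": "Alamat", "author": "Lucky Warrior"}


def _norm(s):
    return s.strip().lower()


def triage(snapshot):
    """Return (verdict, findings); the snapshot layout is a hypothetical format."""
    findings = {"file": [], "registry": [], "document": []}
    # Windows paths are case-insensitive, so compare normalised forms.
    present = {ntpath.normcase(p) for p in snapshot.get("files", [])}
    findings["file"] = [p for p in DROPPED_FILES if ntpath.normcase(p) in present]
    # Registry key and value names are case-insensitive; the data is compared exactly.
    reg = {(_norm(k), _norm(n)): v
           for (k, n), v in snapshot.get("registry", {}).items()}
    for (key, name), expected in REGISTRY.items():
        if reg.get((_norm(key), _norm(name))) == expected:
            findings["registry"].append(f"{name}={expected}")
    # A document matches only if every listed summary property matches.
    for doc, props in snapshot.get("documents", {}).items():
        props = {_norm(k): v for k, v in props.items()}
        if all(props.get(k) == v for k, v in DOC_PROPS.items()):
            findings["document"].append(doc)
    # Assumed threshold: two or more indicator classes -> "likely".
    classes = sum(1 for hits in findings.values() if hits)
    return ("clean", "possible", "likely", "likely")[classes], findings


# Constructed sample snapshot, not real telemetry.
SAMPLE = {
    "files": [r"C:\WINDOWS.DAT", r"C:\AUTOEXEC.BAT"],
    "registry": {(CV.upper(), "registeredowner"): "Lucky Warrior"},
    "documents": {
        "report.doc": {"Title": "Alamat", "Author": "Lucky Warrior"},
        "memo.doc": {"Title": "Memo", "Author": "J. Doe"},
    },
}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A single matching class is reported only as "possible" because one value on its own (for example a registered owner name) is weak evidence; the file, registry and document traces together are what this profile describes.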

   
Use current engine and DAT files for detection and removal.

It is very common for macro viruses to disable options within Office applications; in Word, for example, the macro protection warning is commonly disabled. After cleaning macro viruses, ensure that your previously set options are enabled again.

AVERT Recommended Updates:

* Office 2000 updates

* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch)

   
