Virus Profile: W97M/

Threat Search
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 2/5/2003
Date Added: 2/26/2003
Origin: Unknown
Length: N/A
Type: Virus
Subtype: Macro
DAT Required: 4247
Removal Instructions


This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

Payloads mentioned above. Help/About producing the message displayed above.

Methods of Infection

Opening infected documents will directly infect the local Word environment and any document used thereafter.


W97M.Hopel.A (NAV)

Virus Characteristics

This threat is detected as W97M/ The virus contains one module - Pukka and is partly encrypted. Tools/Macro and Tools/Visual Basic Editor are disabled. The macro warning protection will also be disabled. The virus may save itself in the hard coded directory as C:\WINDOWS\COMMAND\nt.txt. It may also modify the autoexcec.bat and drop C:\WINDOWS\COMMAND\t.bat and C:\windows\command\tmp.bat.

If the date is is greater than the 1st of November 2002, the virus will change the following details in Tools/Options/User Information:
Name = "PUKKA", Initials = "^^^", Mailing Address = "PHILIPPINES". Also, details in File/Properties/Summary will have the following changes:
Author = "PUKKA" and Keywords = "HOPELOSJAVSI". The virus may modify printing and page setup options. Also settings in Tools/Options may be modifed.

Help/About will display the following message:


This virus has different payloads. On a random day, the virus will modify the following registry keys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion, "RegisteredOrganization" = "HOPELOSJAVSI"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion, "RegisteredOwner" = "PUKKA"
If day is 21st of October, the following registry changes will be made:
  • HKEY_USERS\.Default\Control Panel\International, "s1159" = "PUKKA"
  • HKEY_USERS\.Default\Control Panel\International, "s2359" = "PUKKA"
  • HKEY_USERS\.Default\Control Panel\International, "s1159" = "AM"
  • HKEY_USERS\.Default\Control Panel\International, "s2359" = "PM"

The virus also has a random day and weekday activated payloads. If the random day lands on one of the following weekdays, one or more of the following payloads will be executed:


  • The file c:\windows\system\epson9.drv may be deleted
  • The following files may be renamed:
    • c:\windows\system\netbeui.vxd to c:\windows\system\iuebten.vxd
    • c:\windows\command\ to c:\windows\command\
    • c:\ to c:\
    • c:\windows\system\mouse.drv to c:\windows\system\esuom.drv
  • The virus may set the document password to 013000
  • The following registry change may be made:
    • HKEY_USERS\.Default\Control Panel\International, "sDecimal"= "$


  • The following files may be renamed:
    • c:\windows\system\cm8330.drv to c:\windows\system\0338mc.drv
    • c:\windows\system\cm8330.vxd to c:\windows\system\0338mc.vxd
    • c:\windows\system\vmm32.vxd to c:\windows\system\23mmv.vxd
  • The virus may change the page setup
  • The following registry change may be made:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
      MS-DOSOptions\DOSSettings, "Config.Sys" = "DOS=SINGLE"


  • The following files may be renamed:
    • c:\windows\system\sis597m.drv to c:\windows\system\m795sis.drv
    • c:\windows\system\sis597m.vxd to c:\windows\system\m795sis.vxd
    • c:\windows\explorer.exe to c:\windows\rerolpxe.exe
    • c:\windows\system\vmm32.vxd to c:\windows\system\23mmv.vxd
  • The virus may set the document password to 013000
  • The virus may change the page setup.
  • The virus may convert characters in the document to uppercase


  • The following files may be renamed:
    • c:\windows\system\dplay.dll to c:\windows\system\yalpd.dll
    • c:\windows\system\dplayx.dll to c:\windows\system\xyalpd.dll
  • The virus may remove the scrollbars.
  • The virus may replace all instances of the word "the" with "^o^"
  • The virus may set the document password to 013000


  • The following files may be renamed:
    • c:\windows\system\sage.dll to c:\windows\system\egas.dll
  • The virus may change the print settings.
  • The virus may disable the Formatting and Standard command bars.


  • The following file may be renamed:
    • c:\windows\system\comdlg32.dll to c:\windows\system\23gldmoc.dll


  • The virus may remove some Formatting command bars.

On a random day the virus may change some print settings and rename the following files:

  • c:\windows\system\ndis.vxd to c:\windows\system\sidn.vxd
  • c:\windows\system\nwlink.vxd to c:\windows\system\knilwn.vxd
  • c:\windows\system\vredir.vxd to c:\windows\system\riderv.vxd
Use current engine and DAT files for detection and removal.

It is very common for macro viruses to disable options within Office applications for example in Word, the macro protection warning commonly is disabled. After cleaning macro viruses, ensure that your previously set options are again enabled.

AVERT Recommended Updates:

* Office 2000 updates

* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch)


PC Infected? Get Expert Help

Virus Removal Service

Connect to one of our Security Experts by phone. Have your PC fixed remotely - while you watch!