This is a class module macro virus for Word97 documents and templates. This virus will disable the macro warning notification within Word97. This virus will also infect systems which have updated to SR1 update and above. This virus has dangerous date activated payloads.
This virus hooks the Word event of opening documents by the use of the subroutine named "Document_Open". This virus uses a self-check method to identify itself in prospective host documents by searching macro code in documents opened for a specific string. This method was originally used by the virus W97M/Marker.
This virus will create a file which is an index of files on the local machine if the day of the week is Monday. The types of files depends on a random selection by the virus. There is a 1 in 5 chance for any of these file types to be scanned for and indexed into a file named "IOBuff#.vxd" where # is the random selection:
1 = "*.doc"
2 = "*.bat"
3 = "*.sys"
4 = all files
5 = "*.ini"
Due to the method that the index file is created, the file "IOBuff#.vxd" will be appended to such that it could contain a duplicate list of filenames, or there could be several instances of this file in the root of the hard drive.
This index file is created for a devious purpose. This virus searches for each occurrence of the .vxd index file and performs the following actions:
If c:\IOBuff1.vxd exists, open each document listed in this file in an effort to infect all documents on the hard drive.
If c:\IOBuff2.vxd exists, open each .BAT file listed and overwrite the contents with this data:
"REM ** This Bat File Has Violed By "
"REM ** Your PC Is Not Secure System"
"prompt F*** You!!$g"
If c:\IOBuff3.vxd exists, open each .SYS file listed and overwrite it with this data:
"REM Warning In the file (filename.sys)!!"
"REM This Sys File can only operate with"
"REM Operating Systems Powerfull and Secures"
"FILES = 1"
"BUFFERS = 1"
If c:\IOBuff4.vxd exists, open each file listed and replace it with this data:
" Warning!: The File: (filename)
" Is Damaged. I`m Sorry!"
"Reinstall Your System..."
This of course is the most damaging of the payloads. It appears either the virus author got bored or found the 5th file c:\IOBuff5.vxd not important to modify or use.
Additional date payloads include document property modifications on the 14th and 28th of any month. If either of these dates are encountered, the current infected document properties are modified in the following ways:
Title = "Make The Love!! Not The War !!"
Author = "***< C & A V i r >***"
Keywords = "ALT + , ++, "
There are other randomly selected payloads which are numerous but include setting modifications such as some of the following:
Enabling or disabling of options:
"Check Grammar As You Type"
"Check Spelling As You Type"
"Show Grammatical Errors"
"Show Spelling Errors"
Commandbar or menu settings:
"Show Large Buttons"
"Display Vertical Scroll Bar"
"Line numbering by 3"