Virus Profile: W97M/Cybernet@mm

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 5/25/2000
Date Added: 5/25/2000
Origin: Indonesia
Length: N/A
Type: Virus
Subtype: Macro
DAT Required: 4080

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

Existence of the file CYBERNET.XLS in the XLSTART folder of Office.

This virus contains the following date-activated damaging payloads.
If this virus is run on August 17 (also known as Indonesia Independence Day) or December 25:

* the active document will be overlaid with randomly generated shapes of random size and color

* the AUTOEXEC.BAT file is overwritten with code to (re)format the hard drive

* the CONFIG.SYS file will also contain instructions which prevent the user from aborting or stopping the execution of the AUTOEXEC.BAT file
  NOTE: the modification of AUTOEXEC.BAT and CONFIG.SYS will only affect Windows 9x clients, because Windows NT does not use either of these startup configuration files.

* a message box is displayed with this detail:

"(C)2000 - CyberNET"
"Assalamualaikum Li Kulli Muslim...Moslem Power Never End..."
"Nothing Can Stop « CyberNET » Virus. Your System Has Already Infected !!!"
"Now...I Am Outta Here..."


* after the user clicks on the OK button, this virus will attempt to exit Windows.

Methods of Infection

If an infected file is opened and the macro is allowed to run, this virus attempts to lower the existing macro warning settings using a registry import file. This file is first written to the root of c: as "CyberNET.reg", then it is imported using REGEDIT.EXE.

Once an infected workbook or document is opened on the host system, the virus first attempts to remove the global template NORMAL.DOT, then generates a new template which contains the infectious code.

Additionally, a file is created in the XLSTART folder named "CYBERNET.XLS" which will infect workbooks used on the system. This virus will remove files which may exist in the XLSTART folder.
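The file-system traces described above can be checked on a mounted volume or disk image. This is an added example, not code from the original profile: the indicator labels, the function names and the sample tree are constructed for illustration, and treating any FORMAT command in AUTOEXEC.BAT as suspicious is an assumption, since the profile does not quote the batch text.

```python
import os
import re
import tempfile

# Indicators named in the profile, lower-cased for case-insensitive matching.
DROPPED_WORKBOOK = "cybernet.xls"  # created in Office's XLSTART folder
REG_IMPORT_FILE = "cybernet.reg"   # written to the root of C: before the REGEDIT import
# Assumption: any FORMAT command line in AUTOEXEC.BAT is worth flagging;
# the profile does not quote the exact batch text.
FORMAT_CMD = re.compile(r"^\s*@?\s*(?:\S*\\)?format(?:\.com)?\b", re.I | re.M)


def sweep(root):
    """Return sorted (indicator, path) findings for a volume mounted at `root`."""
    findings = []
    for entry in os.listdir(root):  # root-level files only
        path = os.path.join(root, entry)
        if not os.path.isfile(path):
            continue
        if entry.lower() == REG_IMPORT_FILE:
            findings.append(("reg-import-file", path))
        elif entry.lower() == "autoexec.bat":
            with open(path, "r", errors="replace") as fh:
                if FORMAT_CMD.search(fh.read()):
                    findings.append(("autoexec-format", path))
    for dirpath, _dirs, files in os.walk(root):  # any XLSTART folder on the volume
        if os.path.basename(dirpath).lower() != "xlstart":
            continue
        for name in files:
            if name.lower() == DROPPED_WORKBOOK:
                findings.append(("xlstart-workbook", os.path.join(dirpath, name)))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample volume: placeholder files only, no macro code."""
    root = tempfile.mkdtemp(prefix="cybernet_demo_")
    xlstart = os.path.join(root, "Program Files", "Microsoft Office", "Office", "XLStart")
    os.makedirs(xlstart)
    samples = {os.path.join(xlstart, "CYBERNET.XLS"): "placeholder",
               os.path.join(root, "CyberNET.reg"): "placeholder",
               os.path.join(root, "AUTOEXEC.BAT"): "@echo off\nformat c:\n"}
    for path, text in samples.items():
        with open(path, "w") as fh:
            fh.write(text)
    return root


if __name__ == "__main__":
    print(sweep(build_sample_tree()))
```

The registry marker value mentioned below is not covered here, because the profile does not give the key path it is stored under.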

Email propagation will also occur on applicable systems. This virus will check for the registry modification:

"CyberNET"="(C)2000 - Indonesia By AnomOke!"

If the key does not exist, or the value does not match, the email routine is executed. After sending copies of itself via email, it then sets the registry with the setting above.


Cybernet, OF97/Cybernet-A, X97M/Cybernet@mm

Virus Characteristics

This is a Word/Excel 97/2000 macro virus which arrives in a suspicious looking email through Outlook. This virus uses a technique similar to W97M/Melissa to spread via Outlook by selecting the first 50 entries in the available address book. This virus checks for a registry entry prior to sending the emails; if it exists already, the virus assumes the mass-mailing has already been performed.

AVERT has not received any customer samples of this virus at this time. When this file is scanned using heuristic mode (Macro analysis, aka /MANALYSE), this virus has been detected as "New W97M" since the 4071 DATs and 4.0.70 engine.

This virus arrives at a new host target via MAPI email (Outlook) in this format:

Subject = "You've GOT Mail !!!"
Body = "Please, saved the document after you read and don't show to anyone else. The document is also VIRUS DISREGARD the virus protection warning !!!"
Attached = infected .DOC file
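A mail-side check for the message format listed above, as an added example that is not part of the original profile. The function names, trait labels, addresses and the sample messages are constructed; the attachment in the sample is placeholder bytes, not a document.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

SUBJECT = "you've got mail !!!"                          # subject from the profile
BODY_MARKER = "disregard the virus protection warning"   # phrase from the body


def _norm(text):
    """Lower-case and collapse whitespace so folded or wrapped text still matches."""
    return re.sub(r"\s+", " ", text or "").strip().lower()


def profile_traits(raw):
    """Return which traits of the profiled message appear in one raw message (bytes)."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if _norm(msg["Subject"]) == SUBJECT:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and BODY_MARKER in _norm(body.get_content()):
        hits.append("body")
    if any((part.get_filename() or "").lower().endswith(".doc")
           for part in msg.iter_attachments()):
        hits.append("doc-attachment")
    return hits


def build_sample(subject, body, attachment_name):
    """Constructed test message with a placeholder attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="msword", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    sample = build_sample("You've GOT Mail !!!",
                          "The document is also VIRUS DISREGARD the virus "
                          "protection warning !!!", "LETTER.DOC")
    print(profile_traits(sample))
```

A message carrying only a .doc attachment yields a single trait, so a filter built on this would normally require the subject or body match as well before quarantining.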

This virus contains a comment line in the code which is not displayed:

'W97M/CyberNET (C)2000 - Indonesia By AnomOke!
"I'm NOT Responsible For Any Damage That Posible Cause By My Virus...!!!"

This virus contains a date-activated payload which will attempt to reformat systems running a Windows 9x operating system.

The author attempted to write this virus so as to avoid heuristic detection by either Symantec or NAI, as evidenced by these comment lines within the code:

'anti-heuristic for stupid Norton antivirus scanner
'anti-heuristic for stupid McAfee antivirus scanner

As mentioned previously in this description, when this virus is scanned with VirusScan using heuristic mode (Macro analysis, aka /MANALYSE), it has been detected as "New W97M" since the 4071 DATs and 4.0.70 engine.

All Users:
Script, Batch, Macro and non memory-resident:
Use current engine and DAT files for detection and removal.

PE, Trojan, Internet Worm and memory-resident:
Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use a boot diskette and use the command line scanner:


Additional Windows ME/XP removal considerations

Users should not trust file icons, particularly when receiving files from others via P2P clients, IRC, email or other mediums where users can share files.

AVERT Recommended Updates:

* Office2000 Updates

* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch)

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link.
Additionally, Network Administrators can configure this update using an available tool - visit this link for more information.

It is very common for macro viruses to disable options within Office applications; for example, in Word the macro protection warning is commonly disabled. After cleaning macro viruses, ensure that your previously set options are enabled again.

