This is a class module macro virus for Word97/2000 documents. This virus does not contain a damaging payload. This virus contains a date activated payload of displaying a message box. This virus will lower the macro warning settings on the host system.
This virus writes a temp file to the root of the C: drive which contains the virus source code and transfers this to new host documents.
If the date is August 15, this message will be displayed:
"Today is Independence day."
This virus writes user information to a file and sends this file via FTP to an FTP account. The information gathered are the following:
"Date & Time: [dddd, d mmm yyyy hh:mm:ss AMPM]"
"Processor Type: [ProcessorType]"
"Free Disk Space: [FreeDiskSpace]"
The information is gathered through the use of "system variables" or values which are available using reserved variable names.
This information is saved to a file in the root of C: as a random file name such as "su7892.sys". A script file is then created named "netacc.vxd" containing ftp account information (possibly the virus author). This virus then runs a shell process to ftp the information file to the ftp account. The account is named "surveyor" and is located on "home.fiberia.com".
These comments exist in the source of the virus code:
' Surveyor, Developed by:
' An MCA Student
' School Of Technology And Applied Sciences
' Mahatham Gandhi University Regional Center
' Edappally, Kochi 24
' 16th March 2000