Virus Profile: W97M/Chameleon.a

Threat Search
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 9/22/2000
Date Added: 9/26/2000
Origin: USA
Length: N/A
Type: Virus
Subtype: Macro
DAT Required: 4097
Removal Instructions


This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

Presence of "Chameleon.vbs" in the StartUp folder.

Methods of Infection

Opening an infected document modifies the global "" template to spread the infection.


W97M/Chameleon, W97M/Chameleon.gen, W97M/Chameleon.src, W97M/Chameleon.vbs, W97M/Quiet

Virus Characteristics

This polymorphic Word97/2000 macro virus contains the module "ThisDocument". When ran it performs the following tasks:

- Writes the key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\MVP" = "Enabled by Total Konfuzion"
- Checks for the presence of this key value and tries to infect if absent
- Disables Microsoft's macro virus protection
- Disables save prompt for the template
- Disables the confirm older version conversion prompt
- Writes the virus code source to "C:\Windows\System\Chameleon.dll" and uses this file as a reference to insert the code into other files
- Write "C:\Windows\Start Menu\Programs\Startup\Chameleon.vbs" which displays the following message in a dialog box entitled "W97M/Chameleon":
"Greetz from Chameleon :)"
- On the 18th day of the month this message is displayed:
"Let me slip into something"
"a little more comfortable... :)"


Variants information
Virus Name Type Subtype Differences
W97M/Chameleon.c Virus Macro Writes Quiet.dll and Quiet.vbs. Uses Quiet.vbs to infect Dialog box entitled W97M/Quiet. No message on the 18th.
W97M/Chameleon.b Virus Macro No .vbs or .dll files dropped.
- Changes title of Microsoft Word to:
Mum.. Dad.. F**k U !!
When the day of the month is greater than 25:
- Replaces all instances of the word the with Mum.. Dad.. F**k U
All Users :
Script,Batch,Macro and non memory-resident:
Use current engine and DAT files for detection and removal.

PE,Trojan,Internet Worm and memory resident :
Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use a boot diskette and use the command line scanner:


Additional Windows ME/XP removal considerations

Users should not trust file icons, particularly when receiving files from others via P2P clients, IRC, email or other mediums where users can share files.

AVERT Recommended Updates :

* Office2000 Updates

* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch )

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link .
Additionally, Network Administrators can configure this update using an available tool - visit this link for more information .

It is very common for macro viruses to disable options within Office applications for example in Word, the macro protection warning commonly is disabled. After cleaning macro viruses, ensure that your previously set options are again enabled.


PC Infected? Get Expert Help

Virus Removal Service

Connect to one of our Security Experts by phone. Have your PC fixed remotely - while you watch!