Threat Encyclopedia

Virus, spyware, worms and other threat descriptions

W97M/VMPCK1.BY

W97M/VMPCK1.BY is a macro virus that operates in the Microsoft Word 97 environment. It uses the "class" method of infection: it attacks the "ThisDocument" module, which is present by default in every Word document and template. It infects the global template normal.dot and Word documents. An infection is indicated by the presence of a module named xix in the infected document.
When an infected document is opened, W97M/VMPCK1.BY checks whether a module named xix exists in the global template. If no module of that name is present, the virus turns off Word's anti-virus protection and disables the warning windows shown when templates are written to and when macros are converted. The virus then exports its code to the file c:\xix.drv and attacks the template from there. It attacks documents when they are opened and when the Visual Basic editor or the menu items Tools/Macro and Tools/Templates and accessories are used.
The virus manifests itself in several ways. When attacking files, it displays, with a chance of 1:100, the following window with text:

The next manifestation is always activated on the 8th day of the month. In an opened document, the virus replaces the string "sim" with the string "nao r regionalizaçao!". When making this change, the virus disables access to the menu items that could reverse the operation.
The last manifestation is a change to the data in the document properties. The author is changed to "VOTA NAO R REGIONALIZAÇAO! SIM AO REFORÇO DO MUNICIPALISMO!", the name to "JOAO JARDIM x8?! PORRA! DIA 8 VOTA NAO!" and the notes to "A REGIONALIZAÇAO É UM ERRO COLOSSAL!".
The virus code contains the following comment lines:

'VMPCK 1.0d w/Random Path + Update
'=================================
'Code Written by VicodinES
'=================================
'Poppy ID : 5083-QyUo94005083.c
'=================================
'This Virus Is: Xix.Poppy
'VMPCK v1.0d [The Final Version?]
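
The indicators described above (the xix module, the c:\xix.drv export path, the code comments and the altered document properties) can be turned into a triage check. The following is an added example, not part of the original encyclopedia entry: the record layout, the function names and the sample records are hypothetical, and it assumes macro source and document properties have already been extracted by a separate tool.

```python
import unicodedata

# Indicators quoted from the description above; nothing else is assumed about the virus.
MODULE_NAME = "xix"
EXPORT_PATH = r"c:\xix.drv"
SOURCE_MARKERS = ("VMPCK", "Xix.Poppy")
PROPERTY_MARKERS = {  # keys follow the description's wording (author, name, notes)
    "author": "VOTA NAO R REGIONALIZAÇAO",
    "name": "JOAO JARDIM x8",
    "notes": "A REGIONALIZAÇAO É UM ERRO COLOSSAL",
}

def fold(text):
    """Casefold and drop diacritics so accent and case variants compare equal."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).casefold()

def triage(record):
    """Return the sorted list of indicators present in one extracted-document record."""
    hits = set()
    for name, source in record.get("modules", {}).items():
        if fold(name) == MODULE_NAME:
            hits.add("module-name")
        body = fold(source)
        if fold(EXPORT_PATH) in body:
            hits.add("export-path")
        if any(fold(m) in body for m in SOURCE_MARKERS):
            hits.add("source-comment")
    for field, marker in PROPERTY_MARKERS.items():
        if fold(marker) in fold(record.get("properties", {}).get(field, "")):
            hits.add("property-" + field)
    return sorted(hits)

# Constructed sample records (hypothetical output of a macro/metadata extractor).
INFECTED = {
    "modules": {"ThisDocument": "'VMPCK 1.0d w/Random Path + Update\n",
                "XIX": "' exported via C:\\XIX.DRV\n"},
    "properties": {"author": "Vota nao r regionalizacao! Sim ao reforco do municipalismo!",
                   "notes": "A REGIONALIZAÇAO É UM ERRO COLOSSAL!"},
}
CLEAN = {
    "modules": {"ThisDocument": "Sub Hello()\n    MsgBox \"sim\"\nEnd Sub\n"},
    "properties": {"author": "J. Jardim", "name": "Quarterly report"},
}

if __name__ == "__main__":
    for label, rec in (("infected", INFECTED), ("clean", CLEAN)):
        print(label, triage(rec))
```

Folding case and diacritics before comparison lets the check match the property strings whether or not the cedilla and accents survived extraction.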

© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.