Selected viruses, spyware, and other threats: sorted alphabetically
W97M/Verlor.A
W97M/Verlor.A is a macro virus that operates in the Microsoft Word 97 environment. It uses the "class" method of infection: it attacks the module "ThisDocument", which is present by default in every Word document and template. It infects the global template normal.dot and Word documents. An infection shows itself by the presence of a module named Module in the infected document.
When an infected document is opened, W97M/Verlor.A determines the directory in which the Windows operating system is installed (%windir%). If it finds the file tempad.dll or tempnt.dll there, it deletes it. It then turns off Word's anti-virus protection and disables the warning windows shown when templates are written to and when macros are converted. If the virus does not find a line with the comment 'MyName = Overlord in the module named Module of the global template, it exports its body to the file tempad.dll in the %windir% directory and infects the template. After infecting the template, the virus infects documents when they are closed.
When infecting a document, however, the virus exports its code to a file named tempnt.dll, which is also located in the %windir% directory.
If the file c:\Himem.sys exists, W97M/Verlor.A copies it to c:\Himem.sy_ and deletes the original. The virus then writes the names and paths of infected documents to the file c:\Himem.sys.
The virus contains an elaborate stealth mechanism. It copies the file win.ini to win._ni and adds the line run = " & windir & "\overlord.b.vbs to the [windows] section of win._ni. As a result, the script overlord.b.vbs is run after each restart of the operating system. The virus then renames win._ni to win.ini and deletes the original file. It also exports its code to the file %windir%\overlord.b.dll.
The created file overlord.b.vbs re-infects the global template and all documents listed in the file c:\Himem.sys.
When an attempt is made to open the Visual Basic editor, the virus removes its code from the global template and from open documents; when the editor is closed, it infects them again.
The virus body contains the following comment lines:
'MyName = Overlord
'WrittenBy = f0re [UC/Skamwerks/DVC]
'Version = .B (1.1)
'Put this code in a module called "Module". This is another version of overlord.
'It uses a different stealth mechanism. Again however not perfect stealth,
'but perhaps also a nice attempt i hope :).
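An added example, not part of the original encyclopedia entry: a Python check for the on-disk artifacts described above (the exported files in %windir%, the c:\Himem.sy_ backup, and the run= line in the [windows] section of win.ini). The function names are hypothetical, and the case-insensitive matching and latin-1 decoding are assumptions made so the check also works on a mounted disk image.

```python
import os

# File names taken from the description above; all live in %windir% unless noted.
# tempad.dll / tempnt.dll are deleted by the virus on its next run, so they may be absent.
WINDIR_FILES = ("tempad.dll", "tempnt.dll", "overlord.b.vbs", "overlord.b.dll", "win._ni")
ROOT_FILES = ("himem.sy_",)          # backup copy the virus makes of c:\Himem.sys
MARKER = "overlord.b.vbs"            # script referenced by the run= line in win.ini


def _names(directory):
    """Lower-cased listing, so a mounted image on a case-sensitive FS still matches."""
    try:
        return {n.lower(): os.path.join(directory, n) for n in os.listdir(directory)}
    except OSError:
        return {}


def winini_run_hits(path):
    """Return run= values in the [windows] section of win.ini that reference the script."""
    hits, section = [], ""
    try:
        with open(path, encoding="latin-1") as fh:
            for raw in fh:
                line = raw.strip()
                if line.startswith("[") and line.endswith("]"):
                    section = line[1:-1].strip().lower()
                elif section == "windows" and "=" in line and not line.startswith(";"):
                    key, value = line.split("=", 1)
                    if key.strip().lower() == "run" and MARKER in value.lower():
                        hits.append(value.strip())
    except OSError:
        pass
    return hits


def find_verlor_artifacts(windir, root):
    """Collect (kind, detail) findings for the artifacts listed in the description."""
    win, top = _names(windir), _names(root)
    found = [("file", win[n]) for n in WINDIR_FILES if n in win]
    found += [("file", top[n]) for n in ROOT_FILES if n in top]
    if "win.ini" in win:
        found += [("win.ini run=", v) for v in winini_run_hits(win["win.ini"])]
    return found


if __name__ == "__main__":
    for kind, detail in find_verlor_artifacts(os.environ.get("windir", r"C:\Windows"), "C:\\"):
        print(kind, detail)
```

A hit on c:\Himem.sy_ also means the current c:\Himem.sys should be treated as the virus's list of infected documents rather than as the original driver file.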
© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.

