Threat Encyclopedia


W97M/ColdApe.A

W97M/ColdApe.A is a macro virus that operates in the Microsoft Word 97 environment. It infects documents when they are closed, as well as the global template normal.dot.
After an infected document is opened, the virus prevents the user from interrupting application activity from the keyboard, disables Word's anti-virus protection, and disables the prompt asking the user to confirm saving the global template. It also allows conversion of macros.
The virus detects its own presence in a document by checking for the string 'ACM in the second line of its code. It immediately infects the global template normal.dot, so that all newly created documents are infected by the virus. To infect, it uses the function AddFromString.
The virus reads the value of the item AVM-DC in the system registry key HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Office\8.0. If it does not exist, the virus sets its value to the current date. Through the system registry the virus also determines whether Windows Scripting Host is installed. If Windows Scripting Host is installed, the virus has altered the value of the above-mentioned key, and the item AVM-VBS in the registry branch HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Office\8.0 does not have the value "Done", the virus creates the file happy.vbs in the root directory of disk C: and executes it.
The virus records the creation of the file happy.vbs in the system registry by setting the value of the item "AVM-VBS" in the branch HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Office\8.0 to "Done".
In addition, the virus creates the file a4.vbs in the root directory of disk C: and executes it.
Note: In the following text the symbolic entry %windir% stands for the directory in which the Windows operating system is installed, since that directory may differ from one installation to another.
The file happy.vbs is a virus written in Visual Basic Script. It creates the file avm.vbs in the directory %windir% and copies itself into that file. This script virus infects all files with the extension VBS in the root directory of the disk on which Windows is installed and in the directories %windir%, %windir%/Desktop, %windir%/MyDocuments and %windir%/Startup. Functionally, this script virus is completely independent of the virus W97M/ColdApe.A.
At the end of the file happy.vbs, as well as of the virus W97M/ColdApe.A itself, there is the following text:

' Nick "The Love Monkey" Virus Package by ALT-F4 and ALT-F11 for the Alternative Virus Mafia

If the mail client Microsoft Outlook is installed on the infected computer, the script in the file A4.VBS sends two e-mail messages. The first is addressed to avm@nym.alias.net, the second to nick@virusbtn.com. The first address evidently belongs to the virus author, and the message sent to it contains in its body only the IP address of the attacked computer. The second address belongs to the former editor of Virus Bulletin, a magazine specializing in computer viruses. The message sent to this address contains the following text in its body:

Dear Nicky... my name is name_of_infected_computer and I want to make hot monkey love with you. You anti-virus stud!
The text "name_of_infected_computer" is replaced by the actual name of the computer infected by the virus.
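
The registry items, dropped files and code marker described above can be checked against data collected from a suspect machine. The following triage script is an added example, not part of the original encyclopedia entry; it assumes the registry was saved with "reg export" and already decoded to text, and the function names, the default %windir% of C:\Windows and the sample data are hypothetical.

```python
import re
# Indicators taken from the description above.
KEY = r"HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Office\8.0"
REG_VALUES = ("AVM-DC", "AVM-VBS")
ROOT_FILES = ("happy.vbs", "a4.vbs")   # created in the root directory of C:
WINDIR_FILE = "avm.vbs"                # copy made by happy.vbs in %windir%
MARKER = "'ACM"                        # expected on line 2 of the macro code

def parse_reg_export(text):
    """Parse decoded `reg export` text into {key_lower: {value_name: data}} (string values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:  # .reg files double the backslashes inside string data
                current[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys

def triage(reg_text, file_paths, macro_source="", windir=r"C:\Windows"):
    """Return a sorted list of W97M/ColdApe.A indicators found in the collected data."""
    hits = []
    values = parse_reg_export(reg_text).get(KEY.lower(), {})
    for name in REG_VALUES:
        if name in values:
            hits.append(f"registry:{name}={values[name]}")
    # Windows paths are case-insensitive, so compare in lower case.
    present = {p.replace("/", "\\").rstrip("\\").lower() for p in file_paths}
    expected = [f"C:\\{f}" for f in ROOT_FILES] + [f"{windir}\\{WINDIR_FILE}"]
    hits += [f"file:{p}" for p in expected if p.lower() in present]
    lines = macro_source.splitlines()
    if len(lines) >= 2 and MARKER in lines[1]:
        hits.append("macro:marker on line 2")
    return sorted(hits)

# Constructed sample data (not captured from a real host).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Office\8.0]
"AVM-DC"="01/02/1999"
"AVM-VBS"="Done"
'''
SAMPLE_FILES = [r"C:\HAPPY.VBS", r"c:\windows\avm.vbs", r"C:\Users\a\report.doc"]
SAMPLE_MACRO = "Sub AutoClose()\n'ACM\nEnd Sub\n"

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_REG, SAMPLE_FILES, SAMPLE_MACRO)))
```

An empty result means none of the indicators named in this entry were found in the supplied data.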

© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.