Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

W97M/Class.A

W97M/Class.A is a polymorphic macro virus operating in the Microsoft Word 97 environments. Its presence in system can be found out by file class.sys existing in the root directory of the disk C:. After opening an infected document the virus W97M/Class.A disables the Word protection against macro viruses, prohibits confirming conversion of documents to completes as well as of saving templates.
On the 31st day in a month it displays the following window with message:

The virus exports its code into the file c:\class.sys; upon attacking documents and global template it imports its code from that file. The virus code in the infected file cannot be seen in the Word list of macros by means of the menu item Tools/Macro because W97M/Class.A stores its module into the area "class".
Polymorphic mechanism of the virus is ingeniously simple. The W97M/Class.A inserts a line with a note between each line of the code and a line of its code. Text of the note is formed by name of the Word user, current time and date, name of the active printer and again the current time and date. The inserted line could look as follows:

'replicator7/7/98 8:17:40 PM//KILLER/HP7/7/98 8:17:40 PM

© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.