Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically


Aliases: Class.Poppy

W97M/Class.B is a polymorphic macro virus operating in the Microsoft Word 97 environments. Its presence in system can be found out by file class.sys existing in the root directory of the disk C:. This version derived from the virus W97M/Class.A.
After opening an infected document the virus W97M/Class.B disables the Word protection against macro viruses, prohibits confirming conversion of documents to completes as well as of saving templates.
Starting with June the virus displays on the 14th day in a month the following window with message:

Text in the window is altered, instead of name "Doc" the virus always uses the name of the Word user which it finds out by means of the variable Application.UserName.
The virus exports its code into the file c:\class.sys; upon attacking documents and global template it imports its code from that file. The virus code in the infected file cannot be seen in the Word list of macros by means of the menu item Tools/Macro because W97M/Class.B stores its module into the area "class".
Polymorphic mechanism of the virus is ingeniously simple. The W97M/Class.B inserts a line with a note between each line of the code and a line of its code. Text of the note is formed by name of the Word user, current time and date, name of the active printer and again the current time and date. The inserted line could look as follows:

'replicator12/17/98 4:18:53PM//KILLER/HP PMwlogoatClippit
In the virus code there is a line with a note, which is the signature of the author:
'Class.Poppy v 1.2 by VicodinES /TNN /CB

© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.