Threat Encyclopedia

W97M/Class.D

W97M/Class.D is a polymorphic macro virus that operates in the Microsoft Word 97 environment. Its presence on a system is indicated by the file class.sys in the root directory of drive C:. Functionally it is identical to the virus W97M/Class.B.
After an infected document is opened, W97M/Class.D disables Word's protection against macro viruses and turns off the confirmation prompts for document conversion and for saving templates.
Starting with June, on the 14th day of each month the virus displays a window with the following message:

The text in the window varies: instead of the name "Doc", the virus always uses the name of the Word user, which it obtains from the variable Application.UserName.
The virus exports its code to the file c:\class.sys; when attacking documents and the global template, it imports its code from that file. The virus code in an infected file is not visible in Word's list of macros under the menu item Tools/Macro, because W97M/Class.D stores its module in the area "class".
The polymorphic mechanism of the virus is ingeniously simple. W97M/Class.D inserts a comment line between every two lines of its code. The text of the comment is formed from the name of the Word user, the current time and date, the name of the active printer, and again the current time and date. An inserted line could look as follows:

'replicator12/17/98 4:18:53PM//KILLER/HP PMwlogoatClippit

The virus code contains a comment line that is the signature of the author:

'Class.Poppy v 1.2 by VicodinES /TNN /CB
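
Because the inserted lines are comment-only, they change the raw bytes of every copy but not the code itself. The following is an added example, not part of the original entry: it fingerprints module source with comment lines stripped, flags the comment-before-every-code-line layout, and looks for the signature string. It assumes the module source has already been extracted as text; the function names and the harmless sample modules are constructed for illustration.

```python
import hashlib

AUTHOR_MARK = "class.poppy"  # from the signature comment quoted in this entry

def is_comment(line):
    """True for a VBA comment-only line (leading apostrophe or Rem)."""
    s = line.strip().lower()
    return s.startswith("'") or s == "rem" or s.startswith("rem ")

def fingerprint(source):
    """SHA-256 over code lines only, with case and whitespace folded."""
    code = [" ".join(l.lower().split()) for l in source.splitlines()
            if l.strip() and not is_comment(l)]
    return hashlib.sha256("\n".join(code).encode("utf-8")).hexdigest()

def looks_interleaved(source, threshold=0.8, min_code_lines=3):
    """True when most code lines directly follow a comment-only line."""
    lines = [l for l in source.splitlines() if l.strip()]
    code_idx = [i for i, l in enumerate(lines) if not is_comment(l)]
    if len(code_idx) < min_code_lines:
        return False
    hits = sum(1 for i in code_idx if i > 0 and is_comment(lines[i - 1]))
    return hits / len(code_idx) >= threshold

def has_author_mark(source):
    """True when any comment line carries the author's signature string."""
    return any(is_comment(l) and AUTHOR_MARK in l.lower()
               for l in source.splitlines())

# Constructed, harmless module text: same code, different inserted comments.
CLEAN = "Sub Demo()\nx = 1\ny = x + 1\nEnd Sub\n"
GEN_A = ("'alice01/14/99 9:02:11AM//LAB/LaserJet\nSub Demo()\n"
         "'alice01/14/99 9:02:11AM//LAB/LaserJet\nx = 1\n"
         "'alice01/14/99 9:02:11AM//LAB/LaserJet\ny = x + 1\n"
         "'alice01/14/99 9:02:11AM//LAB/LaserJet\nEnd Sub\n")
GEN_B = ("'bob02/14/99 3:40:07PM//FRONTDESK/DeskJet\nSub Demo()\n"
         "'Class.Poppy v 1.2 by VicodinES /TNN /CB\n"
         "'bob02/14/99 3:40:07PM//FRONTDESK/DeskJet\nx = 1\n"
         "'bob02/14/99 3:40:07PM//FRONTDESK/DeskJet\ny = x + 1\n"
         "'bob02/14/99 3:40:07PM//FRONTDESK/DeskJet\nEnd Sub\n")

if __name__ == "__main__":
    for name, src in (("CLEAN", CLEAN), ("GEN_A", GEN_A), ("GEN_B", GEN_B)):
        print(name, fingerprint(src)[:16], looks_interleaved(src),
              has_author_mark(src))
```

The two sample generations differ byte for byte yet produce the same fingerprint, which is why a signature built on comment-stripped source stays stable across copies.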

Compared to W97M/Class.B, the variant W97M/Class.D contains one extra activity, which runs depending on the number of code lines in the main module of the Word global template, the file normal.dot. By manipulating the system registry under the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion, the virus changes the name of the registered Windows owner to "VicodinES /CB /TNN" and the name of the company to which the Windows copy is registered to "-(Dr. Diet Mountain Dew)-."

© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.