Threat Encyclopedia


W97M/Ftip

W97M/Ftip is a worm written in Visual Basic. It spreads as an email attachment in the Microsoft Office environment. It arrives as the file ftip.doc attached to an email message with the subject "elekRE:". The message body contains the following text:

Chtel si ftipy, tak tady je mas!!! ;)))

[doc]
---
Odchozí zpráva neobsahuje viry.
Zkontrolováno antivirovým systémem AVG (http://www.grisoft.cz).
Verze: 6.0.219 / Virová báze: 103 - datum vydání: 5.12.2000

(Meaning: You wanted jokes so here you have some! Outgoing message does not contain viruses. Checked by the AVG anti-virus system (http://www.grisoft.cz).
Version: 6.0.219 / Virus base: 103 – date of issue: 5.12.2000)

In place of [doc], the worm writes the name of the current computer user. The worm's code itself starts with two comment lines. In these comments we can identify the title the author wanted to give his creation and his signature. The two lines are as follows:

S' W97/2k.i0nSt0rm
' Code by gl_st0rm
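The mail and macro indicators described above can be combined into a triage check for a mail gateway or a mailbox sweep. The following Python is an added example, not part of the original entry or any Eset tooling; the function names, the verdict policy in `triage`, and the sample message are assumptions constructed for illustration, and the macro text is assumed to have been extracted from the document already.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators quoted in the description above.
SUBJECT = "elekRE:"
ATTACHMENT = "ftip.doc"
BODY_MARKER = "Chtel si ftipy, tak tady je mas!!!"
MACRO_MARKERS = ("W97/2k.i0nSt0rm", "Code by gl_st0rm")


def mail_indicators(raw: bytes) -> set:
    """Return which mail-level indicators appear in one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = set()
    if (msg["Subject"] or "").strip() == SUBJECT:
        hits.add("subject")
    for part in msg.walk():
        name = part.get_filename()
        if name and name.strip().lower() == ATTACHMENT:
            hits.add("attachment")  # Windows file names are case-insensitive
        elif name is None and part.get_content_type() == "text/plain":
            if BODY_MARKER in part.get_content():
                hits.add("body")
    return hits


def macro_indicators(source: str) -> set:
    """Return the author's comment markers found in already-extracted macro text."""
    return {m for m in MACRO_MARKERS if m in source}


def triage(raw: bytes, macro_source: str = "") -> str:
    """Hypothetical policy: macro markers, or the attachment plus one more mail hit, is a match."""
    mail = mail_indicators(raw)
    if macro_indicators(macro_source) or ("attachment" in mail and len(mail) >= 2):
        return "match"
    return "suspect" if mail else "clean"


def sample_message(subject: str, filename: str, body: str) -> bytes:
    """Constructed sample mail; the attachment bytes are a harmless placeholder."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="msword", filename=filename)
    return msg.as_bytes()
```

A single mail-level hit is reported only as "suspect" because a subject or file name alone is easy to collide with legitimate mail.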

After the infected document is loaded, the worm turns off the warnings that could reveal its presence. For example, it suppresses the display of Visual Basic errors, macro conversion information and anti-virus protection messages. In addition, the worm sets the security level for Microsoft Office to 1 (the lowest value). It then sends copies of itself to the first 30 e-mail addresses in the address book. It records that the worm has already been sent from this computer by creating the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\i0nSt0rm in the system registry. It sets the value of the registry to ...by gl. This ensures that the worm will not send out more copies. In one of three cases the following window is displayed after the infected document is closed:

© 1992-2004 Eset s.r.o. All rights reserved. No part of this encyclopedia may be reproduced, transmitted or used in any other way in any other form or by any means without prior permission from Eset.