Selected viruses, spyware, and other threats: sorted alphabetically
W97M/Story.A represents a combination of a macro virus for Microsoft Word and a worm for IRC client mIRC.
After an infected document is opened the virus turns off the Word anti-virus protection, it enables conversion of documents and saving of global template without confirming dialogue, it disables screen renewal and interruption by means of a key.
The virus checks whether there is the text "Jack-In-The-Box" in the global template Normal.dot and in the third line of the active document.
If the virus does not find the text it infects the global template and/or the active document.
If the virus is activated from the global template Normal.dot it searches for the file C:\mirc\mirc32.exe. In that way the virus tries to find out the presence of IRC client mIRC. The given location is used at standard mIRC installation.
If the file C:\mirc\mirc.ini exists the virus deletes it and replaces it by a new file which it creates. Then the virus is copied into the file C:\Windows\Story.doc – but only in case that this file is not yet on the disk.
To make its detection and removal more difficult the virus disables the Microsoft Word menus Tools/Macro, Tools/Customize, View/Toolbars and View/Status Bar.
Activity of the file mirc.ini
File mirc.ini is an initializing IRC file of mIRC client. NOD32 detects it as mIRC/Story.A.
Upon running the file the internal variables are set and the author of the virus is notified that an attacked computer is connected to IRC. Contents of the file C:\mirc\mirc.ini are copied into the file C:\Windows\script1.ini.
The attacked computer offers by means of IRC the infected file C:\Windows\Story.doc for a download. At the same time it sends out a message with the text:
Hey, I can't talk right now but I wanted to send you this file. It has a funny story you should read, and also has macros inside that protect you from a lot of viruses. Just open the document, enable the macros, and if you are infected it will get rid of the virus
If someone invites the user of the attacked computer to a different IRC channel, after being connected the virus fist sends him a message with the following text:
I'm a little busy so I can't talk much now. I thought you might want to look at this file I got. It has a funny story and also has macros in it which get rid of any macro viruses. Just enable the macros when the prompt comes up and it will scan for any viruses and clean them.
Almost immediately the virus sends the infected file C:\Windows\Story.doc.
If someone on IRC uses words containing some of the strings script, worm, virus, infect, Jack, Box, macro, Story.doc, mIRC on the attacked computer will ignore him.
After disconnecting from IRC the virus copies the file C:\Windows\script1.ini into the file C:\mirc\mirc.ini.
© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.