Details:
This virus hooks the following macros:
- FILESAVE
- FILEPRINT
- FILECLOSE
- FILEEXIT
- TOOLSMACRO
- FILETEMPLATES
- VIEWVBCODE
- FILENEW
- AUTOOPEN
- AUTOEXIT
- AUTOEXEC
Upon execution, it changes the document summary information to the following:
- Author = "VicodinES"
- Title = "Another W97M/Cartman.Poppy Infected Document"
- Subject = "Hello from VicodinES and The Narkotic Network...we mean you no harm"
- Keywords = "| VicodinES | Klonopin.Jones | Fastin.Blee |"
This virus creates MSFILE.BAT in the folder c:\windows\startm~1\programs\startup\. The batch file deletes the global template file (usually NORMAL.DOT) from the c:\progra~1\micros~1\templa~1 and c:\progra~1\micros~2\templa~1 folders. The virus then deletes itself.
Because MSFILE.BAT is placed in the startup folder, it is executed automatically during startup and the global template is deleted.
When a user opens the Tools/Macro or Tools/Templates menu items, the contents of the active document are deleted.
This virus tries to connect to the following Web site: http://www.yahoo.com/News_and_Media/Television/Shows/Cartoons/South_Park/
This virus then prompts the user to save the active document. If there are no open documents, the virus does not connect to the Web site but displays a message box.
It also contains the following text:
W97M/Cartman.Poppy By VicodinES (The Kyle of The Virus Underground) Macro Virus for Word97 "The Fat-ass Macro97 Engine v2.3 featuring Starvin Marvin Technology"
Analysis By: Jose Carlo M. Cequeña
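A triage sketch built from the indicators listed above, added here as an example and not part of the original analysis: it walks a directory tree and flags Word documents carrying the summary-information strings and any MSFILE.BAT that deletes a template. The function names, the raw byte search (a heuristic that does not parse the property stream) and the assumption that the batch file contains a `del` command naming a `.dot` file are illustrative, since the batch file's exact contents are not given on this page.

```python
import os

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE2 compound file header (Word 97)
# Summary-information strings quoted in the description above.
SUMMARY_MARKERS = [
    b"Another W97M/Cartman.Poppy Infected Document",
    b"Hello from VicodinES and The Narkotic Network",
    b"| VicodinES | Klonopin.Jones | Fastin.Blee |",
]
DROPPED_BATCH = "msfile.bat"


def check_document(path):
    """Return the summary markers found in an OLE2 document, or [] if none."""
    with open(path, "rb") as fh:
        data = fh.read()
    if not data.startswith(OLE_MAGIC):
        return []
    # Properties are normally 8-bit strings; also try UTF-16LE to be safe.
    return [m.decode() for m in SUMMARY_MARKERS
            if m in data or m.decode().encode("utf-16-le") in data]


def check_batch(path):
    """True if a file named MSFILE.BAT also deletes a .DOT file (assumed form)."""
    if os.path.basename(path).lower() != DROPPED_BATCH:
        return False
    with open(path, "r", errors="replace") as fh:
        text = fh.read().lower()
    return "del" in text and ".dot" in text


def scan(root):
    """Walk root and return a sorted list of (path, reason) findings."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            if check_batch(path):
                findings.append((path, "startup batch file deleting a template"))
            elif name.lower().endswith((".doc", ".dot")):
                hits = check_document(path)
                if hits:
                    findings.append((path, "summary info: " + "; ".join(hits)))
    return sorted(findings)
```

Run `scan()` against the startup folder and document shares; a hit is a lead for manual review, not a verdict.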