Content

W97M/Trolox

Type
Virus
SubType
Macro
Discovery Date
07/04/2001
Length
N/A
Minimum DAT
4072 (04/05/2000)
Updated DAT
4072 (04/05/2000)
Minimum Engine
5.1.00
Description Added
03/08/2003
Description Modified
03/08/2003 1:09 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Tab Navigation

Characteristics

This threat is detected as W97M/Generic. On opening the infected document, the virus will set the security level for Word2K to low and export its code to C:\MSWIN.DLL and then delete this file. Tools/Macro and Tools/Visual Basic Editor will display the following message:

Internal Error. Word is unable to activate this command

If day is 3rd of July, the virus will set the Word application background to blue and launch notepad and attempt to insert the message:
'FEEL MY WRATH.......'

If day is 4th of July, the virus will set the Word application background to blue and delete the following files:

  • C:/My Documents/*.*
  • C:/Program Files/Internet Explorer
  • C:/Windows/*.*
  • C:/Windows/System
  • C:/Windows/System32/Drivers
The virus will delete the C:/My Documents. The following message will then be displayed:

Happy July 4th!!

Symptoms

The above messages on the 3rd and 4th of July. The above files deleted on July 4th.

Method of Infection

Opening an infected document will directly infect the local Word environment and any document opened thereafter.

Removal

Use current engine and DAT files for detection and removal.

It is very common for macro viruses to disable options within Office applications for example in Word, the macro protection warning commonly is disabled. After cleaning macro viruses, ensure that your previously set options are again enabled.

AVERT Recommended Updates:

* Office 2000 updates

* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch)

Variants

Variants

    N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • Macro.Word97.Wrath (AVP)
  • W97M.Trolox.A (NAV)

Characteristics

Characteristics -

This threat is detected as W97M/Generic. On opening the infected document, the virus will set the security level for Word2K to low and export its code to C:\MSWIN.DLL and then delete this file. Tools/Macro and Tools/Visual Basic Editor will display the following message:

Internal Error. Word is unable to activate this command

If day is 3rd of July, the virus will set the Word application background to blue and launch notepad and attempt to insert the message:
'FEEL MY WRATH.......'

If day is 4th of July, the virus will set the Word application background to blue and delete the following files:

  • C:/My Documents/*.*
  • C:/Program Files/Internet Explorer
  • C:/Windows/*.*
  • C:/Windows/System
  • C:/Windows/System32/Drivers
The virus will delete the C:/My Documents. The following message will then be displayed:

Happy July 4th!!

Symptoms

Symptoms -

The above messages on the 3rd and 4th of July. The above files deleted on July 4th.

Method of Infection

Method of Infection -

Opening an infected document will directly infect the local Word environment and any document opened thereafter.

Removal -

Removal -

Use current engine and DAT files for detection and removal.

It is very common for macro viruses to disable options within Office applications for example in Word, the macro protection warning commonly is disabled. After cleaning macro viruses, ensure that your previously set options are again enabled.

AVERT Recommended Updates:

* Office 2000 updates

* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch)

Variants

Variants -

    N/A