W97M/Astia.bd
- Type: Virus
- SubType: Macro
- Discovery Date: 12/20/2000
- Length:
- Minimum DAT: 4113 (12/27/2000)
- Updated DAT: 4113 (12/27/2000)
- Minimum Engine: 5.1.00
- Description Added: 11/08/2001
- Description Modified: 12/03/2001 11:52 AM (PT)
Characteristics
The virus runs when a Word97 document is opened through its FileOpen macro. The macro disables the WordBasic auto macros and shows the File Open dialog. If the dialog is canceled, the virus re-enables the WordBasic auto macros. If a file is opened, the virus re-enables the WordBasic auto macros and runs the AutoOpen subroutine.
The main infection routine sets up source and destination variables, depending on where it was called from, and removes all code from the destination module unless that module is already infected by the virus. If the destination is not infected, the virus infects it using the OrganizerCopy method and then changes the VBProject's description to "Peace". If it is infecting the GlobalTemplate, the virus changes the SaveInterval property to 1, resets the Tools menu, creates a hotkey (Alt+M) for recording macros and then saves the ActiveDocument. No matter what it infected, the virus sets the Record Macro menu item under the Tools>Macro menu to execute the ViewVBCode macro. If the destination document is already infected, the virus just exits. If an error occurs during the infection routine (specifically 50289), the virus displays the following message with the caption "PAN1998" and exits:
"Anda Telah Bekerja Baik"
"Bersama membangun negeri "
After a document has been loaded via the AutoOpen macro, the virus disables the cancel key and calls upon the main infection routine. The virus checks all open document names. If it finds a name that does not equal the ActiveDocument name, it will set an infection pointer to the document and call upon the main infection routine. It loops until it has checked each open document. If the date is later than November 10th, 1998, the virus sets a timer event that will activate the "Action" subroutine in 22 minutes and 22 seconds. The virus then ends execution because it contains an end statement.
The "Action" macro adds a blank document and makes many changes to the active window: the caption is changed to "PAN1998", the zoom is set to 100%, full screen view is toggled (turned off if it is on, and on if it is off), the rulers are turned off, the horizontal and vertical scrollbars are turned off, the vertical ruler is turned off, the display of text boundaries is turned off, the full screen toolbar is ordered to be second and the full screen toolbar's caption is changed to "PAN1998" & the date. The virus fills the active window background with a random color and attempts to show a UserForm named Peacer. The full screen view is then toggled again. The virus resets the full screen toolbar, disables the WordBasic auto macros, closes the ActiveDocument and enables the WordBasic auto macros.
When the Visual Basic Editor is invoked via the ViewVBCode macro, the virus displays the following message:
"Sorry!"
"Sedang mengajukan kuesioner, bagaimana pendapat Anda mengenai PAN ? "
"Tentu lebih baik daripada partai yang bisanya hanya "
"berkelahi dan pura-pura mengatas-"
"namakan demokrasi, tapi nyatanya ??"
The caption of this message is "PAN1998", and it has a Yes and a No button. If the user selects the Yes button, the virus sends an 'm' character to the currently focused window. The VB Editor will not be shown.
When Word is started via the AutoExec macro, the virus checks for infection in the GlobalTemplate. If the GlobalTemplate is not infected, the virus calls upon the main infection routine, disables the WordBasic auto macros, unloads all Add-Ins without removing them from the list and enables the WordBasic auto macros. It then disables the cancel key.
When Word exits via the AutoExit macro, the virus disables the WordBasic auto macros, closes all open documents, sets the templates directory to the program directory and sets a Boolean variable to true. It checks through the Add-Ins collection for an add-in named "SNrml.dot" and sets the flag to false if it finds one. If the Boolean flag is true, the virus creates a new document and calls upon the main infection routine. It then saves the ActiveDocument in the Word startup directory as a document named "SNrml.src" and as a template named "SNrml.dot". The virus keeps these from being added to the recent file list and then forces Word to close. If an error occurs in this subroutine, the virus enables the WordBasic macros and exits the subroutine.
When the Macros dialog box is invoked via the ToolsMacro macro, the virus enables the WordBasic auto macros and checks each module in the ActiveDocument for modules named "ThisDocument", "NewMacros", "Peace" and "Peacer". If it finds a module without one of these names, it deletes all code from the module. If it finds a module named "NewMacros", it checks the MacroContainer object (the document object the virus is running from) to see if it is the ActiveDocument. If the MacroContainer is not the ActiveDocument, the virus calls upon the "ViewVBCode" macro. If the MacroContainer is the ActiveDocument, the virus attempts to execute the "ToolsMacro" subroutine in the GlobalTemplate, turns off all alerts, changes the Macros dialog box macro description text to "Selamat bekerja dengan aman dan nyaman, di bawah lindungan Allah SWT, dan pemerintahan yang makmur serta adil selalu " and shows this dialog. It executes the selected macro if the dialog returns 1, or exits if anything else is selected, and finally restores all alerts to their original state.
When the Templates and Add-Ins dialog box is invoked via the FileTemplates macro, the virus enables the WordBasic macros and displays the Templates and Add-Ins dialog.
When the Style dialog box is invoked via the FormatStyle macro, the virus will enable the WordBasic macros and display the Style dialog box.
After a document is closed via the AutoClose macro, the virus restores alerts to their original state, disables the SaveNormal prompt and the macro warning dialog, and sets the SaveInterval property to 10. If the active window caption is not equal to "pan1998" and the ActiveDocument name contains the letters "Docume" and is not "SNrml.dot", the virus will call upon the main infection routine.
When Word is closed using the Exit menu item under the File menu via the FileExit macro, the virus will call the AutoExit macro.
When the Options dialog box is invoked via the ToolsOptions menu, the virus sets the default templates file path to "C:\Program Files\Microsoft Office\Templates" and shows the Options dialog. If the dialog is closed, the virus changes the default templates file path back to the program directory.
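A defender-side triage sketch built from the indicators in the description above (an added example, not the vendor's detection logic): it checks VBA module names and source already extracted from a document or template, plus a listing of Word's startup directory, for the module names, hooked commands, strings and dropped files named in this write-up. The function name, the constructed sample inputs and the scoring thresholds are assumptions.

```python
import re

# Indicators named in the description above; the grouping is an assumption.
HOOKS = ["AutoOpen", "AutoExec", "AutoExit", "AutoClose", "FileOpen", "FileExit",
         "FileTemplates", "FormatStyle", "ToolsMacro", "ToolsOptions", "ViewVBCode"]
STRINGS = ["PAN1998", "SNrml.dot", "SNrml.src", "Anda Telah Bekerja Baik"]
MODULES = {"peace", "peacer"}
DROPPED = {"snrml.dot", "snrml.src"}

def triage(modules, startup_files=()):
    """modules: {module name: VBA source}; startup_files: names in Word's startup dir."""
    findings = set()
    for name, src in modules.items():
        if name.lower() in MODULES:
            findings.add(("module", name))
        for hook in HOOKS:
            # Match a Sub definition, not a mere mention of the command name.
            if re.search(rf"^\s*(?:Public\s+|Private\s+)?Sub\s+{hook}\b", src, re.I | re.M):
                findings.add(("hook", hook))
        for marker in STRINGS:
            if marker.lower() in src.lower():
                findings.add(("string", marker))
    for fname in startup_files:
        if fname.lower() in DROPPED:
            findings.add(("startup-file", fname))
    hooks = {v for k, v in findings if k == "hook"}
    specific = {k for k, _ in findings} & {"module", "string", "startup-file"}
    # Hooking built-in commands alone is common in benign templates, so a
    # family-specific marker is required before naming the family.
    if specific and len(hooks) >= 3:
        verdict = "likely W97M/Astia.bd"
    elif specific or hooks:
        verdict = "review"
    else:
        verdict = "clean"
    return verdict, sorted(findings)

# Constructed inputs: empty stubs that carry only the names and caption text.
SAMPLE_SUSPECT = {"Peace": "Sub AutoOpen()\nEnd Sub\nSub ToolsMacro()\nEnd Sub\n"
                           "Sub ViewVBCode()\n  ' caption \"PAN1998\"\nEnd Sub\n"}
SAMPLE_BENIGN = {"NewMacros": "Sub AutoOpen()\n  ' letterhead helper\nEnd Sub\n"}

if __name__ == "__main__":
    print(triage(SAMPLE_SUSPECT, ["SNrml.dot", "SNrml.src"]))
    print(triage(SAMPLE_BENIGN))
```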
Symptoms
Method of Infection
Removal
Use current engine and DAT files for detection and removal.
It is very common for macro viruses to disable options within Office applications; for example, in Word the macro protection warning is commonly disabled. After cleaning macro viruses, ensure that your previously set options are again enabled.
AVERT Recommended Updates:
* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch)
Variants
N/A
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Aliases
- Macro.Word97.Titasic (AVP)
- W97M.Astia.Gen (NAV)
- W97M/Astia.AI (Panda)
- W97M/Astia.BD (F-Prot)
- WM97/Astia-BD (Sophos)
- Word97Macro/Astia.BD (CA)