W97M/Lami
- Type: Virus
- SubType: Macro
- Discovery Date: 08/26/2002
- Length: N/A
- Minimum DAT: 4072 (04/05/2000)
- Updated DAT: 4072 (04/05/2000)
- Minimum Engine: 5.1.00
- Description Added: 09/06/2002
- Description Modified: 09/09/2002 8:44 AM (PT)
Characteristics
This threat is detected as W97M/Generic. The virus contains two modules (ThisDocument and Kamilla) and a form (frmAbout). On opening the infected document, the virus will replace text with the following:
"Kamila"" atacks"
Your word processor is infected.
Code written by Otto Gutenberg.
Almaty, 2001
The virus will also display the message "Happy new Year!!! Have a nice holiday", and delete the files with the following extensions in the current document folder: "*.sys", "*.drv", "*.dll", "*.dos". If the day is 16th December, the virus will cause the machine to exit Windows. W97M/Lami exports its code to C:\kamila.dll, C:\kama.dll and C:\kamafrm.dll. These files are not infected.
Selecting Tools/Macro displays the message "Your word processor is infected" and exits Windows. Selecting Tools/Visual Basic Editor will also delete the files with the following extensions in the current document folder: "*.sys", "*.drv", "*.dll", "*.dos".
Symptoms
- Macro warning disabled.
- The above messages displayed.
- The following files deleted from infected document directory between 28th December and 3rd January:
  - *.sys
  - *.drv
  - *.dll
  - *.dos
Method of Infection
Opening an infected document will directly infect the local Word environment and any document opened thereafter.
Removal
Use current engine and DAT files for detection and removal.
It is very common for macro viruses to disable options within Office applications; for example, in Word the macro protection warning is commonly disabled. After cleaning macro viruses, ensure that your previously set options are enabled again.
AVERT Recommended Updates:
* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch)
Variants
N/A
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.