














July Killer
W97M/JulyKiller.A is a rather unremarkable macro virus for Word 97. The virus is
obviously of Far Eastern origin - probably Chinese. It is a native W97M virus but, like
many other such Chinese viruses, most of it is unconverted WordBasic code - obviously its
author was not familiar with Visual Basic for Applications - the programming language of
Office 97 applications. The virus consists of a single VBA5 module named "a".
The module contains 4 subroutines with identical contents - AutoOpen, AutoClose, AutoNew
and AutoExec. Therefore, the virus receives control each time a document is opened,
closed, created, or when Word is started.
When it receives control, the first thing the virus does is to examine all add-ins
(accessible via Tools/Templates and Add-Ins of Word 97's menus) and unload all of those
whose name is not Autoexec.dot. The virus then changes the path of Word's Startup folder
(accessible via Tools/Options/File Locations of the menus of Word 97) to C:\. Then it
turns off the built-in macro virus protection of Word 97.
If the virus is running from a document containing the word "Autoexec" anywhere
in its name, the virus checks whether any of the opened documents or the global template
is infected. (This is determined by checking for the presence of a module named
"a".) If neither of them is, the virus opens the document C:\Autoexec.dot (in a
way which prevents it from appearing on the list of Most Recently Used files on Word's
menu) and copies itself from that document to all opened documents and templates whose
VBA projects are not protected.
The virus then checks whether a file named "Autoexec.dot" is present in the root
directory of drive C:. If it is not, a new template is created, it is infected, and is
saved in a file with this name. Again, the virus takes care to prevent the name of this
file from appearing on the MRU list.
The next action of the virus is to inspect all opened documents (except the one it is
running from) and templates. If their VBA projects are not protected, it looks there for
modules named AutoOpen, AutoClose, AutoNew and FileSave and removes them. This might be a
measure against another, competing virus, or against some unknown anti-virus product. The
virus then proceeds to infect these documents and templates.
Next, the virus performs some key and menu redirections. The key shortcuts Alt-F8 (default
for Tools/Macro/Macros) and Alt-F11 (default for Tools/Macro/Visual Basic Editor) are
redirected to perform File/Save As (both of them). Instead, Alt-F1 and Alt-F2 are set to
perform their actions (start the ToolsMacro dialog and VBA Editor respectively) - a kind
of "backdoor", so that the virus author (and those "in-the-know")
could still use them.
The virus also rebinds the Tools/Customize, Tools/Options, Tools/Templates and Add-Ins,
Tools/Macro/Macros and Tools/Macro/Visual Basic Editor menu items to execute its AutoClose
subroutine. However, the virus accesses these menu items by name - and it uses the Chinese
names for them - so, this rebinding will be successful only under the Chinese language
version of Word 97. Finally, the virus rebinds all items on the "Visual Basic"
command bar to its AutoClose subroutine and proceeds to save all opened documents.
The payload of the virus activates when the system date indicates that the current month
is July. If this is the case, the virus displays an input message box, asking the user
something in Chinese. I can't read Chinese, so I don't know what the message says. If the
user accepts the proposed default answer (also in Chinese) by clicking on the OK button,
the virus displays the message (this time in broken English) "You are wise,please
choose this later again,critically!" and exits.
If the user presses the Cancel button (or enters anything but the default response), the
virus keeps asking the same question two more times. Then it "loses patience",
displays the message
Stop it!you are so incurable to lose 3 chances! Now,god will punish you...
and modifies the user's C:\AUTOEXEC.BAT file, appending to it the line
deltree/y c:\
Usually this means that on the next reboot all files on drive C: will be removed.
Finally, the virus searches all running tasks for one containing the string "Visual
Basic" in its name (usually - the VBA Editor) and hides it - obviously, in an attempt
to prevent the user from debugging it.
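Because the destructive step only takes effect on the next reboot, a copy of C:\AUTOEXEC.BAT can be inspected and cleaned before the machine is restarted. The following check is an added example, not code from the original description or from any anti-virus product; the function names and the sample file content are constructed for illustration, and it goes slightly beyond the exact line quoted above by also catching spacing, case and "*.*" variants.

```python
import re

def is_destructive_deltree(line):
    """True if a batch line runs DELTREE with /Y against the root of a drive."""
    # Ignore surrounding whitespace and the "@" echo-suppression prefix.
    text = line.strip().lstrip("@").strip().lower()
    # "rem deltree ..." does not match: the command must start the line.
    m = re.match(r"deltree(?:\.exe)?(?=[\s/]|$)(.*)", text)
    if not m:
        return False
    args = m.group(1)
    # /Y suppresses the confirmation prompt, so the deletion runs unattended.
    has_yes = re.search(r"/y(?=[\s/]|$)", args) is not None
    # A bare drive root (c:\ or c:\*.*), not a subdirectory such as c:\temp.
    hits_root = re.search(r"(?:^|\s)[a-z]:\\(?:\*(?:\.\*)?)?(?=\s|$)", args) is not None
    return has_yes and hits_root

def scan_autoexec(content):
    """Return (findings, cleaned): flagged (line_no, text) pairs and the file without them."""
    findings, kept = [], []
    for no, line in enumerate(content.splitlines(), start=1):
        if is_destructive_deltree(line):
            findings.append((no, line.strip()))
        else:
            kept.append(line)
    return findings, "\r\n".join(kept) + "\r\n"

# Constructed sample of an AUTOEXEC.BAT after the payload has run.
SAMPLE = (
    "@ECHO OFF\r\n"
    "PATH C:\\WINDOWS;C:\\WINDOWS\\COMMAND\r\n"
    "REM deltree/y c:\\ (commented out, harmless)\r\n"
    "DELTREE /Y C:\\TEMP\r\n"
    "deltree/y c:\\\r\n"
)

if __name__ == "__main__":
    found, cleaned = scan_autoexec(SAMPLE)
    for no, text in found:
        print(f"line {no}: {text}")
    print(cleaned, end="")
```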
In general, we do not think that this virus presents any serious threat - and it certainly
does not deserve the media attention it has received. It is simply just yet another
boring, stupid, badly written virus, created by somebody with more time on his hands than
brain in his head. It is slow and obvious and has no significant chances of surviving in
the wild. Of course, our anti-virus products have been updated to recognize, identify and
disinfect the virus (they already could detect it with our macro virus heuristics). The
virus has been given undeserved attention by the media. Such scare tactics are, at best, a
questionable practice of some anti-virus producers to get public exposure. In the long
run, it harms both the anti-virus industry and the users and only serves to boost the
virus writer's ego unnecessarily.