Sunday, 03 July 2005
W97M.Enife is a Microsoft Word macro virus that infects the Microsoft Word global template (Normal.dot) and other Word documents. It also deletes files and lowers the Microsoft Word macro security setting.
Type: Virus
Infection Length: 2,433 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
W97M.Enife creates a module called "Efine" in the global template file. The virus also runs when Tools > Macro is selected in Microsoft Word.
When an infected Microsoft Word document is opened, the virus performs the following actions:
Sets the value:
"Level" = "1"
in the registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security
which sets the Word 2000 macro security level to Low (1 = Low, 2 = Medium, 3 = High), so macros in documents opened afterwards run without a warning.
Adds the values:
"Anchor Color" = " 139,69,19"
"Anchor Color Visited" = " 255,255,0"
"Background Color" = " 0,0,255"
"Text Color" = " 255,0,0"
"Use Anchor Hover Color" = " yes"
to the registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
to alter the Internet Explorer colors.
Deletes the following files:
C:\Arquivos de programas\*.*
C:\Program Files\*.*
C:\My Documents\*.*
C:\Meus Documentos\*.*
C:\WINDOWS\Command\*.*
C:\WINDOWS\Temp\*.*
C:\WINDOWS\Help\*.*
C:\WINDOWS\Fonts\*.*
NOTE: The directory path names are hard coded (the Portuguese paths are the Windows default folder names on a Brazilian Portuguese installation).
Displays the following message box:
Title: Macro virus informa!! (Portuguese: "Macro virus informs!!")
Message: Virus fez uma limpeza! ("Virus did a cleanup!")
If the day of the month is 7, 15, 21 or 29, displays the following message box:
Title: Virus esclarece!! ("Virus clarifies!!")
Message: Virus deletou arquivos!! ("Virus deleted files!!")
and deletes the following files:
C:\WINDOWS\*.com
C:\WINDOWS\*.ini
C:\WINDOWS\*.txt
C:\WINDOWS\*.gif
Note: The path is hard coded.
When the document is closed, the virus saves it as C:\Windows\Virtual[any number between 1 and 55].doc and writes the "Efine" module to the global template file.
Click Start > Run.
Type regedit
Click OK.
Note: If the registry editor fails to open the threat may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.
Navigate to the subkey:
HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security
In the right pane, reset the following value, which the virus sets to 1 (Low), to your normal Word 2000 macro security level (2 = Medium or 3 = High):
"Level" = "1"
Navigate to the subkey:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
In the right pane, reset the value if appropriate:
"Anchor Color" = " 139,69,19"
"Anchor Color Visited" = " 255,255,0"
"Background Color" = " 0,0,255"
"Text Color" = " 255,0,0"
"Use Anchor Hover Color" = " yes"
Exit the Registry Editor.
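As an added example (not part of the original advisory), the following PowerShell script performs the registry checks above on the affected user's profile, looks for the Virtual[n].doc copies the virus saves into C:\Windows, and, when run with -Remediate, reverses the registry changes. The registry paths, value names and indicator values are those listed on this page; the Level meanings (1 = Low, 2 = Medium, 3 = High) are Word 2000's; the script name Check-Enife.ps1, the -RestoreLevel default of 3, and the choice to remove the Internet Explorer colour values (so IE falls back to its defaults) are assumptions. The script does not open Normal.dot to look for the "Efine" module.

```powershell
# Check-Enife.ps1 (added example, not code from the advisory).
# Reports the W97M.Enife registry and file indicators described above;
# -Remediate restores the Word macro security level and removes the
# Internet Explorer colour values the virus added.
param(
    [switch]$Remediate,
    # Assumed default: restore Word 2000 macro security to High (3).
    [ValidateSet(1, 2, 3)]
    [int]$RestoreLevel = 3
)

# Registry subkeys named in the advisory (HKCU = the affected user's hive).
$wordSecurity = 'HKCU:\Software\Microsoft\Office\9.0\Word\Security'
$ieSettings   = 'HKCU:\Software\Microsoft\Internet Explorer\Settings'

# Internet Explorer values the virus writes, copied verbatim from the advisory
# (the leading space in each data string is part of what the virus writes).
$ieIndicators = @{
    'Anchor Color'           = ' 139,69,19'
    'Anchor Color Visited'   = ' 255,255,0'
    'Background Color'       = ' 0,0,255'
    'Text Color'             = ' 255,0,0'
    'Use Anchor Hover Color' = ' yes'
}

# Directory the virus writes its Virtual[n].doc copies to; hard coded in the
# virus, so it is hard coded here rather than taken from %SystemRoot%.
$dropDir = 'C:\Windows'

$findings = @()

# 1. Word 2000 macro security forced to Low (Level = 1).
if (Test-Path $wordSecurity) {
    $level = (Get-ItemProperty -Path $wordSecurity -ErrorAction SilentlyContinue).Level
    if ($level -eq 1) {
        $findings += "Word 9.0 macro security Level = 1 (Low) under $wordSecurity"
        if ($Remediate) {
            Set-ItemProperty -Path $wordSecurity -Name 'Level' -Value $RestoreLevel -Type DWord
        }
    }
}

# 2. Internet Explorer colour values that match the virus's hard-coded data.
if (Test-Path $ieSettings) {
    $props = Get-ItemProperty -Path $ieSettings -ErrorAction SilentlyContinue
    foreach ($name in $ieIndicators.Keys) {
        $current = $props.$name
        if ($null -ne $current -and $current -eq $ieIndicators[$name]) {
            $findings += "IE setting '$name' = '$current' matches the W97M.Enife value"
            if ($Remediate) {
                # Assumption: these values are absent on a clean profile, so
                # deleting them returns IE to its default colours.
                Remove-ItemProperty -Path $ieSettings -Name $name -ErrorAction SilentlyContinue
            }
        }
    }
}

# 3. Infected documents re-saved as C:\Windows\Virtual<1..55>.doc on close.
if (Test-Path $dropDir) {
    $dropped = Get-ChildItem -Path $dropDir -Filter 'Virtual*.doc' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.BaseName -match '^Virtual([1-9]|[1-4][0-9]|5[0-5])$' }
    foreach ($f in $dropped) {
        $findings += "Dropped document: $($f.FullName) ($($f.Length) bytes)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No W97M.Enife indicators found.'
} else {
    $findings | ForEach-Object { Write-Output "FOUND: $_" }
    if ($Remediate) {
        Write-Output 'Registry changes reversed. Dropped documents were reported, not deleted.'
    }
}
```

Run it as the user whose profile was infected, first without switches to see the report and then with -Remediate to reverse the registry changes. The Virtual[n].doc files are reported but left in place because they are copies of the user's own documents and still carry the infected macro; remove or clean them with the rest of the infected documents and the global template.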
To delete the value from the registry