Kaspersky Threats

Class

Platform

Description

Technical Details

This worm spreads via IRC channels and infects MS Word documents. The virus itself is a Word document containing a macro named Mumps.

Installation

When opened, the file will:

attempt to disable the Security menu in the Macro menu
disable the ban on activating macros in the Windows system registry
create a file named Mumps.drv in C:Windows directory and writes the code of the macro to this file. This file is then used to infect all open Word documents
save the active document to the hard drive under the following names:

 C:WindowsFAQ.doc
 C:Program FilesMicrosoft OfficeOfficeSTARTUPMumps.dot

commences propagation via IRC.

Propagation via IRC

The worm modifies a file named script.ini file. This means the file C:WindowsFAQ.doc will automatically be sent to all users of the channel used by the infected computer.

Signs of infection

When the user tries to open the HelpAbout menu, the worm changes the background colour of the document to dark blue. Letters will appear in white. It also open notepad.exe displaying the following text:

 "Windows has low memory resources. Please restart your Windows....."

If the user tries to print the current document and the system clock is showing 59 seconds, a Message Box with the following text will be displayed:

 "Your printer driver is not compatible with Windows. Please install another printer drivers."

If the user tries to view the code of the Macros or open the ToolsMacro menu, a Message Box with the following text will be displayed:

 "There is something a trouble with this function..."

Other

The worm attempts to register C:WindowsFAQ.doc in the system registry as the default signature for Microsoft Outlook 5.0. The file will then automatically be added to all outgoing mail.

Class	IRC-Worm
Platform	MSWord
Description	Technical Details This worm spreads via IRC channels and infects MS Word documents. The virus itself is a Word document containing a macro named Mumps. Installation When opened, the file will: attempt to disable the Security menu in the Macro menu disable the ban on activating macros in the Windows system registry create a file named Mumps.drv in C:Windows directory and writes the code of the macro to this file. This file is then used to infect all open Word documents save the active document to the hard drive under the following names: C:WindowsFAQ.doc C:Program FilesMicrosoft OfficeOfficeSTARTUPMumps.dot commences propagation via IRC. Propagation via IRC The worm modifies a file named script.ini file. This means the file C:WindowsFAQ.doc will automatically be sent to all users of the channel used by the infected computer. Signs of infection When the user tries to open the HelpAbout menu, the worm changes the background colour of the document to dark blue. Letters will appear in white. It also open notepad.exe displaying the following text: "Windows has low memory resources. Please restart your Windows....." If the user tries to print the current document and the system clock is showing 59 seconds, a Message Box with the following text will be displayed: "Your printer driver is not compatible with Windows. Please install another printer drivers." If the user tries to view the code of the Macros or open the ToolsMacro menu, a Message Box with the following text will be displayed: "There is something a trouble with this function..." Other The worm attempts to register C:WindowsFAQ.doc in the system registry as the default signature for Microsoft Outlook 5.0. The file will then automatically be added to all outgoing mail.

IRC-Worm.MSWord.Anumps

Technical Details

Installation

Propagation via IRC

Signs of infection

Other