Virus.MSWord.Afeto

Class Virus
Platform MSWord
Description

Technical Details

This is an Internet worm that spreads through e-mail by using Microsoft Outlook. The worm is a Word macro program written in VBA (the macro language for Microsoft Office).

When an infected document is opened, the worm macro gains control, scans all local drives and looks for a JPG file less than 50,000 bytes in size. The first file found is then inserted into the active document (the current infected document).
The worm then creates new messages and sends them. New messages are created for the first eight messages in the MS Outlook “Sent items” folder. The messages are created according to the following rules:

  • as an address in the field “To:” the worm sets the address from a message in the “Sent items” folder
  • as a subject and body message, it sets the subject and body from the next message in the “Sent items” folder
  • an active document with the worm body is attached to the message

For example, the “Sent Items” folder contains the following messages:

Message 1

To: name1@domen1.com

Subject: Hello!
Text: Do you remember me?

Message 2

To: address2@host2.com
Subject: Good bye.
Text: Today I’m leaving…

Message 3

To: nick3@server3.com

Subject: News.
Text: Great news.

Outgoing messages (in folder “Outbox”) with a worm will appear in the following way:

Message 1

To: name1@domen1.com

Subject: Good bye.
Text: Today I’m leaving…

Message 2

To: address2@host2.com

Subject: News.

Text: Great news.

Message 3

To: nick3@server3.com

etc.

Attach: Infected document

An infected document contains a JPEG file that has been selected by the worm as well as a worm macro-program.

In this way, the worm sends an infected message to the first eight recipients whose addresses are found in the “Sent items” folder. In addition, because each recipient receives the subject and body of a message originally addressed to someone else, the worm in many instances discloses confidential correspondence.
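
A detection heuristic for the re-pairing pattern described above, as an added example that is not part of the original description: it flags outgoing messages that reuse the subject and body of an earlier sent message addressed to a different recipient and that carry a Word document. The `Msg` record, the function names, the extension list and the attachment file names are assumptions; the sample messages are constructed from the example above.

```python
from dataclasses import dataclass

WORD_EXTS = (".doc", ".dot")  # Word document/template extensions (assumption)

@dataclass(frozen=True)
class Msg:  # hypothetical record for one exported mail item
    to: str
    subject: str
    body: str
    attachments: tuple = ()

def has_word_attachment(msg):
    return any(name.lower().endswith(WORD_EXTS) for name in msg.attachments)

def find_repaired_messages(sent_items, outbox):
    """Return (message, original_recipients) for outgoing mail that reuses the
    subject and body of an earlier message sent to someone else and carries
    a Word document."""
    seen = {}
    for m in sent_items:
        seen.setdefault((m.subject, m.body), set()).add(m.to.lower())
    hits = []
    for m in outbox:
        originals = seen.get((m.subject, m.body))
        if originals and m.to.lower() not in originals and has_word_attachment(m):
            hits.append((m, sorted(originals)))
    return hits

# Constructed sample data, based on the example in the description.
SENT_ITEMS = [
    Msg("name1@domen1.com", "Hello!", "Do you remember me?"),
    Msg("address2@host2.com", "Good bye.", "Today I'm leaving..."),
    Msg("nick3@server3.com", "News.", "Great news."),
]
OUTBOX = [
    Msg("name1@domen1.com", "Good bye.", "Today I'm leaving...", ("document.doc",)),
    Msg("address2@host2.com", "News.", "Great news.", ("document.doc",)),
    # Benign: resend to the original recipient, no attachment.
    Msg("nick3@server3.com", "News.", "Great news."),
    # Benign: new text with a Word attachment.
    Msg("name1@domen1.com", "Minutes", "Attached.", ("minutes.doc",)),
]

if __name__ == "__main__":
    for msg, originals in find_repaired_messages(SENT_ITEMS, OUTBOX):
        print(f"{msg.to}: '{msg.subject}' was originally sent to {', '.join(originals)}")
```

Several hits within a short interval, all carrying the same attachment, are a stronger signal than a single match, since a user may legitimately forward old text to a new recipient.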