Class | Virus |
Platform | MSWord |
Description |
Technical DetailsThis virus contains two macros in one Module, “ThisDocument,” and the macros have different names in documents and NORMAL.DOT:
The virus infects the global macros area upon the opening of an infected document. While infecting, the virus exports virus code to the C:CLASS.SYS and inserts it into NORMAL.DOT. Documents are infected in the same way. The virus mutation (polymorphic) routine inserts comments into virus code, containing a user name, current date and time, and information about the active printer. The virus uses an effective way to hide its code. By using special WordBasic operators, the virus installs its module, not into the standard area of macro programs, but into the area of Word classes – the area of standard routines that handle Word events, i.e., Word kernel. The virus appends its code to documents and templates, not as a user application (macro program), but as a “native” Word component. As a result, the virus is not visible in Tools/Macro and File/Templates (for what reason does the virus then hook ToolsMacro?) The virus disables the AutoProtection. On the 31st, the virus displays the MessageBox:
Class.dEach month from June until December on day 14, the virus displays the message:
The virus also changes values in the registry keys:
Class.bsUpon infection, this virus modifies the system registry by writing “Clazz” as the registered owner of this Windows copy. Upon trying to view, the virus codes it with a probability of 25% and sets the “Clazz” password for active document, or, with the same probability, deletes all files in the current folder. |
Find out the statistics of the threats spreading in your region |